
Insider Threats Explained: Types, Detection, and Prevention

Insider threats cost organisations $17.4M annually. Learn the four types, how to spot warning signs early, and the prevention controls that actually work.
Sara Amin
Marketing Student • Content & Writing Enthusiast

What counts as an insider threat today

An insider threat is any risk to an organisation's data, systems, or operations that originates from someone with legitimate access: an employee, contractor, temporary worker, or third-party supplier. That access is what makes it dangerous. The threat does not require malicious intent; negligence and compromised credentials count just as much as deliberate sabotage.

Most security teams still picture the disgruntled employee walking out with a USB drive. That image is outdated. The actual threat profile is far wider. A supplier's engineer with VPN credentials. A call-centre agent in another country accepting a bribe. A legitimate user account quietly taken over by an external attacker who phished the password six weeks ago. All of these are insider threats, and all of them have happened recently, at organisations that believed they had reasonable controls in place.

The boundary between "insider" and "outsider" has blurred significantly. When an attacker steals credentials and logs in through a legitimate portal, your detection tools see a trusted user. That is precisely why the category demands its own programme, separate from perimeter-focused defences. Your attack surface now includes every person and entity that holds a key to your environment, regardless of whether they are on your payroll.

The four types of insider threats

Malicious insiders

A malicious insider deliberately abuses the access their role provides: to steal intellectual property, commit fraud, sabotage systems, or sell sensitive data to competitors or foreign actors. They are often technically capable, patient, and methodical about covering their tracks. The damage they cause tends to be targeted rather than accidental, which makes it severe.

In March 2024, Google software engineer Linwei Ding was arrested after stealing more than 500 confidential files containing supercomputing architecture and AI chip designs, work representing over a decade of the company's research and development. He had been uploading files to a personal cloud account while simultaneously accepting an offer from a Chinese AI company. The theft was not detected through automated alerting alone; it came to light after investigators noticed suspicious travel patterns. By that point, hundreds of files had already left the building.

The danger with malicious insiders is precisely their legitimacy. Their access is real, their activity often looks normal at first glance, and they know which systems hold the most valuable data.

Negligent insiders

Negligence is the most common driver of insider incidents, and the least dramatic. No malice required. A user clicks a phishing link. Someone emails a spreadsheet containing customer records to the wrong address. A developer misconfigures a cloud storage bucket and leaves it publicly accessible. The harm is real; the intent is not.

According to the Ponemon Institute's 2025 data, organisations experience an average of 13.5 negligence incidents per year, more than twice the rate of malicious incidents. The average annual cost per organisation from negligence alone sits at $8.8 million. That is not a rounding error. It is your security team spending the majority of its insider-risk budget dealing with mistakes rather than sabotage.

The practical implication: training and security culture are not soft investments. They are directly measurable in incident frequency. Negligence will never drop to zero, but it can be reduced substantially.

Compromised insiders

A compromised insider is a legitimate user whose credentials have been stolen by an external attacker. The attacker then operates inside your environment using that account, inheriting whatever permissions the real user holds. From a detection standpoint, this is the hardest category to catch, and the most expensive when you miss it.

Change Healthcare is the clearest recent example. In February 2024, attackers used stolen credentials to access a Citrix remote access portal that had no multi-factor authentication enabled. Nine days later, ransomware was deployed. The breach ultimately affected approximately 193 million individuals and disrupted US pharmacy and claims processing for months. The initial entry point was a single set of unprotected credentials. One account. No MFA. That was enough.

Credential leak monitoring is not optional in this environment. Credentials circulate on criminal forums long before your team learns they were exposed.

Collusive insiders

Collusion involves an insider acting in deliberate coordination with an external party, typically for money, occasionally under coercion. Organised crime groups and nation-state actors actively recruit employees at target organisations. The insider provides access, data, or operational cover. The external party provides funding or direction. The distinction from a purely malicious insider is the coordination: there is an outside hand guiding the activity.

The Coinbase case from 2024-2025 illustrates this precisely. Overseas customer support agents accepted cash bribes to steal personal data belonging to approximately 70,000 users. The breach ran undetected for months. It only came to light in May 2025 when attackers attempted to extort Coinbase with a $20 million ransom demand, threatening to release the stolen data. Remediation costs reached as high as $400 million, and the company's stock fell 6%. The agents involved had legitimate access to customer records; that access is what made the scheme viable.

The real cost: what the data says

The average total annual cost of insider incidents reached $17.4 million per organisation in 2025, according to the Ponemon Institute. Put that in context: this is not the cost of a single catastrophic breach. It is the recurring annual cost of managing a category of risk that most organisations treat as secondary to external threats.

The numbers by incident type reveal something important about where to focus. Negligence costs $676,517 per incident on average. Malicious incidents cost $715,366. But compromised credentials, where an outsider operates as a trusted user, cost $779,797 per incident, the highest of the three. Detection difficulty drives that premium. The harder an incident is to find, the longer it runs, and the more damage accumulates before anyone intervenes.

Detection time is the critical variable. The average insider incident takes 81 days to detect and contain. Only 12% of incidents are contained within 31 days. That means the overwhelming majority of incidents are running for nearly three months before they are resolved. Incidents that took longer than 91 days to contain averaged $18.7 million in annual costs. The difference between catching something in week three versus week fourteen is not marginal; it is potentially tens of millions of pounds.

Frequency matters too. Organisations are not dealing with one or two insider events a year. The average breaks down to 13.5 negligence events, 6.3 malicious incidents, and 4.8 credential theft incidents, roughly 24 events per year across the three categories. At the same time, 83% of organisations reported at least one insider attack in the preceding twelve months, and 51% experienced six or more attacks in 2023 alone.

Think about what 81 days of undetected activity looks like in practice. A malicious engineer exfiltrating files for eleven weeks. A compromised account quietly mapping your financial systems for two months. A departing employee copying client data every evening for the last six weeks of their notice period. The clock matters enormously, and most organisations are losing that race.

Why insider threats are so hard to detect

The fundamental problem is trust. Insiders already have access. They do not need to break through a firewall or exploit a vulnerability to reach sensitive data; they can simply log in. That means the majority of traditional perimeter security tools are largely irrelevant to the threat. The attacker is already inside.

Malicious activity frequently mirrors legitimate behaviour. A data analyst downloading a large dataset is doing their job. A system administrator accessing multiple servers at once is doing their job. A contractor copying files to a shared drive is doing their job. Insider threats exploit this ambiguity. The activity looks normal because, much of the time, similar activity is normal. Distinguishing between a routine bulk download and an exfiltration event requires contextual baseline data that many organisations simply do not have.

Tool gaps compound the problem. Most SIEM deployments are configured to detect external attack patterns: brute force attempts, unusual source IPs, known malware signatures. They are not always tuned to correlate internal behavioural anomalies: the employee who accessed three systems they have never touched before, at 11pm, two days after handing in notice. Without dedicated indicators of compromise tailored to insider behaviour, alerts simply do not fire.

Dwell time reflects all of this. The 81-day average is not a failure of incident response; it is a failure of detection. By the time most insider incidents are identified, the damage is already done. In the Coinbase case, the breach ran for months before the extortion demand forced it into the open. In the FinWise Bank case, a former employee was accessing systems long after their departure because off-boarding had not fully revoked their credentials. Nobody noticed until the data had already been taken.

Human psychology also plays a role. Teams are reluctant to flag colleagues. Managers dismiss early warning signs as personality quirks. The cultural friction around monitoring people you work with is real, and it creates blind spots that technical tools alone cannot close.

Behavioural warning signs to monitor

Detection depends on knowing what unusual looks like for your environment. Some indicators are technical; others are behavioural. Both matter.

Consider a concrete scenario. An employee hands in their notice on a Friday. By Monday morning, they have downloaded 4,000 files from the shared project repository, a volume they have never approached before in two years of employment. They have also emailed several documents to a personal Gmail account. Neither action is technically blocked. Both are serious warning signs that require immediate investigation.

Bulk data downloads or mass file copies are among the clearest technical signals, particularly when they occur near resignation or termination dates. Pair that with uploads to personal cloud storage (Dropbox, personal Google Drive, personal OneDrive) and you have a pattern worth escalating.

Access outside normal role scope is another strong indicator. An accounts payable clerk suddenly browsing the engineering IP repository at 2am warrants attention. Repeated failed attempts to access restricted systems suggest someone testing boundaries. Requests for access escalation submitted shortly before a planned departure are especially telling.

Post-employment access attempts are a specific and serious signal. The FinWise Bank breach happened precisely because a former employee's access was not fully revoked at termination; they continued to reach internal systems and obtained personal data belonging to 689,000 customers. Any authentication attempt from a deprovisioned account should trigger an immediate alert.

On the behavioural side: disabling endpoint security tools, clearing audit logs, printing large volumes of documents without a clear business reason, or showing sudden interest in financial systems and HR records outside one's role scope. The OPEXUS case is instructive here. Two engineers who had received termination notices deleted 33 databases and stole over 1,800 government files. Both had prior hacking convictions that background checks had already flagged. The signals were present; the response was not.

No single indicator is conclusive. But a cluster of signals (unusual access patterns, data movement to personal destinations, and proximity to a departure or disciplinary event) warrants being treated seriously and acted on quickly.
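The indicators in this section, together with the deprovisioned-account rule under off-boarding, can be expressed as a small set of correlation rules that only escalate when signals cluster. The Python below is an added example, not code from the article or from Defendis: the log events, HR dates, user names, thresholds, "known systems" baseline and the lists of personal cloud and webmail domains are all constructed for illustration, and a real deployment would read these from the SIEM, HR system and DLP gateway.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR context: when notice was handed in and when access should
# have ended. This is what gives the technical events their meaning.
HR_CONTEXT = {
    "jdoe":   {"notice_date": "2025-03-07", "termination_date": None},
    "asmith": {"notice_date": None, "termination_date": "2025-02-28"},
    "klee":   {"notice_date": None, "termination_date": None},
}

# Constructed per-user baseline of systems each person normally touches.
KNOWN_SYSTEMS = {"jdoe": {"project-repo", "jira"}, "klee": {"project-repo"}}

# Constructed events merged from a repository log, an upload/email gateway
# and an authentication log: (timestamp, user, kind, details).
EVENTS = [
    ("2025-03-10T08:12:00", "jdoe", "download", {"files": 4000, "source": "project-repo"}),
    ("2025-03-10T09:30:00", "jdoe", "upload", {"dest": "drive.google.com", "files": 12}),
    ("2025-03-10T09:45:00", "jdoe", "email", {"to": "jdoe.personal@gmail.com", "attachments": 3}),
    ("2025-03-11T23:05:00", "jdoe", "access", {"system": "engineering-ip-repo"}),
    ("2025-03-12T10:00:00", "klee", "download", {"files": 40, "source": "project-repo"}),
    ("2025-03-12T10:20:00", "klee", "upload", {"dest": "sharepoint.corp.example", "files": 40}),
    ("2025-03-14T02:10:00", "asmith", "auth", {"result": "success", "system": "vpn"}),
]

# Assumed thresholds and destination lists; tune these to your own environment.
BULK_DOWNLOAD_FILES = 500
DEPARTURE_WINDOW = timedelta(days=30)
PERSONAL_CLOUD = {"dropbox.com", "drive.google.com", "onedrive.live.com"}
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def _dt(value):
    return datetime.fromisoformat(value) if value else None


def evaluate(events, hr, known_systems):
    """Run each event through the rules; return {user: [(signal, timestamp), ...]}."""
    findings = defaultdict(list)
    daily_downloads = defaultdict(int)
    for ts, user, kind, d in events:
        t = _dt(ts)
        ctx = hr.get(user, {})
        notice, term = _dt(ctx.get("notice_date")), _dt(ctx.get("termination_date"))
        near_departure = notice is not None and timedelta(0) <= t - notice <= DEPARTURE_WINDOW

        # Any activity after the termination date means off-boarding failed.
        if term is not None and t > term:
            findings[user].append(("post_employment_access", ts))
            continue

        if kind == "download":
            key = (user, t.date())
            daily_downloads[key] += d["files"]
            if daily_downloads[key] >= BULK_DOWNLOAD_FILES:
                signal = "bulk_download_near_departure" if near_departure else "bulk_download"
                if signal not in {s for s, _ in findings[user]}:
                    findings[user].append((signal, ts))
        elif kind == "upload" and d["dest"] in PERSONAL_CLOUD:
            findings[user].append(("personal_cloud_upload", ts))
        elif kind == "email" and d["to"].rsplit("@", 1)[-1] in PERSONAL_MAIL:
            findings[user].append(("email_to_personal_account", ts))
        elif kind == "access":
            unfamiliar = d["system"] not in known_systems.get(user, set())
            off_hours = t.hour >= 22 or t.hour < 6
            if unfamiliar and off_hours:
                findings[user].append(("unfamiliar_system_off_hours", ts))
    return dict(findings)


def escalate(findings):
    """A single signal is noise; a cluster, or any post-employment access, is a case."""
    cases = {}
    for user, signals in findings.items():
        kinds = {s for s, _ in signals}
        if "post_employment_access" in kinds or len(kinds) >= 2:
            cases[user] = sorted(kinds)
    return cases


if __name__ == "__main__":
    for user, kinds in escalate(evaluate(EVENTS, HR_CONTEXT, KNOWN_SYSTEMS)).items():
        print(f"ESCALATE {user}: {', '.join(kinds)}")
```

On the constructed data, `klee` produces no case (a small download moved to a corporate destination), `asmith` is escalated on the single post-employment authentication, and `jdoe` is escalated because four distinct signals cluster within days of handing in notice. The departure window is what turns an ordinary bulk download into a higher-priority signal; the rule set itself stays deliberately small so every alert is explainable to the manager who has to act on it.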

How to prevent insider threats: a practical framework

Zero trust architecture

Zero trust operates on a simple principle: no implicit trust for anyone inside the network. Every access request is verified, regardless of where it originates. This means enforcing MFA across all access points, not just external-facing ones. Change Healthcare's Citrix portal had no MFA. A single stolen credential was enough for attackers to enter and, nine days later, deploy ransomware across a system serving 193 million people.

Least-privilege access

Grant the minimum permissions required for a role. Nothing more. Review access quarterly and revoke it the moment someone changes role or leaves. Privilege creep, where users accumulate access over time without it being reviewed, quietly expands your exposure. When Linwei Ding stole 500 files from Google, he did so using access granted for legitimate work. Scoping that access more tightly limits what any single insider can reach.

Rigorous off-boarding

Off-boarding must be treated as a security-critical process, not an HR formality. Revoke all accounts, access tokens, API keys, and third-party integrations the moment someone leaves, or the moment a termination notice is given in high-risk cases. The FinWise Bank breach is a direct consequence of incomplete off-boarding. A former employee accessed internal systems after their departure and obtained data on 689,000 customers. Six lawsuits followed, with over $5 million in relief demanded. Document your off-boarding process, test it regularly, and assign clear ownership.

User and Entity Behaviour Analytics (UEBA)

UEBA platforms establish a behavioural baseline for every user and entity in your environment, then alert on statistically significant deviations. Unusual login times, abnormal data access volumes, atypical system combinations: these become detectable signals rather than background noise. Without behavioural baselines, your security team is trying to spot anomalies without knowing what normal looks like.
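To make "statistically significant deviation" concrete, the Python below is an added example (not Defendis's code, and not the algorithm of any particular UEBA product) that builds a per-user baseline from a constructed 30-day history and scores a new day against it. Download volume is compared using a median/MAD modified z-score, which a single legitimate big day cannot skew the way a mean and standard deviation can; login hour and systems touched are checked for simple novelty. The user, history, thresholds and system names are all assumptions.

```python
import statistics
from collections import Counter

# Constructed 30-day history for one user: (files downloaded that day,
# first login hour, systems touched). Deterministic so the figures reproduce.
HISTORY = [
    (30 + (i * 7) % 41, 8 + i % 3, {"project-repo", "jira"} | ({"wiki"} if i % 4 == 0 else set()))
    for i in range(30)
]


def build_baseline(history):
    """Summarise what 'normal' looks like for one user from their own history."""
    volumes = [files for files, _, _ in history]
    median = statistics.median(volumes)
    # Median absolute deviation; fall back to 1.0 so a flat history cannot divide by zero.
    mad = statistics.median(abs(v - median) for v in volumes) or 1.0
    login_hours = Counter(hour for _, hour, _ in history)
    systems = set().union(*(s for _, _, s in history))
    return {"median": median, "mad": mad, "hours": login_hours,
            "systems": systems, "days": len(history)}


def modified_z(value, baseline):
    # Iglewicz-Hoaglin modified z-score; 3.5 is the conventional outlier cut-off.
    return 0.6745 * (value - baseline["median"]) / baseline["mad"]


def score_day(baseline, files, login_hour, systems, z_threshold=3.5):
    """Return (z, findings) for one observed day measured against the baseline."""
    findings = []
    z = modified_z(files, baseline)
    if z > z_threshold:
        findings.append(
            f"download volume {files} scores {z:.1f} on the modified z-scale "
            f"(median {baseline['median']:.1f}, MAD {baseline['mad']:.1f})"
        )
    if baseline["hours"][login_hour] == 0:
        findings.append(f"login at {login_hour:02d}:00 not seen in {baseline['days']} days of history")
    novel = set(systems) - baseline["systems"]
    if novel:
        findings.append(f"systems never accessed before: {sorted(novel)}")
    return z, findings


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for files, hour, systems in [(60, 9, {"project-repo"}),
                                 (120, 9, {"jira"}),
                                 (4000, 23, {"engineering-ip-repo"})]:
        z, findings = score_day(baseline, files, hour, systems)
        print(f"{files:>5} files at {hour:02d}:00 -> z={z:.1f}, {findings or 'normal'}")
```

With this history the baseline is a median of 49.5 files and a MAD of 10.5, so a 60-file day scores well under the cut-off, a 120-file day is already an outlier, and the 4,000-file, 23:00, unfamiliar-repository day trips all three checks. Real platforms add peer-group comparison (is this normal for the role, not just the person) and decay old history, but the core idea is exactly this: a score relative to the entity's own past rather than a fixed global threshold.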

Data Loss Prevention (DLP)

DLP tools monitor and control data movement, blocking or flagging bulk transfers to external destinations, personal cloud services, or removable media. They are particularly effective against negligent insiders, who account for 13.5 incidents per organisation per year on average. DLP does not require intent to be useful; it catches accidental data exposure as readily as deliberate exfiltration.

Privileged Access Management (PAM)

Admin and root accounts carry disproportionate risk. PAM solutions add additional verification layers, record privileged sessions, and enforce just-in-time access grants, meaning elevated permissions are issued for specific tasks and expire automatically. In the OPEXUS case, two engineers with termination notices used their retained access to delete 33 databases and steal government files. Session recording and just-in-time grants would have materially constrained what was possible.

Third-party risk management

Insider risk does not stop at your organisational boundary. Every supplier or contractor with access to your systems extends your exposure. Marks & Spencer learned this in 2025 when social engineering targeting their supplier Tata Consultancy Services yielded password reset credentials. Ransomware followed. Online sales were suspended for five days, resulting in roughly £3.8 million in daily revenue loss and a temporary market capitalisation drop of approximately £750 million. Treat every third party with system access as an extension of your insider threat programme: apply the same access controls, the same monitoring, the same off-boarding discipline.

Employee awareness training

Negligence is the most frequent category of insider incident. Phishing simulation, clear data-handling policies, and a security culture where people feel comfortable reporting mistakes all reduce incident frequency in measurable ways. Training is not a compliance checkbox; it directly affects the 13.5 negligence events your organisation is statistically likely to experience this year.

Background checks with follow-through

Background checks are only useful if the findings are acted upon. The OPEXUS engineers had prior hacking convictions that were flagged during checks, and yet they were given access to federal systems. The check happened. The action did not. Establish clear policy on what findings disqualify access to sensitive systems, and enforce it without exception.

Technology that supports insider threat programmes

No single tool covers the full problem. Effective insider threat programmes layer several categories of technology, each addressing a different part of the detection and prevention challenge.

UEBA platforms are the analytical core. They ingest activity data across systems, build behavioural baselines per user and role, and surface anomalies that rules-based systems miss. If someone's behaviour shifts (access patterns, data volumes, system combinations), UEBA catches it. You need this when you have enough users that manual monitoring is impractical, which in most enterprises is immediately.

DLP solutions focus on data in motion. They monitor transfers to external destinations, flag policy violations in real time, and can block exfiltration attempts before data leaves the environment. They are particularly valuable for organisations handling regulated data: financial records, health information, government data.

PAM tools control the accounts that carry the most risk. Session recording, just-in-time access, and credential vaulting make it significantly harder for privileged accounts to be abused, whether by their legitimate holder or by an attacker who has taken them over.

SIEM platforms centralise log data from across the environment and enable correlation across sources. On their own, SIEMs require careful tuning for insider threat use cases, but combined with UEBA feeds, they become considerably more effective.

Identity governance platforms automate access reviews and off-boarding workflows. They reduce the human error that leads to access persisting after someone leaves: the exact failure mode in the FinWise Bank case.

Endpoint detection tools catch data staging on devices before exfiltration occurs: large file aggregations, unusual USB activity, or attempts to disable security software.

Compliance and regulatory exposure

An insider breach is not just a security incident. It is a regulatory event, one that carries notification obligations, investigation risk, and potential fines.

Under GDPR, which applies in EU jurisdictions and influences many MEA regulatory frameworks, a data breach involving personal information triggers a 72-hour notification obligation to the supervisory authority. Fail to notify in time, and you face fines of up to 4% of global annual turnover, before any consideration of the underlying breach. The Coinbase incident, involving roughly 70,000 affected individuals, would trigger these obligations in virtually every jurisdiction with a modern data protection law.

The UAE Personal Data Protection Law and Saudi Arabia's Personal Data Protection Law both require organisations to implement appropriate technical and organisational safeguards. An insider breach that exposes personal data can trigger regulatory investigation under either framework; this is particularly relevant for MEA enterprises managing regional customer data.

PCI-DSS requires financial services organisations handling card data to enforce least-privilege access and maintain detailed access logs. These are not aspirational goals; they are audit requirements. SOX compliance, relevant to US-listed entities including many MEA multinationals, mandates access controls on financial systems as a governance obligation.

Regulators are increasingly treating insider breaches as evidence of systemic control failure, not isolated incidents. That framing changes the calculus significantly.

Insider threats in banking and government

Financial institutions and public sector agencies are not just common targets; they are the highest-value targets. Both sectors hold large volumes of sensitive personal data, financial records, and in the government's case, classified or operationally sensitive information. Both sectors also have complex access environments: legacy systems, third-party contractors, and staff with broad operational access.

The FinWise Bank case makes the financial services risk concrete. A former employee retained access to internal systems after leaving the organisation, obtained personal data belonging to 689,000 American First Finance customers, and triggered six separate lawsuits demanding over $5 million in relief. The root cause was straightforward: off-boarding did not fully revoke access. In a sector regulated by PCI-DSS and subject to intense supervisory scrutiny, that failure is both a security and a compliance problem.

In the public sector, the OPEXUS case illustrates a different dimension of the risk. Two engineers facing termination deleted 33 databases and stole over 1,800 government files from US federal systems. FOIA processing went offline for weeks. Prior convictions had been flagged during background checks, and not acted on. MEA government agencies face an identical risk profile: privileged insiders, sensitive systems, and the potential for significant operational disruption if access controls are not enforced.

Both sectors should treat insider threat programmes as core infrastructure, not optional enhancements.

Know about compromised credentials before the attacker acts

Most insider incidents involving compromised accounts start the same way: stolen credentials sitting on a dark web forum weeks before anyone notices unusual activity internally. Defendis monitors dark web sources, infostealer logs, and threat actor channels so your team gets an alert when an employee credential is exposed — not 81 days later.

If you want to see how Defendis applies to your organisation's credential and threat exposure, book a personalised demo.



Frequently asked questions

What is the most common type of insider threat?

Negligent insiders are the most frequent category. Organisations experience an average of 13.5 negligence-related incidents per year, compared to 6.3 malicious incidents and 4.8 credential theft events. Careless behaviour (clicking phishing links, misconfiguring systems, or misdirecting sensitive files) drives the majority of insider risk by volume.

How long does it take to detect an insider threat?

The average time to detect and contain an insider incident is 81 days, according to Ponemon Institute 2025 data. Only 12% of incidents are contained within 31 days. Incidents running longer than 91 days averaged $18.7 million in annual costs, making detection speed one of the most significant variables in determining total damage.

What is the average cost of an insider threat incident?

Costs vary by incident type. Credential theft incidents average $779,797 per incident, the highest of the three categories. Malicious incidents average $715,366, and negligence incidents average $676,517. At the organisational level, the average total annual cost across all insider incidents reached $17.4 million in 2025.

Can insider threats be fully prevented?

No. With 71% of organisations reporting at least moderate vulnerability and 83% experiencing at least one insider attack in the past year, elimination is not a realistic goal. The objective is early detection, rapid containment, and reducing the conditions that make insider incidents likely, through access controls, behavioural monitoring, and a security-aware culture.

About the author
Sara is a marketing student and tech writing enthusiast with an interest in digital culture, startups, and emerging technologies.
