CyberXtron
Why Insider Threats Are Rising
Tags: Insider Threats, Malicious Insiders, AI-Powered Attacks, Zero Trust, Threat Intelligence, Third-Party Risk


Executive summary:

Understanding the current landscape of insider threats in cybersecurity is essential for any organization aiming to strengthen its security posture. The total annual average cost of insider incidents has risen sharply to $17.4 million (2025 data), a 109% increase since 2018. This escalation is driven by the prolonged time to contain incidents, which averages 77 days; costs climb to $18.7 million for breaches lasting over 91 days. The risk is compounded by diverse compromise vectors, ranging from negligent insiders (a concern for 97% of respondents) to malicious actors using legitimate access, with third-party compromise the second costliest vector at $4.91 million on average. 

The battlefield has fundamentally changed: attackers are now exploiting "The Identity," a concern for 78% of security leaders, by logging in with valid credentials rather than breaching firewalls. This challenge is magnified by the emergence of AI-powered insider threats, which operate at machine speed and blend in by mimicking human access patterns, a development that makes traditional, rule-based detection tools ineffective. To mitigate these risks, 81% of organizations are implementing programs that prioritize advanced controls: a Zero Trust framework enforced by Multi-Factor Authentication (MFA) and Principle of Least Privilege (PoLP); deployment of User Behavior Analytics (UBA) to detect subtle Anomalous Behavior; and technical strategies like Data Loss Prevention (DLP) and Privileged Access Management (PAM), all supported by immediate AI-specific incident protocols and heightened employee awareness. 

Brief History:

Shift from Perimeter to Identity (The Modern Threat): 

The evolution of cyber tactics has rendered traditional perimeter defenses inadequate, focusing adversarial attention on the weakest link: the user identity.

  • Exploitation of Identity Over Infrastructure: Attackers have moved away from resource-intensive traditional external attack methods (such as malware and network exploits) to a more efficient strategy of exploiting "The Identity." They bypass hardened firewalls and exterior security controls by logging in with legitimate credentials (often obtained via phishing or credential leaks), mirroring historical espionage and deception tactics where spies used stolen uniforms to gain trust. 
  • Identity as the Primary Attack Vector: The reliance on exploiting valid credentials confirms that identity is now the primary attack vector in the enterprise. This concern is substantiated by metrics: a staggering 73% of security leaders rank identity-based threats among their highest priorities for defense. 
  • Social Engineering is the Top Initial Vector: The most common method for obtaining these legitimate credentials is exploiting human trust. A high 78% of security leaders cite social engineering and phishing as their top initial concern, highlighting the continued effectiveness of human manipulation in initiating an insider or identity-based breach. 
  • Pervasive Visibility Gaps Undermine Detection: Despite the clear recognition of identity risk, a significant operational gap exists. 67% of organizations still lack sufficient visibility into access behaviors and user lateral movement within their networks. 

What is an Insider Threat: 

An Insider Threat is a security risk that originates from within the targeted organization, involving an individual who has, or previously had, authorized access to the organization's critical assets (data, systems, networks) and uses this access, either intentionally or unintentionally, to cause harm. These threats are a major concern, as 56% of organizations experienced an insider threat incident in the past year, highlighting their persistent nature. Security professionals are overwhelmingly concerned with both primary types: Negligent or Unwitting Insiders (97% concern) and Malicious Insiders (93% concern). The negligent insider, through human error like falling for a phishing attack, inadvertently compromises accounts, while the malicious insider intentionally misuses their high-level access for personal gain or revenge, often stealing proprietary data. The landscape is continually evolving and becoming more sophisticated, with some recent schemes having ties to larger nation-states or financially motivated campaigns. 

Why Are They Difficult to Detect: 

Insider threats pose an extraordinary danger due to their significant financial consequences and the challenges they present to security teams. The average time required to contain an insider threat incident is a lengthy 77 days, which allows actors to cause maximum damage. This protracted incident handling results in a massive financial drain, with average costs for an incident lasting 30 days reaching $7.12 million USD. Given this extraordinary cost and the potential for severe reputational harm, developing a robust insider threat program is crucial. 

The difficulty in identifying an insider attack is rooted in two main factors that leverage the insider’s trusted position:

  • Security Tool Focus: Most traditional security tools and solutions are primarily focused on identifying and preventing external threats. They are not adequately designed or configured to detect suspicious or anomalous behavior coming from legitimate, authenticated users within the network. 
  • Insider Knowledge: Many inside actors possess an intimate knowledge of the organization’s network settings, security policies, and procedures. This allows them to exploit known vulnerabilities, gaps, or shortcomings in the defense architecture without triggering immediate alarms. 

Insider Threats Powered by AI: 

The unexpected rise of AI-powered insider threats presents a new "hybrid threat" model in which AI systems use valid credentials to operate at machine speed and impersonate users. This is dangerous because AI blurs the lines of trust, making malicious actions appear benign by mimicking human patterns, and moves faster than traditional detection tools can track. Standard anomaly detection often fails, making immediate employee awareness and quick reporting of unusual activity the most critical defense. 

In 2025, 83% of organizations reported at least one insider attack, with average costs reaching $17.4 million annually. By 2028, one in four job candidates globally will be a fake, AI-generated persona designed to infiltrate organizations as a "ghost employee" with legitimate credentials and implicit trust. 

Actionable Steps:

  • Prioritize Behavioral Analytics and Trust Reduction: Adopt systems that detect not just known patterns but subtle anomalies. Pair this with a Zero Trust strategy that enforces Multi-Factor Authentication (MFA) and conditional access for everyone, including automated tools, so that all access is treated as requiring continuous verification. 
  • Enforce Principle of Least Privilege (PoLP) Strictly: Limit all user and system access permissions to the absolute minimum required for the job function. This fundamental control minimizes the "blast radius" of damage should any human or automated account become compromised. 
  • Establish AI-Specific Incident Protocols: Treat insider risk as a human-like threat, recognizing that compromise may originate from within. Crucially, prepare and practice specific procedures for slowing down and investigating when AI-like behavior (fast, subtle, anomalous actions) is observed, rather than waiting for confirmed breach. 
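One concrete way to read the first two steps together is as a per-request policy decision: every request, whether from a person or from an automated account, is first checked against an explicit least-privilege grant (default deny) and then against identity and risk signals, with no trust granted for being "inside" the network. The following is an added example written for this article, not CyberXtron's code or any vendor's product; the principals, grants, thresholds and risk scores are constructed, and the risk score is assumed to come from a separate risk engine.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    principal: str
    principal_type: str       # "human" or "service" (an automated tool)
    resource: str
    action: str
    mfa_verified: bool        # humans: did this session complete MFA?
    workload_compliant: bool  # device posture for humans, managed/attested identity for services
    risk_score: int           # 0-100; assumed to come from a separate risk engine


# Constructed least-privilege grants: principal -> {resource prefix: allowed actions}.
# Anything not listed here is denied by default.
GRANTS = {
    "alice": {"/finance/": {"read", "download"}},
    "svc-backup": {"/finance/": {"read"}, "/eng/": {"read"}},
}
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
STEP_UP_RISK = 50   # elevated risk on sensitive data forces re-verification (constructed threshold)
DENY_RISK = 80      # very high risk is denied outright (constructed threshold)


def has_grant(principal: str, resource: str, action: str) -> bool:
    """PoLP check: an explicit grant must cover both the resource and the action."""
    return any(resource.startswith(prefix) and action in actions
               for prefix, actions in GRANTS.get(principal, {}).items())


def evaluate(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # 1. Least privilege: no grant, no access, regardless of who or where the caller is.
    if not has_grant(req.principal, req.resource, req.action):
        return "deny", "no matching grant (default deny)"
    # 2. Identity assurance: humans must have MFA; every principal needs a compliant device/workload.
    if req.principal_type == "human" and not req.mfa_verified:
        return "step_up", "MFA required for this session"
    if not req.workload_compliant:
        return "deny", "device or workload identity not compliant"
    # 3. Continuous verification: the risk signal is re-evaluated on every request.
    if req.risk_score >= DENY_RISK:
        return "deny", f"risk score {req.risk_score} exceeds deny threshold"
    if req.resource.startswith(SENSITIVE_PREFIXES) and req.risk_score >= STEP_UP_RISK:
        return "step_up", "elevated risk on sensitive resource"
    return "allow", "grant present, identity verified, risk acceptable"


if __name__ == "__main__":
    requests = [
        AccessRequest("alice", "human", "/finance/reports/q1.xlsx", "download", False, True, 10),
        AccessRequest("alice", "human", "/finance/reports/q1.xlsx", "download", True, True, 10),
        AccessRequest("alice", "human", "/hr/salaries.xlsx", "read", True, True, 10),
        AccessRequest("svc-backup", "service", "/finance/ledger.csv", "read", False, True, 5),
        AccessRequest("svc-backup", "service", "/finance/ledger.csv", "download", False, True, 5),
        AccessRequest("alice", "human", "/finance/reports/q1.xlsx", "download", True, True, 85),
    ]
    for r in requests:
        decision, reason = evaluate(r)
        print(f"{r.principal:11s} {r.action:8s} {r.resource:28s} -> {decision:7s} ({reason})")
```

The order of the checks matters: the grant check runs first so that a missing permission is never "upgraded" to a step-up prompt, and the service account passes without MFA only because it presents a compliant workload identity and holds an explicit read-only grant.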

Why they’re dangerous: 

The insider threat is the most financially damaging risk because the compromise vector originates from personnel who hold authorized access inside the trust boundary. 

Regular Employees:

Regular employees, despite having limited access compared to privileged users, still pose a risk through inadvertent misuse of data, such as sending confidential emails incorrectly or falling victim to social engineering attacks. However, the most significant danger comes from malicious employees who act with intent for financial gain, retaliation, or ideological reasons. These intentional and accidental actions underscore the diverse mechanisms by which regular employees can endanger the organization. 

The Coinbase incident in May 2025 exemplified an extreme malicious insider threat where attackers bribed customer support agents to exploit their legitimate access and steal customer data. The perpetrators then used this compromised data to launch targeted social engineering attacks, tricking customers into sending them cryptocurrency. 

Following the data theft, the attackers demanded a $20 million ransom from the company to prevent public release. Coinbase refused the demand, opting instead to fully reimburse all defrauded victims and offer a $20 million reward for information leading to the attackers' arrest. 

Third parties:

Third parties (vendors, subcontractors, and partners) represent a major insider risk because they hold authorized access to your IT systems while often lacking direct security oversight. As a critical attack vector, third-party vendor compromise is the second costliest at $4.91 million on average, because their weaker security can be targeted by hackers to breach your perimeter. A key example is the May 2025 Adidas data breach, which originated from an attack on a third-party customer service provider and compromised customer contact details including emails, phone numbers, and shipping addresses, data that is highly exploitable in future social engineering campaigns. 

Privileged User:

In January 2024, Mercedes-Benz experienced a serious security oversight—an incident attributed to human error—when a highly privileged GitHub token was inadvertently published publicly online, granting unrestricted and unmonitored internal access. 

Researchers at RedHunt Labs discovered that this exposed token compromised a wealth of sensitive internal data, including the company’s source code, cloud credentials, SSO passwords, and system blueprints. A Mercedes spokesperson confirmed that the internal source code had been uploaded to a public GitHub repository, underscoring the risk posed by negligent insiders who accidentally leak critical infrastructure data. 
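The defensive counterpart to this kind of negligent leak is to scan content for credentials before it is committed or published, for example from a pre-commit hook. The following is an added example written for this article, not code from Mercedes-Benz, RedHunt Labs or CyberXtron: it looks for well-known token formats (GitHub classic and fine-grained tokens and AWS access key IDs; the page does not say what form the leaked token took, so the formats checked here are an assumption) and, as a catch-all, for assignments to secret-looking variables whose values are high-entropy. The sample file and every value in it are constructed, and the entropy threshold is a tuning assumption.

```python
import math
import re
from collections import Counter

# Known token formats this example checks (assumed format knowledge; the page does not say
# what form the leaked Mercedes-Benz token took).
TOKEN_PATTERNS = {
    "github_classic_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_token": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Catch-all: an assignment to a secret-looking name whose value is long enough to be a credential.
ASSIGNMENT_RE = re.compile(
    r"(?i)(token|secret|password|passwd|api_?key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{16,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; a tuning assumption for this example


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random credentials score high, placeholders low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it; a finding must not re-leak the secret."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str, source: str = "<stdin>") -> list[dict]:
    """Return one finding per leaked-looking value, with line number and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_known = False
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                matched_known = True
                findings.append({"source": source, "line": lineno, "kind": kind,
                                 "value": redact(m.group(0))})
        if matched_known:
            continue  # don't report a known token a second time as a generic high-entropy string
        m = ASSIGNMENT_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"source": source, "line": lineno, "kind": "high_entropy_secret",
                             "value": redact(m.group(2))})
    return findings


# Constructed sample: a settings file about to be committed. Every value is made up.
SAMPLE_FILE = """\
# settings.env (constructed example, not real credentials)
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
DB_PASSWORD="s3cr3tV4lu3Xy9Qw2Lk8Pz"
ADMIN_PASSWORD="aaaaaaaaaaaaaaaaaaaa"
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_FILE, "settings.env")
    for h in hits:
        print(f"{h['source']}:{h['line']}: {h['kind']} ({h['value']})")
    raise SystemExit(1 if hits else 0)  # a non-zero exit blocks the commit in a pre-commit hook
```

The low-entropy `ADMIN_PASSWORD` placeholder is deliberately not reported, which is the trade-off of the entropy heuristic: it keeps noise down on obvious dummy values at the cost of missing weak real passwords, so the format-specific patterns carry the detection for the token types that matter most.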

CrowdStrike insider threat incident: 

The CrowdStrike insider incident, confirmed November 21, 2025, highlighted the extreme risk posed by internal threats. An insider shared screenshots of internal dashboards and an Okta SSO panel link with the hacking group Scattered Lapsus$ Hunters for an alleged payment of $25,000 and authentication cookies. Although no systems were breached and no customer data was exposed, the leak of internal visuals and cookies is highly valuable to threat actors for social engineering or impersonation. This case shows that insider threats are an underestimated risk, bypassing robust external defenses when legitimate access is misused. 

Financial Impact: 

The total cost of insider threat incidents continues a significant upward trend, driven by direct costs (detection, mitigation, remediation), indirect costs (employee time), and lost opportunity costs. The total average cost of an insider threat incident increased by over 109% between 2018 and 2024. Geographically, North American companies suffer the most, with average costs in that region rising from $11.1 million to $22.2 million in six years. Even non-malicious incidents are becoming drastically more expensive: the average total spending on a single insider threat incident caused by negligence rose by 39.5% between 2022 and 2024. These rising costs underscore the urgent necessity for organizations to prioritize the timely detection and prevention of internal threats. 

Top industries at risk of insider threats: 

  • Financial Services: Faces the highest per-incident cost (around $870k to $920k) due to dense privileged access, leading to credential theft, internal fraud, and data exfiltration. 
  • Energy & Utilities: Incidents average $770k, driven by the risk of insider manipulation of Operational Technology (OT) and Industrial Control Systems (ICS), which can disrupt essential services. 
  • Government & Defense: Costs hover near $750k. The primary threat is espionage and unauthorized transfer of classified information, with fragmentation in monitoring raising the stakes. 
  • Healthcare: Per-incident costs range from $740k to $820k. The risk is centered on the negligent misuse and compromise of Protected Health Information (PHI) due to broad staff access. 
  • Technology & SaaS: Incidents average $700k to $780k. The main target is Intellectual Property (IP) theft and insider espionage, leveraging powerful admin roles for high-impact compromise. 
  • Education & Research: While per-incident costs are lower ($540k), this sector is exposed due to valuable research, loose governance, and frequent credential mishandling. 

Technical Indicators of Insider Threats: 

The detection of insider threats relies on taking a layered approach, continuously monitoring both technical and behavioral signals to identify potential misuse or compromise. Given that detecting intent is an interpretive art, security teams rely on sophisticated tools to flag deviations from the norm. The top five reported technical and behavioral red flag indicators that teams use to identify potential insiders are: 

  • Anomalous Behavior: Unusual access patterns, significant deviations from a user's established baseline activity, or attempts at data exfiltration. 
  • Excessive Data Access or Downloads: A sudden, unusual volume of downloads or large file transfers, particularly accessing sensitive data outside of a user's defined job scope. 
  • Attempts to Access Restricted or Unauthorized Resources: Efforts to access unauthorized applications or resources, or privilege escalation attempts that deviate from legitimate workflow. 
  • Suspicious Network Activity: Promiscuous or unusual internet usage, attempts to scan network ports, or lateral movement across systems without business justification. 
  • Behavioral Changes: Non-digital signals such as patterns displaying threats or anger, or noticeable shifts in an employee’s temperament or work engagement, which often serve as supporting details for a deeper technical investigation. 
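To make the technical indicators concrete, here is an added example written for this article (not CyberXtron's code or any UBA product) that learns a per-user baseline from a few days of access logs and then evaluates later events against it: off-hours access relative to the user's usual hours, a day's downloads exceeding a multiple of the user's median daily volume, access to resources outside the user's role scope, and repeated denied attempts. The log lines, users, role scopes, baseline window and thresholds are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (not real data): three baseline days, then one evaluation day.
ACCESS_LOG = """\
2025-03-03T09:12:44Z user=alice action=download resource=/finance/reports/q1.xlsx bytes=220000 status=200
2025-03-03T14:05:10Z user=alice action=read resource=/finance/ledger/march.csv bytes=0 status=200
2025-03-03T11:00:00Z user=bob action=download resource=/eng/specs/api.md bytes=40000 status=200
2025-03-04T10:30:01Z user=alice action=download resource=/finance/reports/q1-notes.docx bytes=180000 status=200
2025-03-04T12:15:00Z user=bob action=download resource=/shared/handbook.pdf bytes=900000 status=200
2025-03-05T16:45:33Z user=alice action=download resource=/finance/budget/fy25.xlsx bytes=250000 status=200
2025-03-05T09:50:00Z user=bob action=read resource=/eng/designs/v2.pdf bytes=0 status=200
2025-03-10T02:40:12Z user=alice action=download resource=/finance/customers/all-accounts.csv bytes=48000000 status=200
2025-03-10T10:05:00Z user=bob action=download resource=/eng/specs/auth.md bytes=35000 status=200
2025-03-10T10:07:30Z user=bob action=read resource=/finance/payroll/2025.xlsx bytes=0 status=403
2025-03-10T10:09:00Z user=bob action=read resource=/hr/salaries.xlsx bytes=0 status=403
"""

# Constructed role scopes: the path prefixes each job function legitimately needs.
ROLE_SCOPE = {"finance": ("/finance/",), "engineering": ("/eng/", "/shared/")}
USER_ROLE = {"alice": "finance", "bob": "engineering"}

BASELINE_END = datetime(2025, 3, 6)  # events before this date build the baseline (constructed)
VOLUME_MULTIPLIER = 10               # flag a day above 10x the user's median daily bytes ...
MIN_VOLUME_BYTES = 1_000_000         # ... and above 1 MB, so a near-zero baseline doesn't flag everything
DENIED_THRESHOLD = 2                 # repeated 403s in one evaluation run

LINE_RE = re.compile(
    r"^(?P<raw_ts>\S+) user=(?P<user>\w+) action=(?P<action>\w+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+) status=(?P<status>\d+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["raw_ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["bytes"] = int(ev["bytes"])
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def build_baseline(events: list[dict]) -> dict:
    """Per-user profile: range of hours seen and median bytes moved per day."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["ts"] >= BASELINE_END:
            continue
        hours[ev["user"]].add(ev["ts"].hour)
        daily[ev["user"]][ev["ts"].date()] += ev["bytes"]
    return {u: {"hour_min": min(h), "hour_max": max(h),
                "median_daily_bytes": statistics.median(daily[u].values())}
            for u, h in hours.items()}


def in_scope(user: str, resource: str) -> bool:
    """Is this resource inside the path prefixes granted to the user's role?"""
    role = USER_ROLE.get(user)
    return role is not None and resource.startswith(ROLE_SCOPE.get(role, ()))


def detect(events: list[dict], baseline: dict) -> list[dict]:
    """Evaluate post-baseline events and return findings in the order they are raised."""
    findings = []
    day_bytes = defaultdict(int)
    denied = defaultdict(int)
    flagged_days = set()
    for ev in events:
        if ev["ts"] < BASELINE_END:
            continue
        user, day = ev["user"], ev["ts"].date().isoformat()
        profile = baseline.get(user)
        if profile is None:  # an account with no history is itself worth a look
            findings.append({"indicator": "no_baseline", "user": user, "detail": ev["raw_ts"]})
            continue
        if not (profile["hour_min"] - 1 <= ev["ts"].hour <= profile["hour_max"] + 1):
            findings.append({"indicator": "off_hours", "user": user, "detail": ev["raw_ts"]})
        if not in_scope(user, ev["resource"]):
            findings.append({"indicator": "out_of_scope", "user": user, "detail": ev["resource"]})
        day_bytes[(user, day)] += ev["bytes"]
        threshold = max(VOLUME_MULTIPLIER * profile["median_daily_bytes"], MIN_VOLUME_BYTES)
        if day_bytes[(user, day)] > threshold and (user, day) not in flagged_days:
            flagged_days.add((user, day))  # report a user-day once, not on every later event
            findings.append({"indicator": "excessive_volume", "user": user, "detail": day})
        if ev["status"] == 403:
            denied[user] += 1
            if denied[user] == DENIED_THRESHOLD:
                findings.append({"indicator": "repeated_denied_access", "user": user, "detail": day})
    return findings


def run(log_text: str = ACCESS_LOG) -> list[dict]:
    events = parse_log(log_text)
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for f in run():
        print(f"{f['indicator']:24s} user={f['user']:6s} {f['detail']}")
```

Each finding on its own is only a signal (a finance analyst working late is not an incident), which is why real UBA deployments score and correlate them per user; here the interesting output is that alice accumulates two independent indicators on one event and bob's denied requests land outside his role scope, the combination that justifies an analyst's deeper look.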

Mitigations:

The growing complexity of insider risks necessitates advanced procedural and technological measures, particularly given that the average time to detect and contain an incident is 81 days. The longer the response time, the higher the associated costs, with incidents taking over 91 days to contain averaging $18.7 million. To combat this, 81% of organizations are implementing or planning an insider threat management program based on the following top strategies:

  • Data Loss Prevention (DLP): Implement dedicated software to monitor, detect, and block unauthorized data transfers or exfiltration, addressing the critical risk of IP theft and leakage. 
  • User Training and Awareness: Provide mandatory, frequent training to educate employees on security policies and the risks of negligent actions, which is vital since most incidents are non-malicious. 
  • Privileged Access Management (PAM): Strictly control, monitor, and manage the access rights of privileged users, limiting the "blast radius" of a malicious or compromised high-level account. 
  • Employee Monitoring and Surveillance: Use tools to track user actions and activity, which helps in spotting anomalies that could indicate malicious intent or compromise. 
  • Security Information and Event Management (SIEM): Centralize and analyze security alerts and logs across the entire infrastructure to provide visibility and correlate events indicative of an insider threat. 
  • User Behavior Analytics (UBA): Deploy advanced analytics to establish baselines and detect deviations (anomalous behavior) from a user's normal activity, which is crucial for identifying sophisticated attacks. 
  • Network Traffic Intelligence: Monitor network traffic for suspicious connections, data movement, or communication with external C2 (Command and Control) servers. 
  • Strict Third-Party Vetting Procedures: Implement rigorous policies for screening and monitoring vendors, subcontractors, and business partners, given their potential to violate rules or introduce security gaps. 

