The Verizon Data Breach Investigations Report 2025 delivers an uncomfortable figure: in the EMEA region, 29% of all confirmed data breaches are attributable to internal actors. Globally, people are the decisive factor in 60% of all breaches – through errors, manipulation or deliberate misuse. The greatest threat is not lurking somewhere on the dark web. It is sitting in the office next door, working from home, or handed in their notice last week.
Three Types of Insider Threats
Not all insider threats are the same. In practice, we distinguish three categories that require different defence strategies:
Malicious insiders act with intent. A disgruntled employee copies customer data before resigning. A technician sells access credentials to third parties. At Tesla, two former employees exfiltrated over 100 GB of internal data in 2023 – including social security numbers, addresses and customer banking details of more than 75,000 individuals. The data ended up with a German newspaper. Tesla obtained court injunctions, but the damage was done.
Negligent employees account for 55% of all insider incidents according to the Ponemon Institute. These are not malicious actors but people who click on phishing links, lose USB drives, misconfigure cloud storage or reuse passwords. The costs add up nonetheless: an average of 8.8 million dollars per year per organisation.
Compromised accounts arise when external attackers obtain valid employee credentials – via phishing, credential stuffing or infostealer malware. To security systems, the activity initially appears legitimate. This category is the most expensive: an average of 779,707 dollars per individual incident according to the Ponemon Report 2025.
The Costs Are Real
The Ponemon Report 2025 quantifies the average annual cost of insider incidents at 17.4 to 19.5 million dollars per organisation – depending on methodology and sample size. Containing an incident takes an average of 81 days. If an incident is not resolved within 91 days, costs rise to an average of 18.7 million dollars. Cash App (Block Inc.) had to pay a 15-million-dollar settlement following an insider breach in 2021 – a former employee downloaded financial reports on 8.2 million customers after his departure. Access had simply not been revoked in time.
Recognising Warning Signs
Insider threats often announce themselves in advance. Security teams should be aware of the following indicators:
- Unusual access patterns: Logins outside working hours, large data downloads, access from unknown devices or locations
- Access to unrelated systems: An employee from accounting suddenly browsing technical repositories or customer databases
- Combination of dissatisfaction and increased activity: Conflicts with supervisors, formal warnings or being passed over for promotion combined with rising data access
- Resignation plus data transfer: Bulk downloads, emails to personal addresses or USB usage in the weeks before the last working day
- Circumventing security controls: Disabling endpoint protection, using unauthorised tools, bypassing VPN
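As an added illustration (not part of the original article), the following Python script scans constructed audit log lines for three of the indicators above: off-hours logins, logins from a country or device not previously seen for that user, and bulk downloads, and it cross-references bulk downloads with an assumed HR notice date to catch "resignation plus data transfer". The log format, thresholds and working-hours window are assumptions chosen for the example.

```python
"""Toy indicator scan over constructed audit log lines (assumed key=value format)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: ISO-8601 UTC timestamp, then key=value fields.
SAMPLE_LOG = """\
2025-03-10T09:12:00Z user=alice event=login country=DE device=lap-01
2025-03-10T09:40:00Z user=alice event=download bytes=120000 repo=finance
2025-03-11T10:02:00Z user=alice event=login country=DE device=lap-01
2025-03-12T08:55:00Z user=bob event=login country=DE device=lap-02
2025-03-12T09:30:00Z user=bob event=download bytes=80000 repo=hr-docs
2025-03-12T23:15:00Z user=alice event=login country=RO device=unknown-77
2025-03-12T23:20:00Z user=alice event=download bytes=5400000000 repo=customers
"""
# Constructed HR context: users who have handed in notice, with the notice date.
NOTICE_GIVEN = {"alice": "2025-03-11"}

WORK_HOURS = range(7, 20)      # assumption: 07:00-19:59 UTC is normal working time
BULK_BYTES = 1_000_000_000     # assumption: a single 1 GB+ download counts as bulk

def parse_line(line):
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def scan(log_text, notice_given):
    """Return (user, indicator, timestamp) findings; baselines come from earlier log lines."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda r: r["ts"])
    known_countries, known_devices = defaultdict(set), defaultdict(set)
    findings = []
    for r in records:
        u = r["user"]
        if r["event"] == "login":
            if r["ts"].hour not in WORK_HOURS:
                findings.append((u, "off_hours_login", r["ts"]))
            # Only flag a country/device as new once a baseline exists for this user.
            if known_countries[u] and r["country"] not in known_countries[u]:
                findings.append((u, "new_country", r["ts"]))
            if known_devices[u] and r["device"] not in known_devices[u]:
                findings.append((u, "new_device", r["ts"]))
            known_countries[u].add(r["country"])
            known_devices[u].add(r["device"])
        elif r["event"] == "download" and int(r["bytes"]) >= BULK_BYTES:
            findings.append((u, "bulk_download", r["ts"]))
            # Resignation plus data transfer: bulk movement on or after the notice date.
            if u in notice_given and r["ts"].date().isoformat() >= notice_given[u]:
                findings.append((u, "bulk_download_after_notice", r["ts"]))
    return findings
```

In a real deployment the baselines would be learned from weeks of history rather than the same log, and the HR feed would be the system of record for notice dates.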
Six Measures That Actually Work
1. Enforce least privilege consistently. Every user receives only the access rights required for their current role. Role-based access control (RBAC) is the foundation – but only effective if permissions are reviewed regularly and adjusted immediately when roles change. Quarterly access reviews are the minimum.
2. User and Entity Behavior Analytics (UEBA). UEBA solutions create behavioural profiles for each user and detect deviations: unusual login times, atypical data movements, sudden privilege escalation. This provides early warning signals before damage occurs.
3. Data Loss Prevention (DLP). DLP systems monitor and control data flows – whether via email, cloud upload, USB or printing. Sensitive data (personal data, trade secrets, financial data) is classified and its uncontrolled transfer is blocked.
4. Immediate access revocation during offboarding. The Cash App case demonstrates this starkly: a former employee retained access and caused a breach affecting 8.2 million individuals. Offboarding processes must deactivate all accounts, tokens, VPN access, cloud services and physical access media within hours – not days.
5. Security culture rather than mere compliance training. Annual mandatory training does not change behaviour. What works: regular, brief awareness measures, realistic phishing simulations, clear reporting channels without blame, and visible commitment from senior management. Carnegie Mellon CERT emphasises that an open reporting culture demonstrably uncovers insider incidents earlier.
6. Separation of Duties. Critical operations – payment approvals, system changes, user administration – require sign-off from at least two individuals. This significantly reduces the risk from both individual malicious actors and compromised single accounts.
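The offboarding requirement in measure 4 can be checked mechanically. As an added example (not Zerberos code or any real tool), this Python script compares a constructed HR departure feed with a constructed credential inventory and reports credentials that were revoked late, are still active, or were used after the departure time, which is the pattern behind the Cash App case above. The record structure and the 4-hour revocation target are assumptions.

```python
"""Offboarding revocation audit over constructed inventory data (assumed structure)."""
from datetime import datetime

# Constructed HR feed: user -> last working day and time (ISO 8601, UTC).
DEPARTURES = {"alice": "2025-03-14T17:00:00", "bob": "2025-03-01T17:00:00"}

# Constructed credential inventory: one row per account, token, VPN cert or badge.
# 'revoked' is the revocation time, or None while the credential is still active.
INVENTORY = [
    {"user": "alice", "kind": "sso_account", "revoked": "2025-03-14T18:30:00", "last_used": "2025-03-14T16:10:00"},
    {"user": "alice", "kind": "api_token",   "revoked": None,                  "last_used": "2025-03-20T02:15:00"},
    {"user": "alice", "kind": "vpn_cert",    "revoked": "2025-03-17T09:00:00", "last_used": None},
    {"user": "bob",   "kind": "sso_account", "revoked": "2025-03-01T17:05:00", "last_used": "2025-02-28T11:00:00"},
    {"user": "carol", "kind": "sso_account", "revoked": None,                  "last_used": "2025-03-21T09:00:00"},
]

SLA_HOURS = 4.0   # assumption: every credential must be revoked within 4 hours of departure

def _ts(s):
    return datetime.fromisoformat(s) if s else None

def _hours(delta):
    return round(delta.total_seconds() / 3600, 2)

def audit(departures, inventory, now_iso, sla_hours=SLA_HOURS):
    """Return (user, kind, indicator, hours) for departed users whose credentials
    outlived the SLA, are still active, or were used after the departure time."""
    now, findings = _ts(now_iso), []
    for row in inventory:
        if row["user"] not in departures:
            continue                                  # current staff are out of scope here
        left = _ts(departures[row["user"]])
        revoked, last_used = _ts(row["revoked"]), _ts(row["last_used"])
        lag = _hours((revoked or now) - left)          # active credentials count up to 'now'
        if revoked is None:
            findings.append((row["user"], row["kind"], "still_active", lag))
        elif lag > sla_hours:
            findings.append((row["user"], row["kind"], "revoked_late", lag))
        if last_used and last_used > left:
            findings.append((row["user"], row["kind"], "used_after_departure", _hours(last_used - left)))
    return findings
```

Any "used_after_departure" finding is an incident to investigate, not just a process gap, because the activity happened with valid credentials after the person had left.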
How Zerberos Protects Your Organisation
Insider threats require a different approach to traditional perimeter security. We support organisations in a targeted manner:
- Social engineering tests: Realistic phishing campaigns and physical social engineering tests reveal where your organisation is vulnerable
- Risk assessment: Systematic analysis of your access controls, offboarding processes and data classification
- Security awareness: Tailored training programmes customised to your organisation and industry
- Insider threat programme design: Development of processes, policies and technical controls against internal threats
Contact us for a no-obligation initial consultation.
Sources
- Verizon, 2025 Data Breach Investigations Report, verizon.com/business/resources/reports/dbir/
- Ponemon Institute / DTEX Systems, 2025 Cost of Insider Risks Global Report, ponemon.dtexsystems.com
- CISA, Insider Threat Mitigation Guide, cisa.gov/insider-threat-mitigation
- Carnegie Mellon University, CERT Insider Threat Center, sei.cmu.edu/about/divisions/cert
- TechCrunch, Tesla says data breach impacting 75,000 employees was an insider job, August 2023
- TechCrunch, Block confirms Cash App breach after former employee accessed US customer data, April 2022