
Paul Furtado at Gartner explores the hidden cyber-security threat already inside your organisation
When most organisations think of cyber-security threats, the focus is usually on the outside: ransomware groups, phishing scams, or state-sponsored attackers. They then look to bolster firewalls, deploy endpoint detection and chase down breaches in security. But in doing so, many are missing a growing reality: the biggest cyber-threat may already be inside the business.
Insider risk, the potential for an individual with authorised access to intentionally or unintentionally cause harm, is on the rise. Data shows a 28% surge in insider-driven data exposure incidents between 2021 and 2023. Even more alarming: just 1% of users are responsible for nearly 90% of data loss events. This concentration of risk is not theoretical. It plays out daily, from a rushed employee misdirecting sensitive files to a disgruntled insider walking out with trade secrets.
Unlike external threats, insider incidents are harder to detect, trickier to prove, and more damaging to organisational trust. With the hybrid workplace making sensitive data more portable than ever, this is an issue that CISOs and security and risk management leaders cannot simply patch or block at the perimeter.
The modern workplace has evolved dramatically in just a few years. Cloud-first architectures, collaboration platforms, and generative AI (GenAI) tools mean sensitive data moves faster, farther, and through more hands than ever before. Contractors, suppliers, and third parties extend the insider ecosystem beyond the traditional employee base.
This creates what many CISOs describe as the “perfect storm” for insider risk. Employees no longer just log into corporate systems; they connect from home networks, personal devices, and through SaaS tools outside IT’s direct control.
Meanwhile, the velocity of sensitive data has increased dramatically, flowing across platforms like Teams, Slack, and Google Drive, multiplying the opportunities for missteps. Motives are also evolving. From economic pressures to burnout, malicious intent can emerge where it’s least expected. At the same time, compromised credentials allow attackers to gain “insider” access without ever stepping into an office.
The impact of these trends is already evident. Insider incidents now account for 18% of cyber-losses across industries, and that number is rising.
Insider risk is the potential for an individual with authorised access to act in a way that negatively impacts the organisation. Insider threat, by contrast, represents those risks that have escalated into concrete harm. While not every insider risk becomes an insider threat, every insider threat begins as a risk.
Understanding this continuum is critical. Insider incidents typically fall into three categories. The first is careless users. These employees mishandle data out of haste or lack of awareness, such as a health insurer falling victim to a phishing campaign due to a single misclick. The second category is malicious insiders. These individuals deliberately steal or sabotage, as seen in high-profile cases involving Tesla and Cisco employees exfiltrating sensitive information. The final category is compromised accounts. In these scenarios, attackers gain valid credentials, such as during the Marriott breach where customer data was exposed through a third-party application.
Each scenario has unique drivers and requires distinct defensive strategies; treating them all the same risks failure.
Despite increased investment in controls, many insider risk management programmes (IRMPs) remain reactive. Over-reliance on data loss prevention technologies, or attempts at intrusive employee monitoring, often prove costly and ineffective. These approaches not only miss the broader behavioural context that typically precedes incidents but also risk eroding employee trust.
Traditional technologies such as data loss prevention (DLP) are inherently reactive, relying on predefined rules to block or flag activity once it has already occurred. This approach creates significant operational overhead, generating false positives that drain resources and erode productivity.
Predictive risk indicators (PRIs) provide an alternative. They integrate both technical and nontechnical signals into a more comprehensive assessment of potential risk. Technical indicators might include sudden increases in data movement, unusual access attempts, or abnormal login activity. Nontechnical indicators can be drawn from workplace patterns, such as sustained declines in performance, chronic absenteeism, or atypical working hours.
Individually, these data points may appear benign. When aggregated, however, they reveal patterns of behaviour that warrant proactive engagement. By leveraging PRIs, insider risk teams gain the ability to anticipate escalation and respond in a measured, timely way. Importantly, these indicators are developed and applied in accordance with legal and human resources frameworks, ensuring compliance with privacy regulations and organisational values.
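The aggregation described above, as an added illustration that is not part of the article: each indicator on its own stays below the engagement threshold, but several raised together for one user do not. The telemetry, HR figures, indicator names and thresholds are constructed for the example.

```python
from statistics import mean, pstdev

# Constructed sample telemetry, not from the article: one record per user per day.
# Fields: user, day index, kilobytes copied to external storage,
# number of logins outside core hours (assumed 07:00-19:00).
TELEMETRY = [
    ("alice", 1, 120, 0), ("alice", 2, 140, 0), ("alice", 3, 110, 1),
    ("alice", 4, 130, 0), ("alice", 5, 125, 0), ("alice", 6, 135, 2),
    ("bob",   1,  90, 0), ("bob",   2, 100, 0), ("bob",   3,  95, 0),
    ("bob",   4, 105, 0), ("bob",   5, 100, 0), ("bob",   6, 180, 1),
]
# Constructed non-technical signal shared by HR under an agreed policy:
# days absent without notice in the review window.
HR_ABSENCES = {"alice": 0, "bob": 6}

# Thresholds are assumptions for illustration; a real programme tunes them with HR and legal.
DATA_SPIKE_SIGMA = 2.0   # latest day's volume vs. the user's own baseline
OFF_HOURS_LOGINS = 1     # off-hours logins on the latest day
ABSENCE_DAYS = 5         # HR-reported absences in the window
ENGAGE_AT = 3            # number of raised indicators that warrants proactive outreach

def indicators_for(user, telemetry=TELEMETRY, hr=HR_ABSENCES):
    """Return the predictive risk indicators raised for one user."""
    rows = sorted(r for r in telemetry if r[0] == user)
    baseline = [r[2] for r in rows[:-1]]   # every day except the latest
    latest = rows[-1]
    sigma = pstdev(baseline) or 1.0        # guard against a perfectly flat baseline
    raised = []
    if (latest[2] - mean(baseline)) / sigma >= DATA_SPIKE_SIGMA:
        raised.append("data_movement_spike")
    if latest[3] >= OFF_HOURS_LOGINS:
        raised.append("off_hours_login")
    if hr.get(user, 0) >= ABSENCE_DAYS:
        raised.append("sustained_absence")
    return raised

def assess(user):
    """Aggregate the indicators: one alone is benign, several together trigger engagement."""
    raised = indicators_for(user)
    return {"user": user, "indicators": raised, "engage": len(raised) >= ENGAGE_AT}

if __name__ == "__main__":
    for u in ("alice", "bob"):
        print(assess(u))
```

Alice's single off-hours login is reported but does not trigger outreach; Bob's volume spike, off-hours login and absence record together do.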
Effective insider risk management is built on three critical pillars, the first of which is governance. Insider risk cannot be managed in isolation within the security function. Robust programmes establish cross-functional structures that bring together security, human resources, legal, and business leaders. This creates alignment with organisational risk tolerance and ensures accountability for programme outcomes.
The second pillar is the development of a defensible set of predictive indicators. These must be dynamic, regularly reviewed, and aligned with both business needs and privacy obligations. By combining technical and behavioural factors, organisations can achieve a balanced view that reduces false positives while increasing accuracy in identifying true risk.
The third pillar is transparent communication. Insider risk programmes that lack openness risk alienating employees and undermining trust. Clear messaging about the purpose of the programme, the data being collected, and the safeguards in place is essential. When communicated effectively, insider risk initiatives can reinforce, rather than diminish, a culture of security awareness across the organisation.
Insider risk demands a shift from reaction to anticipation. Surveillance-heavy practices and traditional controls are no longer sufficient. Predictive risk indicators provide a forward-looking framework that blends behavioural insight, governance and transparency, enabling organisations to protect data while preserving trust.
The choice is clear for CISOs and security and risk management leaders: remain reactive and exposed or adopt predictive approaches that reduce risk and strengthen culture. In the battle against the risk within, foresight is the only sustainable defence.
Paul Furtado is a VP Analyst at Gartner. Gartner analysts are exploring these issues in greater depth at the Gartner Security & Risk Management Summit taking place in London between 22 and 24 September 2025
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543