The Three Types of Insider Threat
Industry research (Ponemon, Verizon, IBM) consistently divides insider incidents into three buckets:
- Negligent — well-intentioned employees who click the wrong link, misconfigure a bucket, or email data to the wrong address. ~60% of incidents.
- Compromised — legitimate accounts taken over by external attackers. ~25%.
- Malicious — employees deliberately stealing or sabotaging. ~15%.
Most public coverage focuses on the malicious category. Most actual damage comes from the negligent category. Your controls need to address all three.
What Negligent Incidents Actually Look Like
- Employees emailing customer data to personal Gmail to "work from home" — and forgetting it lives there forever.
- Developers pasting production credentials into public ChatGPT or stack-trace screenshots.
- Sales reps loading lead lists into unsanctioned SaaS tools ("shadow IT").
- Departing employees taking client lists, code, or playbooks — sometimes without realizing they're crossing a line.
- Misconfigured S3 buckets, public Google Drive folders, exposed Notion pages.
The common thread: convenience pressure. People take shortcuts when sanctioned tools feel slower than unsanctioned ones.
Controls That Actually Work
- Data Loss Prevention (DLP) — content-aware blocking on email, web uploads, USB. Modern DLP is much less noisy than the 2015 version.
- Cloud Access Security Broker (CASB) — visibility into shadow SaaS usage.
- Endpoint visibility — process monitoring, file-write tracking, removable-media controls.
- Identity governance — periodic access reviews, automatic deprovisioning, reduced standing privileges.
- Behavioral analytics (UEBA) — flagging "this person normally downloads 50 records, suddenly downloaded 50,000."
- Sane sanctioned tooling — if your sanctioned options are worse than the shadow alternatives, you've lost before you started.