Inside the Data on Insider Threats: What 1,000 Real Cases Reveal About Hidden Risk

Summary

Michael Robinson analysed 1,000+ real insider-threat cases distilled from 15,000 legal filings across 84 federal districts. His findings overturn common assumptions: senior executives and high performers are significant perpetrators, many insiders strike after leaving, and theft is often multi-method and collaborative. Robinson calls for longer log retention, continuous visibility, immediate access termination on notice and better sharing of incident patterns.

Key Points

  • Study examined 1,000+ confirmed insider-misconduct cases compiled from 15,000 legal records over 14 months.
  • About 25% of malicious insiders were senior executives with high-level access.
  • Nearly 20% were high-performing, promoted employees rather than disgruntled underperformers.
  • Over 50% of incidents involved insiders who left voluntarily, and many of them carried out the theft or damage only after departure, often through access that was never revoked.
  • Data exfiltration is multilayered: email, cloud, USB, mobile and even photos of screens.
  • Collusion occurred in roughly 31% of cases, spreading activity across multiple people to evade detection.
  • Traditional behavioural analytics and AI models often fail when a user's baseline shifts (a promotion or new role changes what "normal" looks like) or when collusion spreads the activity across several accounts so that no single one crosses a per-user threshold.
  • Practical defences include immediate access revocation on notice, longer log retention and increased visibility.

Content Summary

Robinson’s research, presented at Black Hat Europe, mines open US court records to reveal who insider threats are and how they operate. The work challenges the ‘NIMO’ (‘Not in My Organisation’) mindset, showing insider risk is widespread across industries. Key surprises include the high proportion of senior leaders and promoted performers among perpetrators, and the persistence of risk after employees depart. The study highlights sophisticated exfiltration tactics and frequent collusion, and argues that current detection models and short log retention windows hinder investigations.

Context and Relevance

This piece matters because insider risk is one of the hardest threats to detect and often goes unshared between organisations. With cloud tools and complex remote access setups, former employees can retain entry points long after departure. The findings align with broader trends: privileged access abuse, the limits of behavioural tooling, and the need for incident intel sharing. Security teams, risk managers and execs should reassess offboarding, logging policies and cross-company information sharing.
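
Two of the findings above translate directly into detection logic: the collusion point in the Key Points list (per-user baselines miss theft that several people split between them) and the offboarding point here (a departed or notice-period employee should generate no activity at all). The following is an added example written for this summary; it is not code from Robinson's study or from the Dark Reading article. The event log, the per-user baselines, the team membership and the notice date are all constructed, and the thresholds (3x for a single user, 2x for a team with at least two members elevated above 1.5x) are illustrative choices, not figures from the study.

```python
"""Added example (not from the article): three detection rules motivated by the
study's findings. Every event, baseline and date below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Egress:
    day: date
    user: str
    team: str
    channel: str  # email, cloud, usb, mobile (the multi-channel point above)
    mbytes: int


# Constructed per-user daily egress baseline (MB/day), as if learned from history.
BASELINE_MB = {"alice": 20, "bob": 20, "carol": 20, "dave": 20, "erin": 30}
# Constructed: dave gave notice on 2 March; policy says access ends that day.
NOTICE_DATE = {"dave": date(2024, 3, 2)}

D1, D2, D3 = date(2024, 3, 1), date(2024, 3, 4), date(2024, 3, 5)
EVENTS = [
    # D1: an ordinary day for everyone.
    Egress(D1, "alice", "eng-a", "email", 22),
    Egress(D1, "bob", "eng-a", "cloud", 18),
    Egress(D1, "carol", "eng-a", "usb", 21),
    Egress(D1, "dave", "eng-a", "cloud", 19),
    Egress(D1, "erin", "sales", "email", 28),
    # D2: alice, bob and carol each move ~2.5x their baseline over different
    # channels; none trips a 3x per-user rule. dave is past his notice date.
    Egress(D2, "alice", "eng-a", "usb", 30),
    Egress(D2, "alice", "eng-a", "email", 20),
    Egress(D2, "bob", "eng-a", "cloud", 48),
    Egress(D2, "carol", "eng-a", "mobile", 52),
    Egress(D2, "dave", "eng-a", "cloud", 20),
    Egress(D2, "erin", "sales", "email", 30),
    # D3: erin alone moves ~4.7x her baseline, the case per-user rules do catch.
    Egress(D3, "alice", "eng-a", "email", 19),
    Egress(D3, "bob", "eng-a", "cloud", 21),
    Egress(D3, "erin", "sales", "cloud", 140),
]


def daily_totals(events):
    """Sum egress per (day, user) across all channels: a USB copy plus an email
    attachment on the same day is one volume, not two small unrelated ones."""
    totals = defaultdict(int)
    for e in events:
        totals[(e.day, e.user)] += e.mbytes
    return totals


def per_user_alerts(events, baseline=BASELINE_MB, factor=3.0):
    """Classic rule: flag a user whose daily volume is >= factor x their baseline."""
    alerts = []
    for (day, user), mb in sorted(daily_totals(events).items()):
        ratio = mb / baseline[user]
        if ratio >= factor:
            alerts.append((day, user, round(ratio, 2)))
    return alerts


def team_alerts(events, baseline=BASELINE_MB, team_factor=2.0,
                member_factor=1.5, min_members=2):
    """Collusion rule: flag a team on a day when its combined volume is >=
    team_factor x the sum of its members' baselines AND at least min_members
    members are each >= member_factor x their own baseline. Each colluder can
    stay under the per-user threshold; together they cannot."""
    team_of = {e.user: e.team for e in events}
    members = defaultdict(set)
    for user, team in team_of.items():
        members[team].add(user)
    by_day_team = defaultdict(lambda: defaultdict(dict))  # day -> team -> user -> MB
    for (day, user), mb in daily_totals(events).items():
        by_day_team[day][team_of[user]][user] = mb
    alerts = []
    for day in sorted(by_day_team):
        for team, vols in by_day_team[day].items():
            team_base = sum(baseline[u] for u in members[team])
            elevated = sorted(u for u, mb in vols.items()
                              if mb / baseline[u] >= member_factor)
            if sum(vols.values()) / team_base >= team_factor and len(elevated) >= min_members:
                alerts.append((day, team, elevated))
    return alerts


def post_notice_activity(events, notice=NOTICE_DATE):
    """Offboarding rule: any event by a user on or after their notice date means
    access was still live when policy says it should have been revoked."""
    return sorted({(e.day, e.user) for e in events
                   if e.user in notice and e.day >= notice[e.user]})


if __name__ == "__main__":
    print("per-user:", per_user_alerts(EVENTS))
    print("team:", team_alerts(EVENTS))
    print("post-notice:", post_notice_activity(EVENTS))
```

On the constructed log the per-user rule fires only for erin on D3, the team rule fires for eng-a on D2 with alice, bob and carol named, and the offboarding rule flags dave's D2 activity. The team rule's baseline sums every known member, including those quiet that day, so a team total is compared against what the whole team normally moves; the last rule needs nothing more than an HR notice feed joined to the same log, which is also why the article's call for longer log retention matters: a join like this is only possible for as long as the events are still there.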

Author style

Punchy: the article cuts through corporate optimism and forces evidence-based thinking — read the detail if you’re responsible for access, logs or incident response.

Why should I read this?

Short version: want to stop people who already have keys to the kingdom? This study gives you hard numbers and practical fixes — no doom-mongering, just the bizarre reality that C-suite and star performers often cause the damage, and that your logging and offboarding probably aren’t good enough.

Source

Source: https://www.darkreading.com/insider-threats/inside-the-data-on-insider-threats-what-1000-real-cases-reveal-about-hidden-risk