
The threat of insider risk has been a widely discussed topic in the security industry, especially as incidents of workplace violence and political unrest draw more attention. Insider risks can affect an organization's physical security, cybersecurity and reputation, making them a significant business concern.
While some may think of insider risks as the violent, intentional incidents that make headlines, many instances are far from those sensationalized occurrences. Instead, they arise during routine, everyday tasks and go unnoticed until it is too late.
“Every day, organizations face a spectrum of insider risk, from accidental missteps to deliberate sabotage,” states Dr. Margaret Cunningham, Vice President of Security & AI Strategy at Darktrace. “The high-profile cases we see in headlines — sabotage, bribery, espionage — are real and damaging, but they’re relatively rare. The daily reality is far more mundane: employees forwarding files to personal accounts, bypassing controls to meet deadlines, or uploading sensitive data into unsanctioned AI tools. These ‘tiny crimes’ are normalized behaviors that, at scale, create significant organizational risk.”
Fortinet's 2025 Insider Risk Report: The Hidden Cost of Everyday Actions finds that, in terms of cybersecurity, insider risk has become one of the greatest challenges organizations face. The report emphasizes that, unlike "bad actors using compromised credentials, insider risks are often woven into daily workflows," so the same small exposure is repeated frequently and the resulting security incidents compound over time.
Furthermore, the report found that 77% of organizations have experienced insider-related data loss in the last 18 months. Additionally, 21% reported more than 20 instances in that time frame.
“Insider threats are one of the most challenging threats to protect against as an IT professional, and it takes a multi-layered approach to effectively mitigate these risks,” says Darren Guccione, CEO and Co-Founder at Keeper Security. “Because some roles are more sensitive in nature, robust access controls are necessary. Standard zero trust approaches can be used to protect most information. Instead of relying on traditional perimeter-based security measures, zero trust assumes no implicit trust, so verification is required from anyone or anything trying to access resources. Essentially, zero trust removes the protected boundary or the ‘safe’ zone.”
Financial Concerns of Insider Risks
“Insider threats are a serious cyber threat because they originate from individuals within an organization who have authorized access, making them difficult to detect and potentially causing severe damage to an organization’s finances, reputation, and operations,” explains Matthieu Chan Tsin, Senior Vice President, Resiliency Services at Cowbell. “Insiders can exploit their privileged positions to steal data, disrupt systems, or facilitate external attacks, leading to financial losses, legal issues, and breaches of sensitive information.”
The report also examines the financial repercussions of insider risk, counting immediate remediation, downtime, regulatory penalties and reputational impact in its calculations. According to the findings, 41% of respondents said their "most serious insider incident" caused $1 million to $10 million in damages, and a further 9% reported losses above that range.
Senior Fellow at Sectigo Jason Soroko dives into these costs, asserting, “The rising cost of recovery after an insider attack is driven by the complexity of IT environments, the adoption of new technologies like IoT and AI, and inadequate security measures such as systems using weak authentication. These factors make detecting and mitigating insider threats more challenging, leading to more severe and costly breaches. Expenses escalate due to system restoration, data recovery, legal fees, regulatory fines and reputational damage control.”
How to Distinguish an Intentional Threat From an Accident
With 62% of incidents originating from human error rather than intentional attacks, the report reveals that “the greatest risk often comes from ordinary employees making small but consequential mistakes.” So how can organizations tell the difference between intentional attacks and human error?
Chad Cragle, Chief Information Security Officer at Deepwatch, explains, “When it comes to detecting malicious or unintentional insiders, you don’t look for a single smoking gun — you look for the smoke. It might be unusual file transfers at odd hours, a contractor probing systems outside their scope, or small anomalies that, when repeated over time, form a concerning pattern. Effective detection involves more than just collecting logs; it’s about correlating signals across systems, establishing behavioral baselines, and highlighting anomalies in context. It’s about spotting that midnight data transfer connected to an unusual login location, the use of an unapproved tool, and linking these clues quickly enough to intervene before damage occurs. The challenge is finding the right balance: staying vigilant without turning the workplace into a surveillance state.”
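The detection approach described above, correlating several weak signals against a per-user behavioral baseline instead of alerting on any single one, can be sketched in code. The following is an added example written for this page; it is not code from the article, from Deepwatch or from the Fortinet report. The comma-separated event format, the `SANCTIONED_DESTS` list of approved tools, the signal thresholds and all the sample events are assumptions constructed for illustration.

```python
"""Toy insider-risk triage: build a per-user baseline from historical
activity, then score new events on independent signals (off-hours,
unseen location, outlier transfer size, unsanctioned destination).
One signal is just smoke; several correlated signals become an alert.

Added example for illustration; not production detection logic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed list of approved collaboration tools (illustrative).
SANCTIONED_DESTS = {"corp-sharepoint", "corp-git"}


def parse(line):
    """Parse one constructed event: user,timestamp,country,bytes,destination."""
    user, ts, geo, nbytes, dest = line.strip().split(",")
    return {"user": user, "ts": datetime.fromisoformat(ts), "geo": geo,
            "bytes": int(nbytes), "dest": dest}


# Constructed historical activity (not real logs). Alice works daytime
# from the US with small uploads; Bob is a night-shift engineer in Germany
# who routinely pushes large artifacts, so big late-night transfers are
# normal for him and should not alert.
HISTORY = [parse(l) for l in """\
alice,2025-03-03T09:12:00,US,12000,corp-sharepoint
alice,2025-03-04T10:40:00,US,15000,corp-sharepoint
alice,2025-03-05T14:05:00,US,9000,corp-git
alice,2025-03-06T11:30:00,US,13000,corp-sharepoint
alice,2025-03-07T16:20:00,US,11000,corp-git
bob,2025-03-03T22:10:00,DE,400000,corp-git
bob,2025-03-04T23:05:00,DE,350000,corp-git
bob,2025-03-05T21:45:00,DE,420000,corp-git
bob,2025-03-06T22:30:00,DE,380000,corp-git""".splitlines()]

# Constructed new events to triage against the baselines.
NEW_EVENTS = [parse(l) for l in """\
alice,2025-03-10T02:14:00,RO,900000,personal-gdrive
alice,2025-03-10T11:00:00,US,14000,corp-sharepoint
bob,2025-03-10T22:00:00,DE,410000,corp-git
alice,2025-03-10T19:30:00,US,13000,chatgpt-web""".splitlines()]


def build_baselines(events):
    """Summarize each user's normal hours, locations, tools and volumes."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baselines = {}
    for user, evs in per_user.items():
        sizes = [e["bytes"] for e in evs]
        baselines[user] = {
            "hours": {e["ts"].hour for e in evs},
            "geos": {e["geo"] for e in evs},
            "dests": {e["dest"] for e in evs},
            "mean": mean(sizes),
            "std": pstdev(sizes) or 1.0,  # guard against zero spread
        }
    return baselines


def score_event(event, baselines):
    """Return (score, reasons); each independent anomaly adds one point."""
    b = baselines.get(event["user"])
    if b is None:
        return 1, ["no baseline for user"]
    reasons = []
    hour = event["ts"].hour
    # Off-hours only counts when it is also outside this user's own pattern.
    if hour not in b["hours"] and (hour < 6 or hour >= 20):
        reasons.append("off-hours activity outside user's baseline")
    if event["geo"] not in b["geos"]:
        reasons.append(f"location {event['geo']} never seen for user")
    z = (event["bytes"] - b["mean"]) / b["std"]
    if z > 3:
        reasons.append(f"transfer volume {z:.1f} sd above user's mean")
    if event["dest"] not in SANCTIONED_DESTS:
        reasons.append(f"unsanctioned destination {event['dest']}")
    return len(reasons), reasons


def triage(events, baselines, threshold=3):
    """Raise an alert only when several signals line up on one event."""
    alerts = []
    for e in events:
        score, reasons = score_event(e, baselines)
        if score >= threshold:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    base = build_baselines(HISTORY)
    for user, ts, reasons in triage(NEW_EVENTS, base):
        print(f"ALERT {user} {ts}: " + "; ".join(reasons))
```

Running it alerts only on Alice's 02:14 upload of 900 KB to a personal drive from a country she has never logged in from: four signals at once. Her 19:30 upload to an unapproved AI tool scores a single point and stays below the threshold (one of the "tiny crimes" worth tracking over time rather than paging on), and Bob's late-night 410 KB push is silent because it matches his own baseline.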
https://www.securitymagazine.com/articles/101964-security-leaders-share-why-77-organizations-lose-data-due-to-insider-risks