Why every organization needs a strategy for combating security breaches caused by authorized users.
Well-funded criminal groups with sophisticated tooling strike fear into everyone responsible for cybersecurity. The Russian cybercrime group behind the TrickBot malware, for instance, has been linked to ransomware extortion of more than $833 million in cryptocurrency. Other notorious groups include North Korea's Lazarus Group, the Russia-based FIN7, the Magecart card-skimming groups and Evil Corp.
As menacing as these groups sound, Stephen in sales and Ellen in engineering are likely to pose the more immediate threat.
Security experts consistently rank insiders among the top threats: in some surveys, insider-related incidents account for almost 60 percent of data breaches, and various studies suggest that around 95 percent of breaches involve some element of human error.
Insider threats are as costly as they are common. According to the Ponemon Institute's 2025 Cost of Insider Risks Report, the average annual cost of insider incidents per organization continues to rise, reaching $17.4 million in 2024, up from $16.2 million in 2023. Costs have increased even though the average time to contain an insider incident dropped slightly, from 86 days to 81 days.
Common Insider Threats
What constitutes an “insider threat”?
Most people think of employees, contractors and other users who deliberately abuse their authorized access to systems and data. Some will steal data or destroy systems because they are disgruntled or under financial stress. Employees may also take data when they leave the company because they believe they are entitled to it.
However, breaches are more likely to result from employees who unintentionally mishandle sensitive data or commit policy violations through "workarounds" that bypass the IT process. Common risky behaviors include forwarding files to personal email accounts, copying data to a USB stick or consumer-grade cloud storage, and writing down passwords. The problem tends to be most acute among remote users, whose devices and activity are subject to fewer controls and less oversight.
Third-party vendors with privileged network access create a further exposure; industry surveys estimate that roughly 60 percent of data breaches involve a third party, a figure that overlaps with the insider statistics above because a vendor's staff are insiders of the vendor. The weak points are typically vendors who share logins and passwords among team members, or whose own security practices put the credentials your organization issued them at risk.
The Right Security Strategy
Given the number of high-profile data breaches caused by insider threats, organizations should take steps to mitigate that risk. An important starting point is to develop a risk management strategy and establish security policies and best practices. Regular security awareness training can help users understand their role in maintaining strong security and discourage them from bypassing security policies.
Organizations should enforce least-privilege access, granting users only the systems and data they need for their current role. Entitlements should be reviewed on a schedule and revoked when a role changes or an access right goes unused. Ideally, organizations should move toward a zero-trust architecture, in which every access request is authenticated and authorized against current user, device and context signals rather than trusted because it originates inside the network.
Organizations should also protect credentials, particularly privileged ones. A privileged access management (PAM) vault stores passwords, keys and other "secrets" centrally, brokers access to them, and can rotate a privileged password after every checkout so that it is effectively single-use and cannot be shared or reused. Each checkout is logged, which also gives investigators a record of who used which account and when.
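As an added example (not from the original article), the following Python sketches the access review just described over constructed IAM data: it compares each user's grants against an assumed role-to-entitlement map and flags grants that either exceed the role or have gone unused past an assumed 90-day threshold. The roles, entitlements, users and dates are all made up.

```python
"""Least-privilege access review over constructed (not real) IAM data.

Added example, not from the article. Two finding types are produced:
"exceeds role" for a grant the user's role does not need, and "stale"
for an in-role grant that has not been used within STALE_AFTER.
"""
from datetime import datetime, timedelta, timezone

# Assumed role model: each role maps to the entitlements it needs.
ROLE_ENTITLEMENTS = {
    "sales":       {"crm:read", "crm:write", "email:send"},
    "engineering": {"repo:read", "repo:write", "ci:run"},
    "finance":     {"ledger:read", "ledger:write", "payroll:read"},
}

# Constructed review snapshot: role, current grants, last use per grant.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
USERS = {
    "stephen": {
        "role": "sales",
        "grants": {
            "crm:read":    NOW - timedelta(days=1),
            "crm:write":   NOW - timedelta(days=3),
            "email:send":  NOW,
            "ledger:read": NOW - timedelta(days=200),  # left over from a prior project
        },
    },
    "ellen": {
        "role": "engineering",
        "grants": {
            "repo:read":  NOW - timedelta(days=2),
            "repo:write": NOW - timedelta(days=2),
            "ci:run":     NOW - timedelta(days=120),   # in role, but unused for months
            "prod:admin": None,                         # granted, never used
        },
    },
}

STALE_AFTER = timedelta(days=90)  # assumed review policy


def review_user(name, record, now=NOW, stale_after=STALE_AFTER):
    """Return a sorted list of (grant, reason) findings for one user.

    A user whose role is unknown gets an empty needed-set, so every grant
    is reported as exceeding the role; that is deliberate, since an
    unmodelled role should not silently pass review.
    """
    needed = ROLE_ENTITLEMENTS.get(record["role"], set())
    findings = []
    for grant, last_used in sorted(record["grants"].items()):
        if grant not in needed:
            findings.append((grant, "exceeds role"))
        elif last_used is None or now - last_used > stale_after:
            findings.append((grant, "stale"))
    return findings


def review_all(users=USERS, now=NOW):
    """Run the review for every user; the result is the revocation worklist."""
    return {name: review_user(name, rec, now) for name, rec in users.items()}


if __name__ == "__main__":
    for user, findings in review_all().items():
        for grant, reason in findings:
            print(f"{user}: revoke {grant} ({reason})")
```

In a real environment the `USERS` snapshot would come from the identity provider or cloud IAM export, and last-use timestamps from access logs; the comparison logic stays the same.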
Modifying behavior through education and policy isn’t enough, however. Organizations must also have the right security tools to prevent breaches and identify potential vulnerabilities.
The Value of AI
Insider threats are notoriously difficult to detect because the actors hold legitimate credentials and pass every authentication check. The usable signal is therefore behavior, and AI-assisted analytics (often marketed as user and entity behavior analytics, or UEBA) are increasingly used to surface anomalies and patterns that are indicative of insider activity.
Research on insider threat detection typically groups behavioral features into categories such as user-related, role-related, time-related, activity-related and email-related, and trains machine learning models on them to separate normal activity from possibly malicious behavior; some published studies report accuracy as high as 99.8 percent. Treat such figures with care: genuine insider incidents are rare, so a model that labels almost everything as normal also scores very high accuracy. Precision, recall and the false-positive rate an analyst team can absorb are the numbers that matter in practice.
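To make the feature categories concrete, here is an added Python example (not from the article or any study it cites) that extracts time-, activity-, role- and email-related features from constructed audit events, builds a per-user baseline from a week of normal history, and scores new user-days against it. It also covers the risky behaviors listed earlier, such as attachments to personal email and writes to removable media. The event format, domains, weights and thresholds are assumptions; a real deployment would replace the hand-tuned weights with a trained model and set the threshold against the false-positive rate the SOC can handle.

```python
"""Added example (not from the article): behavior-based insider scoring.

Features are grouped per (user, day) in the categories the article names:
time (login hours), activity (downloads, removable-media writes), role
(downloads outside the user's role) and email (attachments to external
domains). All events, domains, weights and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ROLE_RESOURCES = {"sales": {"crm"}, "engineering": {"repo", "ci"}}  # assumed
CORPORATE_DOMAINS = {"example.com"}                                 # assumed


def extract_features(events):
    """Group (timestamp, user, role, action, target) events into per-day records."""
    recs = defaultdict(lambda: {"login_hours": [], "downloads": 0, "usb_writes": 0,
                                "external_attachments": 0, "out_of_role": 0})
    for ts, user, role, action, target in events:
        t = datetime.fromisoformat(ts)
        r = recs[(user, t.date())]
        if action == "login":
            r["login_hours"].append(t.hour)
        elif action == "download":
            r["downloads"] += 1
            if target.split("/")[0] not in ROLE_RESOURCES.get(role, set()):
                r["out_of_role"] += 1
        elif action == "usb_write":
            r["usb_writes"] += 1
        elif action == "email_attachment" and target.rsplit("@", 1)[-1] not in CORPORATE_DOMAINS:
            r["external_attachments"] += 1
    return recs


def build_baseline(records):
    """Per-user mean/std of login hour and daily download count from normal history."""
    hours, downloads = defaultdict(list), defaultdict(list)
    for (user, _day), r in records.items():
        hours[user].extend(r["login_hours"])
        downloads[user].append(r["downloads"])
    # pstdev of a constant history is 0; fall back to 1.0 to avoid division by zero
    return {u: {"hour_mean": mean(hours[u]), "hour_std": pstdev(hours[u]) or 1.0,
                "dl_mean": mean(downloads[u]), "dl_std": pstdev(downloads[u]) or 1.0}
            for u in hours}


def score_record(user, rec, baseline):
    """Return (score, reasons) for one user-day; weights are assumed, not tuned."""
    b = baseline.get(user)
    if b is None:
        return 1.0, ["no baseline for user"]
    score, reasons = 0.0, []
    for h in rec["login_hours"]:                          # time-related
        z = abs(h - b["hour_mean"]) / b["hour_std"]
        if z > 3:
            score += 2.0
            reasons.append(f"login at {h:02d}:00 (z={z:.1f})")
    z = (rec["downloads"] - b["dl_mean"]) / b["dl_std"]   # activity-related
    if z > 3:
        score += 2.0
        reasons.append(f"{rec['downloads']} downloads (z={z:.1f})")
    if rec["usb_writes"]:
        score += 1.5
        reasons.append(f"{rec['usb_writes']} removable-media writes")
    if rec["external_attachments"]:                       # email-related
        score += 1.5
        reasons.append(f"{rec['external_attachments']} attachments to external domains")
    if rec["out_of_role"]:                                # role-related
        score += 3.0
        reasons.append(f"{rec['out_of_role']} downloads outside role")
    return score, reasons


def detect(baseline_events, new_events, threshold=3.0):
    """Score every user-day in new_events against baseline_events; return alerts."""
    baseline = build_baseline(extract_features(baseline_events))
    alerts = {}
    for (user, day), rec in extract_features(new_events).items():
        score, reasons = score_record(user, rec, baseline)
        if score >= threshold:
            alerts[(user, str(day))] = (score, reasons)
    return alerts


# Constructed history: five normal weekdays, 09:00 logins, 2-3 downloads a day.
BASELINE_EVENTS = []
for day in range(2, 7):
    for user, role, res in (("stephen", "sales", "crm"), ("ellen", "engineering", "repo")):
        BASELINE_EVENTS.append((f"2025-06-0{day}T09:00:00", user, role, "login", "vpn"))
        for i in range(2 + day % 2):
            BASELINE_EVENTS.append((f"2025-06-0{day}T1{i}:00:00", user, role, "download", f"{res}/doc{i}"))

# Constructed new activity: Stephen bulk-exports CRM data at 02:00 and moves it
# out via USB and personal email; Ellen pulls a finance file outside her role.
NEW_EVENTS = [("2025-06-09T02:00:00", "stephen", "sales", "login", "vpn")]
NEW_EVENTS += [(f"2025-06-09T02:{i:02d}:00", "stephen", "sales", "download", f"crm/export{i}")
               for i in range(12)]
NEW_EVENTS += [
    ("2025-06-09T02:30:00", "stephen", "sales", "usb_write", "E:/export.zip"),
    ("2025-06-09T02:35:00", "stephen", "sales", "email_attachment", "stephen.home@personal-mail.example"),
    ("2025-06-09T09:00:00", "ellen", "engineering", "login", "vpn"),
    ("2025-06-09T10:00:00", "ellen", "engineering", "download", "repo/service.py"),
    ("2025-06-09T11:00:00", "ellen", "engineering", "download", "repo/README.md"),
    ("2025-06-09T14:00:00", "ellen", "engineering", "download", "ledger/q2-forecast.xlsx"),
    ("2025-06-10T09:00:00", "stephen", "sales", "login", "vpn"),  # a normal day, no alert
    ("2025-06-10T10:00:00", "stephen", "sales", "download", "crm/doc0"),
    ("2025-06-10T11:00:00", "stephen", "sales", "download", "crm/doc1"),
]

if __name__ == "__main__":
    for key, (score, reasons) in sorted(detect(BASELINE_EVENTS, NEW_EVENTS).items()):
        print(key, score, reasons)
```

Note what the example does not do: it has no notion of labelled incidents, so it cannot report accuracy at all. That is the honest position for most organizations, which is why a behavioral baseline plus a tunable threshold, reviewed against the alert volume analysts actually clear, is a more useful starting point than a headline accuracy number.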
While these tools show great promise, organizations need a multi-layered approach to security that combines training and policy enforcement with technology. A security-aware culture remains one of the most powerful tools for preventing insider threats. Organizations should also adopt a strategy that balances security with privacy and operational efficiency to reduce the temptation for users to take shortcuts that put systems and data at risk.