Inside the Data on Insider Threats: What 1,000 Real Cases Reveal About Hidden Risk
Recorded: Oct. 29, 2025, 3:40 p.m.
Original:
Security analyst Michael Robinson spent 14 months mining thousands of legal filings to uncover who malicious insiders really are, how they operate, and why traditional detection models keep missing them.

Joan Goodchild, Contributing Writer, Dark Reading
October 28, 2025

After 14 months, 15,000 legal cases, and countless late nights, security analyst Michael Robinson distilled insider threats down to 1,000 instances of misconduct—real-world cases where trusted employees turned their access into a weapon.

"I gave up television, books, even exercise," he says. "For 14 months, I went through every case that touched insider threat—computer abuse, trade secret theft, espionage—and pulled out the data. It was like true crime for cybersecurity."

That marathon of research formed the foundation for Robinson's upcoming Black Hat Europe briefing, Understanding Trends & Patterns in Insider Threat: Analysis of 1,000+ Cases. He plans to reveal what he calls "the uncomfortable truths" about insider threats—truths that challenge many long-held assumptions about who the bad actors are, when they strike, and how they operate.

Insider threat is a universal risk, but one that few organizations want to discuss publicly. "We share information about ransomware and nation-state attacks, but there's almost no collective learning and sharing about insiders," Robinson says. "Companies treat it like a dirty secret."

His study aims to change that. Drawing from open U.S. court records across 84 federal districts, Robinson discovered a surprisingly broad distribution of insider incidents—spanning over 75 industries, including IT, finance, manufacturing, government, and healthcare.

But what surprised him most wasn't where the crimes occurred—it was who committed them. One-quarter of the malicious insiders were top executives. "These were senior people—vice presidents, presidents—trusted with access to the company's most valuable data," he says. "That's a lot of foxes in the henhouse."

Even more unsettling, nearly 20% were high-performing employees who had been promoted, sometimes multiple times. "We think of insider threats as disgruntled underperformers," Robinson says. "But some of these folks were rock stars. They had ambition and opportunity—and they used both in the wrong way."

After They Leave, the Damage Continues

The research also dismantles another common assumption: that the danger ends when an employee departs.

"Over half of the insiders in these cases quit voluntarily," Robinson explains. "They weren't fired—they just left of their own accord. But many came back to do harm after they were gone."

Ex-employees often retained more access than companies realized, with cloud tools, shared passwords, and remote access systems outside corporate single sign-on environments. "Someone leaves and everyone breathes a sigh of relief—'Thank goodness, we dodged that bullet,'" he says. "But did you? Because they might still have access to your Salesforce instance or your cloud storage."

Robinson's analysis also uncovered a growing sophistication in how insiders exfiltrate data. They are using multiple methods, he says. "It's email and cloud, or USB and mobile phones. I've seen cases where someone emailed files, copied them to a flash drive, and then took pictures of the screen for good measure," he says. "It's layered—and that makes it exponentially harder to detect."

Collusion compounds the problem. In 31% of cases, insiders worked in pairs or small groups. "Sometimes they'd say, 'You take this, I'll take that,'" Robinson says. "Spread the activity across multiple people, and suddenly it's buried in the noise on the network. Behavioral analytics tools can't easily flag that."

Breaking the "NIMO" Mindset

If there's one barrier to progress that frustrates Robinson most, it's denial. "Organizations fall into what I call NIMO—'Not in My Organization,'" he says. "They believe they're good judges of character. But you can't manage insider risk with optimism."

His session will challenge attendees to rethink assumptions and adopt measurable, data-driven defenses.

"The first step to solving a problem is admitting you have one," Robinson says. "The second is understanding how bad actors really operate."

Robinson believes the industry's reliance on user behavior analytics and AI has limitations. "When someone gets promoted, their baseline of behavior changes. When collusion happens, behaviors spread across people. Those models break down," he says.

Instead, he advocates for more continuous visibility and longer log retention, since insider activity can unfold slowly over months. "Companies often don't keep logs long enough to see the full picture," he says. "If you don't have the data, you can't investigate what happened."

Robinson also warns companies not to drag out departures. "When someone gives notice, thank them and end access immediately," he says. "You're leaving the door open to risk when you keep them on for another month."

Ultimately, Robinson's goal is to move insider threat defense from intuition to intelligence. "Everyone thinks they understand insider risk," he says. "But the data shows otherwise. We're making decisions based on anecdotes instead of evidence."

Robinson's talk promises a rare empirical view into one of cybersecurity's most elusive problems. "This research isn't about fear," he says. "It's about awareness. Once you see the patterns, you can finally start to predict and prevent them."

He hopes the work will inspire the community to share information more openly—just as it does for external attacks. "I don't need to know the company name or the person's identity," he says. "But if you tell me how they stole data, I can look for that same behavior in my own network. That's how we get better—together."

About the Author: Joan Goodchild, Contributing Writer, Dark Reading. Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
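As an added example that is not part of the article or Robinson's study, the small Python detector below runs over constructed audit events to show why a per-user, per-channel threshold misses the layered exfiltration and collusion described above, and how three defender-side aggregations surface it: per user across channels, per data set across users, and any activity dated after a user's offboarding. The event format, thresholds, project names and the offboarding record are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed audit events: (day, user, channel, project, megabytes moved).
# Every single transfer sits below a typical per-channel DLP threshold.
EVENTS = [
    ("2025-03-03", "alice", "email", "falcon", 40),
    ("2025-03-04", "alice", "usb",   "falcon", 45),
    ("2025-03-05", "alice", "cloud", "falcon", 40),
    ("2025-03-04", "bob",   "email", "falcon", 45),
    ("2025-03-06", "bob",   "cloud", "falcon", 40),
    ("2025-03-05", "carol", "cloud", "atlas",  30),
    ("2025-04-10", "dave",  "cloud", "atlas",  20),
]
# Constructed offboarding record: user -> last day their access should exist.
DEPARTED = {"dave": "2025-03-31"}

PER_CHANNEL_MB = 50    # conventional one-user, one-channel threshold
PER_USER_MB = 100      # layered exfiltration: sum a user across channels
PER_PROJECT_MB = 150   # collusion: sum all users touching one data set

def per_channel_alerts(events):
    """Conventional check. Fires on none of the sample events."""
    totals = defaultdict(int)
    for _, user, channel, _, mb in events:
        totals[(user, channel)] += mb
    return sorted(k for k, v in totals.items() if v > PER_CHANNEL_MB)

def layered_alerts(events):
    """Email + USB + cloud added up per user over the whole retained window."""
    totals = defaultdict(int)
    for _, user, _, _, mb in events:
        totals[user] += mb
    return sorted(u for u, v in totals.items() if v > PER_USER_MB)

def collusion_alerts(events):
    """Group by the data set, not the person, so split-up work adds back up."""
    totals, users = defaultdict(int), defaultdict(set)
    for _, user, _, project, mb in events:
        totals[project] += mb
        users[project].add(user)
    return {p: sorted(users[p]) for p, v in totals.items()
            if v > PER_PROJECT_MB and len(users[p]) > 1}

def post_departure_alerts(events, departed):
    """Any event after a user's offboarding date means access was never cut."""
    return sorted({u for day, u, *_ in events if u in departed
                   and date.fromisoformat(day) > date.fromisoformat(departed[u])})
```

Note that bob alone stays under every per-user threshold and is only caught when the falcon data set is summed across people, and that the multi-day sums only exist if logs are retained for the whole window.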
Summarized:
Michael Robinson's exhaustive research into insider threats, detailed in a Dark Reading feature written by Joan Goodchild, turns a field often shrouded in mystery into a data-driven narrative. Over 14 months, Robinson combed through 15,000 U.S. legal filings from 84 federal districts to isolate 1,000 verified cases of employee misconduct that involved the theft or misuse of corporate data. This body of evidence, drawn from industries as varied as IT, finance, manufacturing, government and healthcare, reveals striking patterns that challenge conventional wisdom about who poses the greatest insider risk and how those risks can be detected and mitigated.

The findings contradict the common stereotype that the most dangerous insiders are disgruntled, underperforming subordinates. Robinson identified that one-quarter of the offenders were senior executives (vice presidents, presidents or other top leaders) whose high-level access gave them the means to move sensitive assets with relative ease. Equally alarming, roughly one-fifth of the actors were high-performing employees who had earned promotions, some multiple times, and leveraged that status to orchestrate breaches. These insights compel organizations to broaden their oversight beyond low-ranked or disgruntled staff and to recognize that ambition and opportunity, even among "rock stars," can be destructive when unchecked.

A second unsettling pattern is the persistence of insider threats after personnel departure. Over half of the offenders in Robinson's study voluntarily left their positions; many of them continued to cause damage once they had exited. The research demonstrates that exit procedures are often lax, with continued access to critical systems such as Salesforce or cloud storage maintained through shared passwords, legacy credential vaults or remote VPN entries. Consequently, the risk does not abate at the moment an employee quits; it can linger for months or even years.

Robinson also uncovered an evolving sophistication in data exfiltration techniques. Insiders are no longer confined to a single channel; the most common methods combine email, cloud storage, USB devices, and mobile devices, a layered approach that increases the difficulty of detection. In 31% of cases, collusion among a pair or small group of insiders was evident. By splitting the illicit work across multiple parties, perpetrators were able to embed their activity within normal network noise, thereby evading the pattern-matching capability of conventional user-behavior analytics (UBA) tools. When a promoted employee's baseline of activity shifts, or when several individuals collaborate, the assumptions that underpin many behavioral analytic models break down.

The "uncomfortable truths" Robinson promises to present also expose a broader cultural malaise that he calls NIMO ("Not In My Organization"). Many firms remain in denial, convinced they are uniquely immune because they believe they "know" their employees better than the competition. The data suggests otherwise: the threat is wide, heterogeneous, and not confined to any particular sector. As a result, companies should adopt a data-driven, measurable approach to insider threat management, replacing intuition with evidence.

Robinson's recommendations emphasize the need for continuous, comprehensive visibility and long-term data retention. Insider behaviors can evolve over months, and snapshots of activity are insufficient for attribution. He points out that behavioral analytics alone, especially in environments where role changes or collusion alter the activity baseline, are inadequate. Enforced policy should require rapid revocation of access upon notice of resignation, elimination of shared credentials, and stringent audit logging of all privileged operations. By extending the retention window of logs, organizations can reconstruct events that occur long after the offending individual has left the company.

Finally, Robinson advocates for more open sharing of insider threat incidents among security practitioners, comparable to the robust information exchange that exists for external attacks. He emphasizes that anonymity in exchange is permissible; sharing the modus operandi suffices to help others spot similar patterns in their own networks. The ultimate goal, he says, is to shift insider defence from a narrative of fear and anecdote to one grounded in quantified evidence, enabling a more precise prevention strategy that accounts for the true breadth and sophistication of insider risk.