Inside the Data on Insider Threats: What 1,000 Real Cases Reveal About Hidden Risk


Dark Reading


Security analyst Michael Robinson spent 14 months mining thousands of legal filings to uncover who malicious insiders really are, how they operate, and why traditional detection models keep missing them.

October 28, 2025

After 14 months, 15,000 legal cases, and countless late nights, security analyst Michael Robinson distilled insider threats down to 1,000 instances of misconduct — real-world cases where trusted employees turned their access into a weapon.

"I gave up television, books, even exercise," he says. "For 14 months, I went through every case that touched an insider threat — computer abuse, trade secret theft, espionage — and pulled out the data. It was like true crime for cybersecurity."

That marathon of research formed the foundation for Robinson's upcoming Black Hat Europe briefing, "Understanding Trends & Patterns in Insider Threat: Analysis of 1,000+ Cases." He plans to reveal what he calls "the uncomfortable truths" about insider threats — truths that challenge many long-held assumptions about who the bad actors are, when they strike, and how they operate.

Insider threat is a universal risk, but one that few organizations want to discuss publicly. "We share information about ransomware and nation-state attacks, but there's almost no collective learning and sharing about insiders," Robinson says. "Companies treat it like a dirty secret."

His study aims to change that.
Drawing from open US court records across 84 federal districts, Robinson discovered a surprisingly broad distribution of insider incidents spanning over 75 industries, including IT, finance, manufacturing, government, and healthcare.

But what surprised him most wasn't where the crimes occurred — it was who committed them. One-quarter of the malicious insiders were top executives. "These were senior people — vice presidents, presidents — trusted with access to the company's most valuable data," he says. "That's a lot of foxes in the henhouse."

Even more unsettling, nearly 20% were high-performing employees who had been promoted, sometimes multiple times. "We think of insider threats as disgruntled underperformers," Robinson says. "But some of these folks were rock stars. They had ambition and opportunity — and they used both in the wrong way."

The research also dismantles another common assumption: that the danger ends when an employee departs.

"Over half of the insiders in these cases quit voluntarily," Robinson explains. "They weren't fired — they just left of their own accord. But many came back to do harm after they were gone."

Ex-employees often retained more access than companies realized, with cloud tools, shared passwords, and remote access systems outside corporate single sign-on environments.

"Someone leaves and everyone breathes a sigh of relief: 'Thank goodness we dodged that bullet,'" he says. "But did you? Because they might still have access to your Salesforce instance or your cloud storage."

Robinson's analysis also uncovered a growing sophistication in how insiders exfiltrate data. They are using multiple methods, he says. "It's email and cloud or USB and mobile phones. I've seen cases where someone emailed files, copied them to a flash drive, and then took pictures of the screen for good measure," he says.
"It's layered — and that makes it exponentially harder to detect."

Collusion compounds the problem. In 31% of cases, insiders worked in pairs or small groups. "Sometimes they'd say, 'You take this, I'll take that,'" Robinson says. "Spread the activity across multiple people, and suddenly it's buried in the noise on the network. Behavioral analytics tools can't easily flag that."

If there's one barrier to progress that frustrates Robinson most, it's denial. "Organizations fall into what I call NIMO — 'not in my organization,'" he says. "They believe they're good judges of character. But you can't manage insider risk with optimism."

His session will challenge attendees to rethink assumptions and adopt measurable, data-driven defenses.

"The first step to solving a problem is admitting you have one," Robinson says. "The second is understanding how bad actors really operate."

Robinson believes the industry's reliance on user behavior analytics and AI has limitations. "When someone gets promoted, their baseline of behavior changes. When collusion happens, behaviors spread across people. Those models break down," he says.

Instead, Robinson advocates for more continuous visibility and longer log retention, since insider activity can unfold slowly over months. "Companies often don't keep logs long enough to see the full picture," he says. "If you don't have the data, you can't investigate what happened."

Robinson also warns companies not to drag out departures. "When someone gives notice, thank them and end access immediately," he says. "You're leaving the door open to risk when you keep them on for another month."

Ultimately, Robinson's goal is to move insider threat defense from intuition to intelligence. "Everyone thinks they understand insider risk," he says. "But the data shows otherwise. We're making decisions based on anecdotes instead of evidence."

Robinson's talk promises a rare empirical view into one of cybersecurity's most elusive problems.
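The three detection points Robinson raises above (exfiltration layered across several channels, activity split between colluding colleagues, and logs too short to show a slow drip) can be made concrete with a small aggregating detector. The Python below is an added example, not code from the article or from Robinson's study: the event log, user names, team assignments, the HR departure date and the megabyte thresholds are all constructed and hypothetical, and the four detectors are deliberately simple so the effect of each aggregation axis is visible.

```python
"""Added example (not from the Dark Reading article or Robinson's research):
a toy insider-activity detector that aggregates data movement across
channels, across people on a team, and across time, and also flags accounts
still active after HR's recorded departure date.  Every name, volume,
threshold and date is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    day: int        # day number in the log (constructed; larger = more recent)
    user: str
    channel: str    # "email", "usb", "cloud" or "phone"
    mb: float       # volume moved, in megabytes


TODAY = 90          # newest day present in the constructed log

# Constructed sample log (hypothetical users and volumes).
EVENTS = [
    # alice: layered exfiltration; each channel stays small, the total does not
    Event(80, "alice", "email", 40), Event(81, "alice", "usb", 45),
    Event(82, "alice", "cloud", 35), Event(83, "alice", "phone", 30),
    # bob and carol: same team, one data set split between two people
    Event(75, "bob", "cloud", 60), Event(75, "carol", "usb", 60),
    # erin: slow drip, 12 MB every ten days across the whole 90-day span
    *[Event(d, "erin", "cloud", 12) for d in range(0, 91, 10)],
    # dave: HR recorded his departure on day 30, yet his cloud account moves data
    Event(70, "dave", "cloud", 20),
    # frank: ordinary, low-volume activity
    Event(85, "frank", "email", 10),
]

TEAM_OF = {"alice": "eng", "bob": "sales", "carol": "sales",
           "dave": "eng", "erin": "finance", "frank": "sales"}
DEPARTURE_DAY = {"dave": 30}    # HR separation dates (constructed)

USER_THRESHOLD_MB = 100         # total per user over the retained window
TEAM_THRESHOLD_MB = 100         # total per team over the retained window


def in_window(events, window_days, today=TODAY):
    """Simulate log retention: keep only the most recent `window_days` days."""
    return [e for e in events if today - e.day < window_days]


def per_channel_flags(events, threshold=USER_THRESHOLD_MB):
    """Naive detector: one threshold per (user, channel). Misses layering."""
    totals = defaultdict(float)
    for e in events:
        totals[(e.user, e.channel)] += e.mb
    return sorted({u for (u, _c), mb in totals.items() if mb > threshold})


def per_user_flags(events, threshold=USER_THRESHOLD_MB):
    """Sum every channel per user, so email + USB + cloud + phone add up."""
    totals = defaultdict(float)
    for e in events:
        totals[e.user] += e.mb
    return sorted(u for u, mb in totals.items() if mb > threshold)


def per_team_flags(events, team_of=TEAM_OF, threshold=TEAM_THRESHOLD_MB):
    """Sum across people on a team, so split (collusive) activity adds up."""
    totals = defaultdict(float)
    for e in events:
        totals[team_of.get(e.user, "unknown")] += e.mb
    return sorted(t for t, mb in totals.items() if mb > threshold)


def post_departure_flags(events, departures=DEPARTURE_DAY):
    """Any activity on an account after the date HR says the person left."""
    return sorted({e.user for e in events
                   if e.user in departures and e.day > departures[e.user]})


def report(window_days):
    """Run all four detectors over whatever the retention window preserved."""
    ev = in_window(EVENTS, window_days)
    return {
        "per_channel": per_channel_flags(ev),
        "per_user": per_user_flags(ev),
        "per_team": per_team_flags(ev),
        "post_departure": post_departure_flags(ev),
    }


if __name__ == "__main__":
    for window in (7, 30, 91):
        print(f"{window:>3}-day retention: {report(window)}")
```

With a 7-day window nothing is flagged at all. At 30 days the per-user sum catches alice's four-channel layering that the per-channel detector never sees, the team sum surfaces the bob/carol split, and the HR cross-check flags dave's post-departure account use. Only at 91 days does erin's slow drip cross any threshold, which is the retention point: the detectors are identical, the difference is whether the data still exists.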
"This research isn't about fear," he says. "It's about awareness. Once you see the patterns, you can finally start to predict and prevent them."

He hopes the work will inspire the community to share information more openly — just as it does for external attacks. "I don't need to know the company name or the person's identity," he says. "But if you tell me how they stole data, I can look for that same behavior in my own network. That's how we get better — together."

Joan Goodchild, Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Source: This article was originally published on Dark Reading
