Inside the Data on Insider Threats: What 1,000 Real Cases Reveal About Hidden Risk - Dark Reading

Dark Reading, archived Mar 26, 2026

Security analyst Michael Robinson spent 14 months mining thousands of legal filings to uncover who malicious insiders really are, how they operate, and why traditional detection models keep missing them.

Joan Goodchild, Contributing Writer, Dark Reading
October 28, 2025

After 14 months, 15,000 legal cases, and countless late nights, security analyst Michael Robinson distilled insider threats down to 1,000 instances of misconduct — real-world cases where trusted employees turned their access into a weapon.

"I gave up television, books, even exercise," he says. "For 14 months, I went through every case that touched an insider threat — computer abuse, trade secret theft, espionage — and pulled out the data. It was like true crime for cybersecurity."

That marathon of research formed the foundation for Robinson's upcoming Black Hat Europe briefing, "Understanding Trends & Patterns in Insider Threat: Analysis of 1,000+ Cases." He plans to reveal what he calls "the uncomfortable truths" about insider threats — truths that challenge many long-held assumptions about who the bad actors are, when they strike, and how they operate.

Insider threat is a universal risk, but one that few organizations want to discuss publicly.

"We share information about ransomware and nation-state attacks, but there's almost no collective learning and sharing about insiders," Robinson says. "Companies treat it like a dirty secret."

His study aims to change that.

Drawing from open US court records across 84 federal districts, Robinson discovered a surprisingly broad distribution of insider incidents spanning over 75 industries, including IT, finance, manufacturing, government, and healthcare.

But what surprised him most wasn't where the crimes occurred — it was who committed them. One-quarter of the malicious insiders were top executives.

"These were senior people — vice presidents, presidents — trusted with access to the company's most valuable data," he says. "That's a lot of foxes in the henhouse."

Even more unsettling, nearly 20% were high-performing employees who had been promoted, sometimes multiple times.

"We think of insider threats as disgruntled underperformers," Robinson says. "But some of these folks were rock stars. They had ambition and opportunity — and they used both in the wrong way."

After They Leave, the Damage Continues

The research also dismantles another common assumption: that the danger ends when an employee departs.

"Over half of the insiders in these cases quit voluntarily," Robinson explains. "They weren't fired — they just left of their own accord. But many came back to do harm after they were gone."

Ex-employees often retained more access than companies realized, with cloud tools, shared passwords, and remote access systems outside corporate single sign-on environments.

"Someone leaves and everyone breathes a sigh of relief: 'Thank goodness we dodged that bullet,'" he says. "But did you? Because they might still have access to your Salesforce instance or your cloud storage."

Robinson's analysis also uncovered a growing sophistication in how insiders exfiltrate data. They are using multiple methods, he says.

"It's email and cloud or USB and mobile phones. I've seen cases where someone emailed files, copied them to a flash drive, and then took pictures of the screen for good measure," he says. "It's layered — and that makes it exponentially harder to detect."

Collusion compounds the problem. In 31% of cases, insiders worked in pairs or small groups.

"Sometimes they'd say, 'You take this, I'll take that,'" Robinson says. "Spread the activity across multiple people, and suddenly it's buried in the noise on the network. Behavioral analytics tools can't easily flag that."

Breaking the 'NIMO' Mindset

If there's one barrier to progress that frustrates Robinson most, it's denial.

"Organizations fall into what I call NIMO — 'not in my organization,'" he says. "They believe they're good judges of character. But you can't manage insider risk with optimism."

His session will challenge attendees to rethink assumptions and adopt measurable, data-driven defenses.

"The first step to solving a problem is admitting you have one," Robinson says. "The second is understanding how bad actors really operate."

Robinson believes the industry's reliance on user behavior analytics and AI has limitations.

"When someone gets promoted, their baseline of behavior changes. When collusion happens, behaviors spread across people. Those models break down," he says.

Instead, Robinson advocates for more continuous visibility and longer log retention, since insider activity can unfold slowly over months.

"Companies often don't keep logs long enough to see the full picture," he says. "If you don't have the data, you can't investigate what happened."

Robinson also warns companies not to drag out departures.

"When someone gives notice, thank them and end access immediately," he says. "You're leaving the door open to risk when you keep them on for another month."

Ultimately, Robinson's goal is to move insider threat defense from intuition to intelligence.

"Everyone thinks they understand insider risk," he says. "But the data shows otherwise. We're making decisions based on anecdotes instead of evidence."

Robinson's talk promises a rare empirical view into one of cybersecurity's most elusive problems.

"This research isn't about fear," he says. "It's about awareness. Once you see the patterns, you can finally start to predict and prevent them."

He hopes the work will inspire the community to share information more openly — just as it does for external attacks.

"I don't need to know the company name or the person's identity," he says. "But if you tell me how they stole data, I can look for that same behavior in my own network. That's how we get better — together."

About the Author

Joan Goodchild, Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.