Insider risks often go unnoticed, develop over months or years, cause significant damage and currently represent one of the biggest challenges for companies. How can they be sustainably eliminated?
An insider risk refers to the risk that a trusted individual within a company – whether through negligence, error or with intent – compromises security, data or operations.
In this article, we present three real-life cases and how the risk could have been prevented.
Daniel M. was an IT security administrator at a financial technology company. For years he had unrestricted access to sensitive client data and to the algorithms behind the firm's trading platforms. Facing financial difficulties, he began gradually extracting data – via private cloud storage and USB sticks – and manipulated the access logs as he went. A routine audit detected unusual data transfers, and the subsequent digital forensic investigation revealed that Daniel M. had copied proprietary software code over several months and sold it to a foreign competitor.
Not only is digital data at risk, physical documents are also a common entry point for insider risks. A private banker at a large foreign bank resigned, and before leaving, he printed extensive lists of client relationship data: names, account balances and investment profiles. His goal was to take these client relationships directly to his next employer. The theft was only discovered when several customers reported being contacted by their former advisor.
An IT administrator at an insurance company, following disagreements with colleagues, was on the verge of having their employment terminated. Unnoticed, they planted a ‘logic bomb’ – a programmed destructive routine that activates after a specific time or condition. Weeks after their departure, the routine caused massive server outages by manipulating and deleting central databases. The investigation revealed that the malware had been implemented deliberately. Restoring the data and addressing the damage cost the company millions.
The “Cost of Insider Risk 2025 Global Report” by the Ponemon Institute shows that companies worldwide are increasingly investing in insider risk management to reduce security incidents, lower costs and improve response times. The share of IT security budgets allocated to this area has doubled from 8.2% in 2023 to 16.5% in 2024. At the same time, 81% of companies have an insider risk management programme or plan to implement one.
Companies that have implemented insider risk management report benefits such as time and cost savings in handling incidents and a strengthening of their brand reputation. The average time to contain an incident decreased for the first time – from 86 days in 2023 to 81 days. Faster response times were found to significantly reduce costs while the frequency of insider incidents is also declining. In contrast, the average annual costs are rising, now reaching USD 17.4 million. The report identified that operational disruptions and direct and indirect labour costs are the most significant consequences of an insider incident. Despite growing budgets, many companies still consider their funding to be insufficient, and nearly half expect to increase budgets by 2025, with a stronger focus on preventive measures.
Negligence or employee errors account for the highest average annual costs of insider incidents. While the average number of such incidents has slightly decreased in recent years, the cost of addressing each one has risen significantly – from USD 505,113 in 2023 to USD 676,517 in 2024.
Incidents 2024 | Average cost per incident | Average annual costs
Negligence / errors | 676,517 | 8,828,292
Criminal activity | 715,366 | 3,719,898
Credential theft | 779,707 | 4,834,190
Table 1: Average annual costs per incident for the three types of incidents (in USD)
‘Stranger danger!’ The findings of the previous year’s report (“2023 Cost of Insider Risks Global Report”) highlighted a worrying increase in insider incidents and rising costs for addressing them. According to that study, cyber budgets were misaligned: 88% of companies invested less than 10% of their IT security budgets in managing insider risks, with 91.8% focused on external risks – even though more than half of companies identified social engineering as one of the main causes of external attacks.
In an increasingly digital work environment, User and Entity Behaviour Analytics (UEBA) is being used to detect unusual activity by employees and systems with the help of AI and machine learning, while context-based analysis reduces false positives. However, UEBA also carries risks: employees may feel they are under constant surveillance.
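To make the UEBA idea concrete, and to show the kind of "unusual data transfer" signal that surfaced the Daniel M. case above, here is an added example (not code from the original article or any UEBA product). It scores each user's daily egress volume against that user's own baseline, adds off-hours and channel context, and suppresses an alert when a constructed ticketing record says the bulk transfer was approved. The log format, user names, thresholds, the 0.1 × mean floor on the standard deviation and the approval table are all constructed assumptions for illustration.

```python
"""Toy UEBA-style scoring of per-user daily egress against a personal baseline.

Added example for illustration only; log format, users, thresholds and the
approval table are constructed and not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "timestamp,user,channel,bytes". The first five days per
# user form the baseline; 2024-03-06 is the day being evaluated.
SAMPLE_LOG = """\
2024-03-01T10:15:00,alice,smb,100000
2024-03-02T10:20:00,alice,smb,120000
2024-03-03T09:55:00,alice,smb,110000
2024-03-04T11:05:00,alice,smb,90000
2024-03-05T10:40:00,alice,smb,130000
2024-03-06T10:10:00,alice,smb,115000
2024-03-01T09:00:00,bob,smb,200000
2024-03-02T09:10:00,bob,smb,210000
2024-03-03T09:05:00,bob,smb,190000
2024-03-04T09:30:00,bob,smb,205000
2024-03-05T09:15:00,bob,smb,195000
2024-03-06T14:00:00,bob,cloud,6000000
2024-03-01T13:00:00,daniel,smb,150000
2024-03-02T13:30:00,daniel,smb,140000
2024-03-03T12:45:00,daniel,smb,160000
2024-03-04T13:10:00,daniel,smb,155000
2024-03-05T13:20:00,daniel,smb,145000
2024-03-06T02:30:00,daniel,usb,4000000
2024-03-06T11:00:00,daniel,smb,150000
2024-03-06T23:10:00,daniel,cloud,3500000
"""

# Constructed context source: (user, day) pairs with an approved bulk-transfer
# justification. In practice this would be fed from a ticketing or HR system.
APPROVED_BULK_TRANSFERS = {("bob", "2024-03-06"): "constructed ticket: approved data migration"}

BASELINE_DAYS = ["2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04", "2024-03-05"]
Z_THRESHOLD = 3.0          # assumed alerting threshold in standard deviations
REMOVABLE_OR_EXTERNAL = ("usb", "cloud")  # channels that raise severity


def parse_log(text):
    """Parse the CSV-style constructed log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, channel, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "channel": channel, "bytes": int(nbytes)})
    return events


def daily_totals(events):
    """Sum bytes per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"].date().isoformat()] += e["bytes"]
    return totals


def is_off_hours(ts):
    """Assumed office window 07:00-20:00; anything outside counts as off-hours."""
    return ts.hour >= 20 or ts.hour < 7


def zscore(value, baseline):
    """Deviation of today's volume from the user's own baseline, in std devs.
    The std dev is floored at 10% of the mean (and at 1 byte) so that a very
    flat baseline does not turn a small change into a huge score."""
    mu = mean(baseline)
    sigma = max(pstdev(baseline), 0.1 * mu, 1.0)
    return (value - mu) / sigma


def score_day(events, day, baseline_days=BASELINE_DAYS):
    """Return per-user findings for `day`: z-score, context and a verdict."""
    totals = daily_totals(events)
    findings = {}
    for user, per_day in totals.items():
        baseline = [per_day.get(d, 0) for d in baseline_days]
        z = zscore(per_day.get(day, 0), baseline)
        day_events = [e for e in events
                      if e["user"] == user and e["ts"].date().isoformat() == day]
        off_hours = sum(is_off_hours(e["ts"]) for e in day_events)
        channels = sorted({e["channel"] for e in day_events})
        context = APPROVED_BULK_TRANSFERS.get((user, day))
        if z < Z_THRESHOLD:
            verdict = "normal"
        elif context:
            verdict = "suppressed"      # context-based analysis removes the false positive
        elif off_hours or any(c in REMOVABLE_OR_EXTERNAL for c in channels):
            verdict = "high"            # anomalous volume plus off-hours or external channel
        else:
            verdict = "medium"
        findings[user] = {"z": round(z, 2), "off_hours_events": off_hours,
                          "channels": channels, "context": context, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for user, f in score_day(parse_log(SAMPLE_LOG), "2024-03-06").items():
        print(f"{user:7} z={f['z']:>8} off-hours={f['off_hours_events']} "
              f"channels={f['channels']} verdict={f['verdict']}")
```

Run as a script it prints one line per user: alice stays "normal", daniel's combination of a large volume spike, two off-hours events and USB/cloud channels is rated "high", and bob's equally large spike is "suppressed" because the constructed approval record explains it. The point of the per-user baseline and the context lookup is exactly the false-positive reduction the paragraph describes: a global byte threshold would have flagged bob and daniel identically.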
Insider risks are diverse – ranging from data theft to the unnoticed removal of documents to deliberate sabotage.
Many companies focus on technology but overlook the critical human factor. Ultimately, it is not systems but employees – with individual motives and influences – who may come under pressure and make potentially life-changing mistakes. Companies that rely solely on isolated technical solutions, neglect interpersonal aspects or create a ‘surveillance mentality’ are more likely to foster distrust than collaboration. An effective insider risk management strategy requires a holistic approach: a strong corporate culture and clear governance structures, with technology as an enabler. Only when employees see themselves as part of the solution can insider risk be sustainably managed.
This article was originally published on the Economic Crime Blog of the Lucerne University of Applied Sciences and Arts.