Internal employees are responsible for as much as 80 percent of the malicious attacks at organizations -- at least according to the stats I've seen cited around the Internet. Yet that figure seem to be much higher than what I've observed in my professional IT management and consulting experience over the past two decades. Out of at least 100 security incidents -- a conservative number -- I've seen, only a handful were caused by employees.
In light of those statistics, I've wondered whether the problem of insider threats is really that bad or if my experience has been aberrant. Perhaps companies tend to avoid using outside security consultants when the problem is an internal issue. While researching a forthcoming paper on insider threats, I discovered just how significant a threat insiders pose. When you factor in the various ways insiders can harm your organization, both wittingly and unwittingly, that 80 percent figure becomes plausible.