
Insider Threat: Myth and Reality

An often-repeated number, usually presented as if it were a long-established fact, is that the so-called Insider Threat is responsible for 70% of all computer attacks. The U.S. Federal Bureau of Investigation (FBI) is usually “cited” as the source.

Unfortunately, the FBI does not confirm that number and probably never did. The Bureau does, however, mention Insider Threats1),2) frequently, and for good reason. It is just that these Threat Actors do not break into computers - they do not have to.

Quoting Robert S. Mueller, III: 'These cases illustrate the growing scope of the “insider threat”—when employees use their legitimate access to steal secrets for the benefit of another company or country.'

Select Your Insider

1. Key Figure

An insider in the sense of an expert who knows a secret is able to boil the really valuable information down to a few words, numbers, or names. Such a person can leak the gist of the secret verbally in as little time as it takes to drink an espresso in a cafe. This kind of Insider Threat has nothing to do with computers: stealing ideas is something people have always done, which is why it has long been the subject of deliberation, publications, and contracts.

2. Worker Bee

Other threat actors labelled Insider Threat are in fact just people with the means to access internal resources from inside an organization. The permissions for accessing the respective computer resources have almost always been granted to that person by following the official procedures. Moreover, using the available digital resources is exactly what they were told to do in order to get their work done. So how can one tell who is an Insider Threat and who is simply a productive individual?

3. Insider Threats - The Making Of

Insider Threats are created either from an employee of the target itself or from an employee of another organization with access to the targeted company. It is not uncommon for underpaid employees to reconsider their options once they get an idea of the value of the data they work with. That value may lie in anything from material usable for blackmail, to the results of the various stages of a research and development effort, to simply lending a helping hand in delaying said R&D program.

Detection

The first problem is to notice when a threat turns into actual danger; Insider Threats are no exception.

In today's world, the mightiest intelligence services learn from the TV news that one of their contractors walked out with Compact Discs3) full of classified data. Stories like this leave the impression that the problem is hard to solve, which in fact it is.

A plethora of attempts to solve the problem with software updates, anti-virus solutions, data leak prevention appliances, and working HTTP proxy servers requiring Windows Domain authentication has unfortunately only demonstrated their cost, and rarely their value.

1. Quantifying Loss

CSI/FBI survey 2003: Monetary Losses

The above diagram from the CSI/FBI survey of 2003 suggests that the monetary losses caused by Insider Threat Actors are almost negligible when compared to other attacks on IT. So why even bother?

2. Qualifying Attackers

CSI/FBI survey 2003: Incidents

This table illustrates that a third of all respondents admit to having no idea where all those attacks came from. The larger values in the column for 1-5 incidents probably include a number of respondents who did not want to appear incompetent or not in control.

3) We call this method “Label Gaga”: disguising an item with widely recognized civilian labels, choosing labels that discourage further inspection.
blue/trinity/using/insider.txt · Last modified: 2016/03/18 12:38 (external edit)