In December 2021, a former Cash App employee downloaded internal reports containing sensitive customer data after their employment had already ended. Their credentials had never been revoked. Block, Cash App’s parent company, could not account for how long the former employee had retained access after their departure. By the time the breach was identified and disclosed to the SEC, data on 8.2 million customers had been exposed. The eventual settlement cost $15 million. The insider threat program had not caught it, because the failure was in offboarding, not in active monitoring.
That case is well documented. What is less visible in the public record is the physical security equivalent: the former employee whose building access was never deactivated, whose knowledge of principal movements, facility layouts, and security protocols remains live long after their credentials should have been cancelled. The digital offboarding failure and the physical one share the same root cause. The moment someone stops being a trusted insider is rarely the moment their access reflects that change.
How Big Is the Problem
Research from the Ponemon Institute found that organizations averaged 13.8 negligent insider incidents in 2025, and 25 insider incidents in total across all categories over the same period. IBM’s breach cost research puts the average malicious insider incident at $4.99 million in total damage and 287 days to identify and contain. Compromised credentials averaged 292 days to detect. Human error accounted for more than a quarter of all breaches.
IBM also reported that 83 percent of enterprises experienced at least one insider cyber attack in 2024.
Those figures describe a cyber problem on the surface. The physical security implications run underneath them. An employee who has decided to act against their organization does not stay in the digital realm. Access to facility systems, knowledge of principal movements, familiarity with protective protocols, and awareness of security gaps are all physical risks that a motivated insider carries without ever touching a keyboard.
Malicious insider incidents take an average of 287 days to identify and contain. By the time most programs flag the risk, the damage is already done.
The categories matter here because they require different responses. Malicious insiders act with intent: data theft, sabotage, or providing access to external actors. Negligent insiders create exposure through poor security hygiene or susceptibility to social engineering. Compromised insiders are individuals whose credentials have been stolen and are being used by outside actors without their knowledge. Conflating these three categories leads to misdirected resources and preventable escalations.

Why Corporate Security Is Especially Exposed
Large organizations carry a specific vulnerability that smaller operations do not. Distributed workforces across multiple geographies, heavy reliance on cloud infrastructure, and complex third-party contractor relationships all expand the potential surface area. In that environment, monitoring for behavioral anomalies across dozens of systems is a task that outpaces manual review.
There is also an institutional reluctance that compounds the problem. Security teams are often hesitant to flag behavioral concerns without airtight evidence, for fear of appearing invasive or damaging workplace relationships. HR and legal teams apply the same caution. The result is a gap between early warning signals and the point at which any action is taken.
That gap is where most insider incidents succeed. A motivated individual with access, time, and operational knowledge does not need weeks or months to cause serious damage. High-profile cases have shown consistently that the reputational and financial cost of an insider incident that could have been prevented significantly exceeds the cost of detection.
Some of the most valuable threat intelligence is already public. People reveal far more about their intentions outside the corporate perimeter than they ever would inside it.
What Actually Works
No single control eliminates insider risk. The programs that consistently outperform others share a common architecture: technology, process, and culture layered together rather than deployed in isolation.
Cross-functional insider threat teams are increasingly recognized as foundational to that architecture. When security, HR, legal, and risk management operate under a shared framework, behavioral signals get evaluated with full context. Response actions are more legally defensible and proportionate.
Least-privilege access remains one of the highest-impact controls available to corporate security programs. Auditing permissions on a regular cadence, and actually revoking access that is no longer operationally necessary, dramatically reduces the blast radius of both malicious and negligent incidents. Many organizations discover, often too late, that former project members retain access to sensitive systems long after their operational involvement has ended.
Continuous behavioral monitoring, supported by AI and machine learning, has become essential as the volume and complexity of user activity have grown beyond what manual review can handle. Effective tools establish baseline patterns and flag deviations that warrant investigation: unusual login times, abnormal data transfers, and access to systems outside a user’s normal operational scope.
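The three deviation signals named above, as an added example rather than code from the article or any vendor tool: a per-user baseline built from constructed access events, then scored against new events. The hour slack and the three-sigma transfer threshold are illustrative assumptions, not an established standard.

```python
"""Behavioral baseline check (added example, not from the article).

Builds a per-user baseline from constructed historical access events and
flags new events that deviate on login hour, data volume, or system scope.
Thresholds (hour_slack, sigma) are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, hour_of_day, system, megabytes_transferred)
HISTORY = [
    ("alice", 9, "crm", 12), ("alice", 10, "crm", 15), ("alice", 14, "crm", 9),
    ("alice", 11, "wiki", 3), ("alice", 16, "crm", 14), ("alice", 9, "wiki", 2),
    ("bob", 8, "erp", 40), ("bob", 9, "erp", 55), ("bob", 17, "erp", 48),
    ("bob", 13, "erp", 50), ("bob", 10, "hr-reports", 20), ("bob", 15, "erp", 45),
]

def build_baseline(history):
    """Per user: observed login hours, systems used, and transfer mean/stdev."""
    per_user = defaultdict(lambda: {"hours": set(), "systems": set(), "mb": []})
    for user, hour, system, mb in history:
        b = per_user[user]
        b["hours"].add(hour)
        b["systems"].add(system)
        b["mb"].append(mb)
    return {u: {"hours": b["hours"], "systems": b["systems"],
                "mb_mean": mean(b["mb"]), "mb_sd": pstdev(b["mb"])}
            for u, b in per_user.items()}

def score_event(baseline, user, hour, system, mb, hour_slack=2, sigma=3.0):
    """Return the deviation labels for one new event (empty list = looks normal)."""
    b = baseline.get(user)
    if b is None:
        return ["unknown_user"]
    flags = []
    # Distance to the nearest baseline hour, wrapping around midnight.
    hour_gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in b["hours"])
    if hour_gap > hour_slack:
        flags.append("unusual_hour")
    if system not in b["systems"]:
        flags.append("out_of_scope_system")
    # Floor the stdev at 1 MB so a perfectly flat baseline still produces a threshold.
    if mb > b["mb_mean"] + sigma * max(b["mb_sd"], 1.0):
        flags.append("abnormal_transfer")
    return flags
```

An event that trips all three signals at once (off-hours, unfamiliar system, large transfer) is the profile the text describes; a single flag on its own is usually just a prompt for a human to look.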
Offboarding discipline rounds out a mature program. Pre-employment background checks address the front end. Continuous evaluation, particularly for personnel with access to critical systems, surfaces financial distress, behavioral changes, and external conflicts of interest before they become security events. The Cash App case was an offboarding failure as much as anything else.

What OSINT Changes
The detection layer that most insider threat programs have not yet built sits outside the corporate environment entirely.
Open Source Intelligence (OSINT), the systematic monitoring of publicly available signals such as social media platforms, professional forums, and dark web activity, surfaces early warning indicators that internal monitoring alone will miss. A disgruntled employee venting on a public forum, a contractor posting about internal systems, or credentials appearing in a dark web breach dataset can all serve as actionable signals before any internal system is touched.
The insider threat programs getting ahead of this risk aren't just monitoring internal systems. They're watching the public surface — where people are less guarded and early warning signals are easiest to read.
The value of OSINT operates on two timelines. Before an incident, it provides pre-emptive intelligence on behavioral warning signs that surface in spaces where people tend to be less guarded than they would be in a corporate communication channel. After an incident, it supports investigation by providing forensic context: external communications, timelines, and behavioral patterns that help reconstruct what happened and where the escalation began.
What makes OSINT particularly relevant to physical security teams is that the signals it captures are not confined to data and systems. A credible threat that begins as online rhetoric can materialize as a physical security risk. Organizations that have integrated OSINT monitoring into their broader insider threat program, rather than treating it as a standalone surveillance exercise, report measurably earlier detection of escalating behavioral risk.
Practical Takeaways
Audit your offboarding process now. Most insider incidents involve access that was never properly revoked. A quarterly review of active credentials against current personnel status costs less than a single containment event.
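The credential review described here and in the least-privilege section above, as an added example that is not the article's own or any product's code: it cross-checks an identity-provider account export against an HR roster and flags exactly the Cash App pattern, an account still enabled, or still authenticating, after its owner's termination date. The roster and account records are constructed sample data.

```python
"""Offboarding reconciliation check (added example, not from the article).

Cross-checks an identity-provider account export against an HR roster and
flags accounts that should have been revoked. All data below is constructed.
"""
from datetime import date, datetime

# Constructed HR roster: employee id -> (name, termination date or None if current)
HR_ROSTER = {
    "e100": ("Alice", None),
    "e101": ("Bob", date(2021, 10, 15)),
    "e102": ("Carol", date(2021, 11, 30)),
    "e103": ("Dave", None),
}

# Constructed IdP export: one record per account
ACCOUNTS = [
    {"employee_id": "e100", "user": "alice", "enabled": True, "last_login": "2021-12-09T08:12:00"},
    {"employee_id": "e101", "user": "bob", "enabled": True, "last_login": "2021-12-10T22:41:00"},
    {"employee_id": "e102", "user": "carol", "enabled": False, "last_login": "2021-11-29T17:05:00"},
    {"employee_id": "e999", "user": "svc-report", "enabled": True, "last_login": "2021-12-01T03:00:00"},
]

def audit_offboarding(roster, accounts):
    """Return (user, finding, detail) for every account that fails the check."""
    findings = []
    for acct in accounts:
        person = roster.get(acct["employee_id"])
        if person is None:
            # Orphaned accounts (service accounts, stale contractors) have no one
            # responsible for revoking them, so they are flagged too.
            findings.append((acct["user"], "no_hr_owner", "account not tied to anyone on the roster"))
            continue
        name, term_date = person
        if term_date is None:
            continue  # current employee: nothing to flag in this check
        if acct["enabled"]:
            findings.append((acct["user"], "active_after_termination",
                             f"{name} left {term_date}, account still enabled"))
        last = datetime.fromisoformat(acct["last_login"]).date()
        if last > term_date:
            days = (last - term_date).days
            findings.append((acct["user"], "login_after_termination",
                             f"{name} authenticated {days} days after leaving"))
    return findings
```

Run on a quarterly cadence, as the text suggests, the "login_after_termination" finding is the one that turns a missed revocation into an incident that needs investigation rather than just cleanup.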
Close the physical/digital gap in your insider threat program. If your program is structured around data exfiltration metrics alone, it will not catch the behavioral precursors that escalate to physical security risks. Cross-functional teams that include physical security leads in the behavioral review process consistently catch incidents earlier.
Add a public surface monitoring layer. Internal system monitoring tells you what someone is doing inside your environment. OSINT tells you what they are thinking and communicating outside it. The combination is significantly more predictive than either layer alone.
Vetting is not a one-time exercise. Background checks at the point of hire establish a baseline. Continuous evaluation, particularly for personnel in sensitive roles, is the mechanism that catches the changes that happen after someone joins.

The Bottom Line
The insider threat problem is not going away. Workforce complexity is increasing, trust relationships are more distributed than they were a decade ago, and the tools available to a motivated insider are more capable than they have ever been. Programs that treat insider risk as a checkbox exercise will keep underperforming.
The organizations managing this risk most effectively are the ones that have stopped treating the problem as a cybersecurity issue with occasional physical implications and started treating it as a physical security risk with a digital early warning system. That reframe, and the operational changes that follow it, is where the gap closes.
This article was published by The Circuit Magazine. For weekly intelligence briefings on the security and protection industry, subscribe to On The Circuit.