The Scale of the Insider Threat Problem
The Ponemon Institute's Cost of Insider Threats report put the average annual cost of insider incidents at $16.2 million, up from $15.4 million in the previous edition. Verizon's 2024 DBIR attributed 35% of breaches to internal actors once negligent insiders are counted alongside malicious ones, and Carnegie Mellon's CERT Insider Threat Center has reported that 60% of data breaches involve insider access. Despite this, most security budgets go overwhelmingly to external threats (firewalls, EDR, and penetration testing) while insider risk monitoring remains an afterthought.
Real Cases: Tesla, Cash App, Twitter
In August 2023, Tesla confirmed that a data breach affecting 75,735 individuals was caused by two former employees who, while still employed, copied personal data including Social Security numbers, bank account details, and trade secrets and passed it to a German newspaper. Tesla sued and obtained court orders restraining the pair from further use of the data, but the reputational and regulatory damage was done. In April 2022, Block (formerly Square) disclosed that a former Cash App employee had downloaded reports containing data on roughly 8.2 million current and former customers after leaving the company; their access had not been revoked. At Twitter (now X), a former employee was convicted in 2022 of spying for Saudi Arabia, having used his employee access to look up the private account data of dissidents on the platform.
Why Traditional Security Misses Insiders
Insiders already have legitimate access. They are authenticated, authorised, and operating within the network. Traditional DLP relies on predefined rules about what sensitive data looks like and where it may be sent, but insiders know which rules are in place and how to circumvent them, for example by compressing or encoding a file so the content pattern no longer matches. EDR looks for malicious executables and known attack patterns, not an employee copying files to a personal cloud drive. Firewalls typically permit outbound traffic from authorised users by default. The fundamental problem is that these tools are designed to stop outsiders from getting in, not insiders from getting data out.
- DLP: insiders know the rules and work around them
- EDR: designed for malware detection, not data theft by authorised users
- Firewalls: permit outbound traffic from authenticated users
- Access controls: necessary but insufficient without egress monitoring
How ADX Catches Insider Exfiltration
BlackFog's Anti Data Exfiltration (ADX) technology monitors all outbound data flows at the device level, regardless of who is sending the data. It does not ask whether the user is authorised; it asks whether the data transfer is. If an employee attempts to upload customer records to a personal Dropbox, send files to an unrecognised email domain, or transfer data to a foreign server, BlackFog blocks it in real time. This is fundamentally different from DLP: instead of classifying data and writing rules around it, ADX treats unauthorised outbound data movement as suspicious by default, so a transfer is stopped on the basis of where it is going rather than on whether its content happened to match a pattern. In a case like Tesla's, ADX is designed to block the copy to personal devices or outside services before the files leave the endpoint. Because enforcement happens on the device, it only covers endpoints running the agent; it complements rather than replaces timely access revocation, which is what failed in the Cash App incident.
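To make the contrast between the two sections above concrete (rule-based DLP that insiders can route around, versus blocking on the destination of the transfer), here is an added example. It is not BlackFog code and does not reflect how ADX is implemented; the allowlists, host names, user, and customer records are constructed for the demonstration. It runs the same four outbound events through a content-classification check and a destination-based check and records each verdict.

```python
"""Classification-first DLP versus egress-first blocking on the same events.

Added illustration, not vendor code. All hosts, domains and data are constructed.
"""
import base64
import re
import zlib
from dataclasses import dataclass

# Hypothetical corporate destinations the egress policy authorises (assumption).
AUTHORISED_HOSTS = {
    "files.example-corp.internal",
    "example-corp.sharepoint.com",
}
# Hypothetical mail domains the organisation recognises (assumption).
AUTHORISED_MAIL_DOMAINS = {"example-corp.com"}

# Pattern a rule-based DLP engine might use to spot US Social Security numbers.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class OutboundEvent:
    event_id: str
    user: str
    protocol: str   # "https_upload" or "smtp"
    dest_host: str  # upload host, or the recipient's mail domain for smtp
    payload: bytes


def dlp_verdict(ev: OutboundEvent) -> str:
    """Classification-first: block only when the bytes look sensitive and the
    destination is external. Anything the pattern cannot see is allowed."""
    if ev.dest_host in AUTHORISED_HOSTS or ev.dest_host in AUTHORISED_MAIL_DOMAINS:
        return "allow"
    return "block" if SSN_RE.search(ev.payload) else "allow"


def egress_verdict(ev: OutboundEvent) -> str:
    """Egress-first: block any transfer whose destination is not authorised,
    without looking at the user or the payload at all."""
    if ev.protocol == "smtp":
        return "allow" if ev.dest_host in AUTHORISED_MAIL_DOMAINS else "block"
    return "allow" if ev.dest_host in AUTHORISED_HOSTS else "block"


# Constructed customer export with fictional SSN-formatted values.
CUSTOMER_EXPORT = (
    b"name,ssn,account\n"
    b"A. Person,123-45-6789,0001\n"
    b"B. Person,987-65-4321,0002\n"
)


def disguise(data: bytes) -> bytes:
    """Trivial evasion an insider might use: compress then base64-encode, so the
    SSN regex finds nothing (the base64 alphabet contains no hyphens)."""
    return base64.b64encode(zlib.compress(data))


# Constructed events: the same records sent to sanctioned and unsanctioned places.
SAMPLE_EVENTS = [
    OutboundEvent("E1", "alice", "https_upload", "example-corp.sharepoint.com", CUSTOMER_EXPORT),
    OutboundEvent("E2", "alice", "https_upload", "www.dropbox.com", CUSTOMER_EXPORT),
    OutboundEvent("E3", "alice", "https_upload", "www.dropbox.com", disguise(CUSTOMER_EXPORT)),
    OutboundEvent("E4", "alice", "smtp", "gmail.com", disguise(CUSTOMER_EXPORT)),
]


def evaluate(events):
    """Return {event_id: (dlp_verdict, egress_verdict)} for each event."""
    return {ev.event_id: (dlp_verdict(ev), egress_verdict(ev)) for ev in events}


if __name__ == "__main__":
    for eid, (dlp, egress) in evaluate(SAMPLE_EVENTS).items():
        print(f"{eid}: dlp={dlp:5} egress={egress}")
```

E1 is allowed by both checks because the destination is a corporate share. E2, plaintext records to a personal Dropbox, is caught by both. E3 and E4 carry the same records, merely compressed and base64-encoded; the content rule allows them, while the destination check still blocks them, which is the distinction the section draws. Note that the egress check is only as good as its allowlist, so it needs maintaining as new sanctioned SaaS destinations appear.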
Frequently Asked Questions
What percentage of data breaches involve insiders?
Carnegie Mellon's CERT Insider Threat Center has reported that 60% of data breaches involve insider access. Verizon's 2024 DBIR attributed 35% of breaches to internal actors, counting both malicious and negligent insiders.
What is the difference between ADX and DLP for insider threats?
DLP classifies data and enforces rules about where it may go, but insiders know the rules and can circumvent them. ADX monitors all outbound data flows and blocks unauthorised transfers regardless of who initiates them or what the data looks like. It is an egress-first approach rather than a classification-first approach.
How did the Tesla insider breach happen?
Two former Tesla employees copied personal data, including Social Security numbers and bank account details, for 75,735 individuals and passed it to a German newspaper; Tesla confirmed the breach in August 2023. They had legitimate access to the data as employees, so access controls alone did not prevent the exfiltration.