From BBC to My Desk: My Story on the Pervasive Threat of Insider Attacks

Written by Vish Reddy | Oct 8, 2025 4:36:32 AM

I was listening to BBC news on my way home from a recent trip down to Phoenix, Arizona, when I heard a segment that piqued my interest and reminded me of my own experience before starting Revyz.

The broadcast detailed a chilling account from a BBC cyber correspondent who was directly propositioned by a criminal gang to help hack his own employer. The criminals offered him a cut of the ransom payment, claiming he "wouldn't need to work ever again" if he provided them with access to BBC systems. This direct attempt to leverage an insider for a malicious attack felt both surreal and deeply familiar. It reinforced a truth I've learned over two decades in data protection and security: the security perimeter is no longer the firewall; it's the person with a badge.

This experience brought me back to my own encounter with a potential insider threat. After my previous company was acquired, I discovered that our Jira roadmap was mysteriously changing on its own, with tickets being deleted. It was an eye-opening realization that even in our most critical business applications, a disgruntled or malicious insider could cause serious harm, and the data was simply gone forever. This personal incident, coupled with the rising tide of similar breaches, became the impetus for my co-founder and me to build our company, Revyz.

The Pervasive Threat from Within

The cybersecurity landscape has fundamentally shifted, with insiders—authorized individuals—becoming one of the most persistent and costly threats to organizations. Insider threats exist on a complex spectrum, primarily differentiated by their intent.

  • The Negligent Insider: These individuals, who are not malicious, account for approximately 75% of all insider incidents. Their actions, such as using weak passwords or failing to follow security protocols, are often the result of carelessness or error. A clear example is the Ascension Health ransomware attack in May 2024, which began when an employee inadvertently downloaded a malicious file, providing the Black Basta ransomware group with the initial access needed to disrupt clinical operations across 142 hospitals.
  • The Compromised Insider: This growing category involves external attackers who successfully exploit an employee's credentials, often through social engineering or phishing. The attacker then leverages the insider's legitimate access to conduct operations. A classic case is the Twitter (now X) compromise in July 2020, where hackers used a phone-based spear-phishing (vishing) campaign against employees to gain access to internal tools and hijack high-profile accounts for a cryptocurrency scam.
  • The Malicious Insider: These are deliberate actions by current or former employees or contractors to disrupt operations or steal data. Their danger lies in their legitimate access and deep understanding of internal systems. The Coinbase Global Inc. breach in May 2025 is a chilling case study of this. External hackers bribed multiple outsourced customer service agents to gain access to sensitive customer data over a five-month period, demonstrating that attackers are now prioritizing human compromise over technical exploits. Another incident involved a former Yahoo employee who exfiltrated 570,000 files, including source code, after accepting a job offer from a competitor, highlighting the acute risk posed by departing employees.

The Soaring Financial Impact and Common Failures

The financial consequences of insider threats are severe and escalating. The average annual cost of managing and mitigating these threats reached a staggering $17.4 million per organization in 2025. While negligent insiders account for the majority of incident volume, it is the compromised and malicious attacks that cause the highest financial damage. The average cost per incident for credential theft surged to nearly $780,000 in 2025, and malicious incidents averaged over $715,000 per event.

A key reason for these high costs is detection latency. The average time to contain an insider incident is a shocking 81 days. This prolonged "dwell time" gives actors ample opportunity to exfiltrate vast amounts of data. Incidents that take over 91 days to detect cost organizations an average of $18.7 million, proving that perimeter defenses are no longer sufficient.

Another common failure point is the lack of a strong Principle of Least Privilege (PoLP). The Tesla data breach in May 2023 serves as a clear lesson on this. Two former employees were able to exfiltrate sensitive corporate data and the personal information of nearly 76,000 employees because they had overly broad access to systems. This incident demonstrated that granting wide-ranging access for the sake of "productivity" is a dangerous trap, which directly facilitates large-scale data theft upon an employee's departure.

The data from the past five years is conclusive: the threat from within is persistent, costly, and rapidly evolving. It's no longer just about external actors; it's about the people with legitimate access, both a blessing and a curse. This shift requires a new approach to cybersecurity that prioritizes privilege enforcement, real-time behavior analytics, and robust controls for the entire human lifecycle—from hiring to off-boarding. It is this exact problem—the need for a new way to secure critical corporate data from the inside out—that inspired the creation of Revyz.