We have built a massive machine to stop data theft.
If an employee tries to download 5,000 sensitive files to a USB drive, we catch them (increasingly). We have User and Entity Behaviour Analytics (UEBA), Data Loss Prevention (DLP) agents, protocols, and budgets dedicated to this single problem. It is a success story.
But this success has created a dangerous strategic blind spot.
By becoming experts at detecting Information Theft, we have inadvertently convinced ourselves that we are managing all insider risk. We aren’t. We are aggressively managing the one domain that generates the most logs, while the other seven remain largely unmonitored.

Here is why our focus is skewed, and why the risks of the next decade require a completely different approach.
The Taxonomy of Neglect
Practitioners generally recognise 8 distinct insider risks. Look at this list and ask yourself where your budget goes:
- Information Theft (The industry focus)
- Sabotage (Physical, Data, and IT/OT)
- Workplace Violence
- Terrorism (religious and issue-motivated)
- Physical Theft, Diversion & Supply Chain Compromise
- Foreign Interference
- Espionage
- Internal Control Compromise
I suspect 90% of your resources are dedicated to #1 (and maybe a bit to #8), leaving the other seven exposed.
The Evidence of the Gap
These “neglected” domains are no longer theoretical anomalies. For example:
#6 Foreign Interference (The "Imposter"). Increasingly, the most pervasive threat isn't a spy stealing blueprints; it is foreign interference of the kind seen in the 2024-2025 "North Korean IT Worker" fraud scheme, in which operatives used false or borrowed identities to be hired as remote staff.
- The Blind Spot: These trusted insiders don’t trigger DLP alerts because they aren’t trying to steal data—they are trying to keep their jobs.
- The Risk: They represent a pre-positioned sabotage force with “commit access.”
#2 Sabotage (The Kinetic Insider) In 2022, saboteurs cut the fiber-optic cables for the German Rail network in two separate locations.
- The Blind Spot: The precision of the cuts implied “insider knowledge.” No firewall or UEBA could stop the physical attack enabled by inside info.
The High Cost of “Silent” Risks
We focus on Information Theft because it is "Noisy" (spikes in logs). But the "Silent", Low Probability High Impact (LPHI) risks often cost more.
Consider Société Générale. The rogue trader (Jérôme Kerviel) didn’t steal money directly; he compromised Internal Controls (Domain 8).
- The Fine: €4 MILLION (Poor compliance).
- The Loss: €4.9 BILLION (Control failure).
We spend millions optimising for the fine, while ignoring the bankruptcy-level risk.
3 Steps to Monitor the Other Seven Domains
We don’t need to throw away DLP, but we must pivot:
1. Re-tune UEBA for Context: Ingest Physical Access Control System (PACS), HR, and OT data. A threat isn't just "downloading files": it is an aggrieved employee entering the facility at 3 AM, which only stands out once badge events are joined to HR context.
2. Validate Identity, Not Just Activity: To catch the "Imposter," move beyond point-in-time background checks to biometric validation, and keep confirming that the person doing the work is the person who was hired (for example, live video identity checks at onboarding and periodic re-verification).
3. Monitor "Integrity," Not Just "Confidentiality": Detect changes to business logic and safety-relevant configuration (e.g., "Why was this sensor threshold changed, by whom, and under which change ticket?"), not just the movement of files.
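As an added illustration of the three steps above (example code written for this page, not the author's own tooling or any vendor's product), the Python below joins a constructed badge (PACS) feed, an HR status feed and an OT configuration audit feed on a hypothetical employee_id field. It raises an alert when someone on notice or already terminated badges in overnight, when a badge is used at a site the person is not authorised for, when a trip threshold moves by more than a chosen percentage or without a change ticket, and then pairs the OT change with a badge event for the same person inside a one-hour window. All records, field names, HR status values and thresholds are assumptions for the example.

```python
"""Context-aware insider-risk correlation over three constructed feeds.

Assumed schema (not from the article): a PACS badge feed, an HR status
feed and an OT configuration audit feed, all keyed on employee_id.
Every record below is constructed sample data, not a real log.
"""
from dataclasses import dataclass
from datetime import datetime, time

# HR states treated as elevated context. The set is an assumption for the example.
ELEVATED_HR_STATUS = {"notice_given", "terminated", "performance_plan", "grievance_open"}


@dataclass(frozen=True)
class Alert:
    domain: str        # taxonomy domain the alert speaks to
    employee_id: str
    when: datetime
    detail: str


# Constructed HR feed: employee_id -> (status, sites the person is authorised for)
HR = {
    "e1001": ("active", {"plant-a"}),
    "e1002": ("notice_given", {"plant-a"}),
    "e1003": ("terminated", {"plant-b"}),
    "e1004": ("active", {"plant-b"}),
}

# Constructed PACS feed: (employee_id, timestamp, site, door, direction)
PACS = [
    ("e1001", datetime(2025, 3, 4, 9, 2), "plant-a", "main-gate", "in"),
    ("e1002", datetime(2025, 3, 4, 3, 17), "plant-a", "switchroom", "in"),    # 03:17, on notice
    ("e1003", datetime(2025, 3, 4, 23, 40), "plant-b", "main-gate", "in"),    # badge still live after exit
    ("e1004", datetime(2025, 3, 4, 2, 50), "plant-b", "control-room", "in"),  # 02:50, but no HR flag
    ("e1004", datetime(2025, 3, 4, 11, 0), "plant-a", "main-gate", "in"),     # site not authorised
]

# Constructed OT change audit: (employee_id, timestamp, asset, parameter, old, new, change_ticket)
OT_CHANGES = [
    ("e1004", datetime(2025, 3, 4, 10, 5), "boiler-2", "high_pressure_trip_bar", 18.0, 18.5, "CHG-0412"),
    ("e1002", datetime(2025, 3, 4, 3, 25), "boiler-2", "high_pressure_trip_bar", 18.5, 40.0, None),
]


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end), allowing a window that wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def badge_alerts(pacs, hr, night_start=time(22, 0), night_end=time(6, 0)):
    """Step 1: a badge event only becomes interesting once HR context is joined to it."""
    alerts = []
    for emp, ts, site, door, _direction in pacs:
        status, sites = hr.get(emp, ("unknown", set()))
        if status == "terminated":
            alerts.append(Alert("internal_control", emp, ts, f"badge live after termination ({door}@{site})"))
        if status in ELEVATED_HR_STATUS and in_window(ts.time(), night_start, night_end):
            alerts.append(Alert("sabotage", emp, ts, f"off-hours entry to {door}@{site}, HR status {status}"))
        if site not in sites:
            alerts.append(Alert("internal_control", emp, ts, f"entry at {site}, not an authorised site"))
    return alerts


def integrity_alerts(changes, max_rel_change=0.25):
    """Step 3: flag setpoint changes that are large or have no change ticket behind them."""
    alerts = []
    for emp, ts, asset, param, old, new, ticket in changes:
        reasons = []
        if ticket is None:
            reasons.append("no change ticket")
        if old != 0 and abs(new - old) / abs(old) > max_rel_change:
            reasons.append(f"{param} moved {old} -> {new} (> {max_rel_change:.0%})")
        if reasons:
            alerts.append(Alert("sabotage", emp, ts, f"{asset}: " + "; ".join(reasons)))
    return alerts


def correlate(badge, integrity, window_minutes=60):
    """Pair each OT integrity alert with badge alerts for the same person within the window."""
    limit = window_minutes * 60
    return [
        (b, i)
        for i in integrity
        for b in badge
        if b.employee_id == i.employee_id and abs((i.when - b.when).total_seconds()) <= limit
    ]


if __name__ == "__main__":
    badge = badge_alerts(PACS, HR)
    integrity = integrity_alerts(OT_CHANGES)
    for a in badge + integrity:
        print(f"[{a.domain}] {a.employee_id} {a.when:%Y-%m-%d %H:%M} {a.detail}")
    for b, i in correlate(badge, integrity):
        print(f"CORRELATED {b.employee_id}: {b.detail} / {i.detail}")
```

Note what the 02:50 entry by e1004 does: nothing. Without an HR signal a night badge-in is just noise, which is the point of step 1; the same event from e1002, who is on notice, becomes an alert and is then tied to the untracked trip-threshold change eight minutes later. In a real deployment these joins would run inside the SIEM or UEBA platform rather than a script, and the window and percentage thresholds would be tuned per site and per asset.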
The Takeaway
We have solved the “easy” problem of data leakage.
The “hard” problems—sabotage, fraud, and foreign interference—are still waiting for us.
It’s time to turn the lights on in the other seven rooms of the house.
Further Reading
- Curwell, P. (2026). Stop Looking For The “Lone Wolf”: New Research Reveals 31% Of Malicious Insiders Don’t Act Alone
- Curwell, P. (2025). Understanding Insider Threat Modelling for Accurate Detection
- Walsh, F., and Gow, D. (2008). Société Générale uncovers £3.7bn fraud by rogue trader.
As published on LinkedIn.
DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers, experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader's own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.