A recent Cifas study delivered a finding that should stop any board conversation.
13% of employees at large companies have sold their corporate login credentials, or know someone who has. 43% of C-suite executives consider that behaviour justifiable.
This is not a story about a new threat. It is a story about a gap that has existed for years, that frameworks have addressed for years, and that organisations continue to carry. Because the way they approach cybersecurity was never designed to close it.
Insider risk is not primarily a technology problem. It is a governance and process problem. And the difference matters, because the solution to a technology problem looks nothing like the solution to a governance and process problem.
What Organisations Actually Do
Most organisations approach cybersecurity through three familiar workstreams.
They conduct compliance assessments, verifying that controls meet regulatory requirements, that documentation is in order, that the organisation can demonstrate adherence to the applicable standard or regulation.
They run security assessments, evaluating technical architecture, identifying vulnerabilities in systems and infrastructure, testing controls against known attack vectors.
They build remediation plans and roadmaps, prioritising what needs to be fixed, in what order, with what resources.
This is serious, necessary work. And across all of it, the human factor rarely appears as a formal risk category. Not as a structured process. Not as an accountability question. Not as something with a defined owner.
The assumption, rarely stated but consistently present, is that the organisation’s people are inside the perimeter. And the perimeter is what the assessment was designed to protect.
What the Numbers Actually Show
The Cifas finding is striking. But it does not stand alone.
The average annual cost of insider-related incidents reached $19.5 million per organisation in 2026, up 20% in two years. For large enterprises with over 75,000 employees, that figure rises to $24.6 million.
75% of those incidents are not malicious. They are driven by negligence, compromised credentials, and process failures. This is not a story about disgruntled employees stealing secrets. It is a story about an everyday workforce operating in environments where the controls around people are weaker than the controls around systems.
The regional picture adds another dimension. Verizon’s 2025 Data Breach Investigations Report shows that 29% of breaches in EMEA originate from internal actors, compared to 5% in North America. The difference is not cultural. It reflects stricter regulatory frameworks that require organisations to classify more incidents as internal.
And yet only 25% of organisations report having a mature insider risk programme with defined metrics and executive oversight.
The gap between the scale of the problem and the organisational response to it is not closing.
Where the Process Breaks Down
Insider risk does not emerge from a single failure. It accumulates across three distinct phases of the employment lifecycle, and most organisations have gaps in all three.
Before someone joins. Vetting processes rarely map to the level of access the person will hold. A candidate is screened for qualifications and references. The question of what systems they will access, what data they will handle, and what risk that access represents is rarely part of the same conversation. Access is granted based on role. Risk is assessed, if at all, after the fact.
While they are there. Most organisations have no systematic process for monitoring how employees behave over time. No defined signals that would indicate a shift worth investigating. No protocol for what happens when HR observes something that Security should know, or when Security sees an anomaly that HR context would explain. The two functions operate in separate frameworks, with separate vocabularies, and no defined moment where their information meets.
When they leave. Offboarding is the most consistently broken process in access governance. Credentials that should be revoked within hours remain active for days. Sometimes weeks. The employment ends. The access does not.
Each phase has a known control. Each phase is where organisations most commonly have nothing formal in place.
The Silo Nobody Owns
HR knows when someone is struggling. Security sees when access patterns change. Legal understands the liability exposure. Compliance tracks the regulatory requirements.
Each function owns a piece of the picture. None owns the full process.
This is not a failure of individual functions. Each operates within its defined scope, with its defined tools, reporting to its defined leadership. The problem is structural. The space between those functions, between hiring and access governance, between behavioural change and risk signal, between offboarding and deactivation, has no owner.
And in organisations where nobody owns a process, the process does not exist in any meaningful sense. It exists as a collection of assumptions. Each function assumes another has it covered. Nobody checks.
When an insider incident surfaces, the investigation typically reveals not a single point of failure but a sequence of moments where information existed, signals were visible, and no defined process connected them to a response.
The gap was not hidden. It was unowned.
What the Frameworks Already Know
This is not new territory. The controls exist. They have existed for years.
ISO 27001:2022 Annex A 6.1 addresses screening of personnel and relevant third parties before access to information and systems is granted. The control is explicitly preventive. Its purpose is to reduce insider risk before it materialises. Access, the standard states, should be based on suitability, trustworthiness, and risk, not urgency or convenience.
Annex A 6 goes further, covering the full employment lifecycle: terms and conditions that establish security responsibilities, a disciplinary process for policy violations, and defined procedures for termination and change of employment. The framework does not treat insider risk as a security operations question. It treats it as a people governance question.
NIST CSF makes the same point from a different angle. Relying on point-in-time human risk management, typically a consequence of checkbox compliance thinking, directly undermines the Identify and Protect functions of the framework. Both functions require a continuous, evolving understanding of the organisation’s risk environment. A one-time screening at hire and an annual awareness training do not constitute that understanding.
Both frameworks anticipated this problem. Both defined controls to address it. The question was never whether the knowledge existed.
The Question Organisations Are Not Asking
The Cifas research does not describe an unusual threat. It describes a predictable one.
When 43% of C-suite executives consider selling corporate credentials justifiable, the question is not whether insider risk exists in your organisation. The question is whether your organisation has a process designed to see it, and someone accountable for running that process.
Most do not. Not because the frameworks are unclear. Not because the statistics are ambiguous. But because insider risk sits in the space between functions, and the space between functions rarely has a named owner.
The organisations that close this gap do not start with a tool. They start with a question: who is responsible for this, end to end, across hiring, tenure, and offboarding? Not which department. Which person. With which mandate. Reporting to whom.
If your organisation cannot answer that question today, the gap is already open.
The Cifas number tells you how many people, in organisations like yours, have already walked through it.
Senad Džananović is a senior Cyber and AI Governance advisor with 20+ years of experience across Central and Eastern Europe. He works with boards, CISOs and risk managers to translate governance and regulatory requirements into systems that hold under audit, regulatory scrutiny and real incidents.