Insider Threat Investigations

When the threat already has access, we find it, quietly.

Data theft, sabotage, leaked secrets, and misuse of access by employees, contractors, and departing staff. Investigated discreetly by former FBI agents and attorneys, and documented for court. Licensed in New York State.

Former FBIAttorney LedLicensed in New York State

The Scale of the Problem

The person with the most access is the hardest to see.

Insiders already hold the keys, so the usual defenses look right past them. The figures below come from the largest ongoing study of insider risk.

$19.5M
average annual cost of insider risk
67 days
to detect and contain the average incident
47%
of incidents are malicious or involve stolen credentials
123%
rise in insider risk cost since 2018

Source: Ponemon Institute and DTEX, 2026 Cost of Insider Risks Global Report.

Who and What

Most insiders are careless. Plenty are not.

Negligence causes more insider incidents than anything else, but that is only part of the picture. Nearly half of all incidents involve a malicious insider or stolen credentials, which is deliberate wrongdoing that hides behind a legitimate login. Verizon reports that 60% of breaches involve a human element, whether a mistake, a stolen password, or misuse of access. Those are the cases that call for an investigation, not just an alert.

Where insider incidents come from
Negligence leads, but nearly half involve intent or stolen credentials.
Negligence · careless or mistaken staff53%
Malicious or criminal insider27%
Stolen credentials · outsider using a real login20%

Source: Ponemon Institute and DTEX, 2026 Cost of Insider Risks Global Report.

Why Speed Matters

The longer they have access, the more it costs.

The average insider incident takes 67 days to detect and contain, and only 13% are caught within the first month. That gap is expensive. An incident stopped inside 30 days costs a median of $14.2 million. Let it run past 90 days and that figure climbs to $21.9 million. Every week an insider keeps working undetected is a week of copied files, deleted records, and lost ground.

Average cost by how long the incident went undetected
Only 13% of incidents are contained within 30 days.
Contained within 30 days$14.2M
Average incident$19.5M
Runs past 90 days$21.9M

Source: Ponemon Institute and DTEX, 2026 Cost of Insider Risks Global Report.

Close to Home

In North America, the bill is even higher.

Insider risk is a global problem, but it lands hardest here. North American organizations carry the highest average cost of any region, well above the worldwide figure. For a business in New York, that is not a distant statistic. It is the going rate of a problem that starts with someone already on the inside.

Average annual cost of insider risk, by region
North American organizations carry the highest cost.
North America$24M
Global average$19.5M
Europe$18.6M

Source: Ponemon Institute and DTEX, 2026 Cost of Insider Risks Global Report.

What We Investigate

The cases we handle, and why they hide.

An insider threat is not always a villain. It can be a trusted engineer emailing source code to a personal account, a salesperson walking client lists to a competitor, a contractor with more access than the job required, or a departing employee cleaning out a shared drive on the way out. Because the person has legitimate access, standard controls read their activity as normal. That is exactly why these cases need a trained investigator rather than another dashboard.

The outside world plays a part too. Verizon reports that stolen credentials appear in 22% of breaches, which means an outsider can look exactly like a trusted employee once they are in. We investigate the malicious insider, the negligent one, and the outside actor operating under a stolen login, along with any overlap between them.

Data & IP theftTrade secret misappropriationDeparting employee exfiltrationMisuse of privileged accessSabotage & data destructionPayroll & expense fraudCollusion with outside actorsLeaks & unauthorized disclosure

Our Process

How an insider threat investigation works.

Every engagement is confidential and built to hold up if it ends in court or in front of a regulator.

01
Confidential consultation and scoping

We learn what you are seeing, define the questions that matter, and map the fastest path to answers, all under strict confidentiality.

02
Evidence preservation

We move quickly to secure devices, access logs, email, and file activity before anything can be wiped or overwritten.

03
Digital forensics and access analysis

We reconstruct what was accessed, copied, or sent, by whom and when, drawing on device, network, and account records.

04
Discreet field investigation and surveillance

Where the law allows, we corroborate the digital trail with lawful surveillance and fact development, including ties to competitors or outside actors.

05
Interviews and source development

We conduct structured interviews and develop sources to fill the gaps that records alone cannot.

06
Court-ready reporting and testimony

You receive a clear, defensible report, and when needed, expert testimony that stands up to cross examination.

Why Insight

Federal experience. Legal discipline. Evidence that holds.

Our team brings more than 70 years of combined investigative, intelligence, and legal experience to the private sector.

Former FBI and national security

Our investigators come from the FBI and national security backgrounds, trained in counterintelligence, insider threat, and complex data theft.

Attorney led, built for court

Attorneys guide every case, so the work meets the evidentiary standards a courtroom, arbitrator, or regulator will demand.

Licensed in New York State

We are fully licensed New York State investigators, working within state privacy and investigative law, including the limits on employee monitoring.

Discreet, neutral, defensible

We work quietly and report only what the evidence supports, which is what makes our findings hold up under scrutiny.

Questions

Common questions about insider threat investigations.

What counts as an insider threat?

It is anyone with legitimate access who harms the business through that access: an employee, a contractor, or a vendor. It covers deliberate acts such as data theft, trade secret theft, sabotage, and fraud, along with negligent exposure like mishandled files or a lost device. If someone on the inside is putting your data, systems, or reputation at risk, it is worth a look.

How do you investigate without alerting the person?

Discretion is the core of the work. We secure devices, logs, email, and file activity and build the case quietly before anyone is confronted, so evidence is preserved and the subject has no chance to cover their tracks.

Can you investigate a departing or former employee who took data?

Yes. A forensic review of company devices, accounts, email, and file, badge, and network activity can often show what was accessed or copied, when it happened, and where it went, including transfers to personal drives or a competitor.

Will your findings support termination or litigation?

That is the standard we build to from day one. Attorneys guide the process, evidence is preserved and documented properly, and our reports are written to support HR decisions, litigation, and cross examination, with expert testimony when it is needed.

The longer they have access, the more you lose.

Speak with a licensed New York State investigator today, in complete confidence. Former FBI, attorney led, and built for court.

Sources & Data

Ponemon Institute and DTEX Systems. 2026 Cost of Insider Risks Global Report. Figures include the average annualized cost of insider risk, time to contain, incident categories, and regional costs.
Verizon. 2025 Data Breach Investigations Report. Figures reflect the share of breaches involving a human element and the use of stolen credentials.
Statistics on this page reflect global and North American data as reported by the sources above.