Information on internal security breaches is notoriously difficult to obtain, until an incident makes it to the public domain. Most organisations deal with incidents in private to protect their brand image. Most suppliers don’t point out the security weaknesses of the latest feature they have delivered to a business. These approaches mask the number of risks and the scale of the overall threat.

Internal security risks can be broadly split into those that are accidental and those that are malicious.