The cybersecurity conversation has fixated on external threats while the enemy within has grown exponentially more dangerous. The 2025 Ponemon Cost of Insider Risks Global Report delivers a sobering reality check: organizations now spend an average of $17.4 million annually resolving insider incidents—up from $16.2 million in 2023. More alarming? Only 65% of organizations with insider risk management programs say it was their sole security strategy that prevented data breaches.
The traditional assumption that most ERP breaches originate from external hackers isn’t just outdated—it’s financially devastating.
Today’s insider threat landscape spans three distinct categories. Negligent insiders account for 56% of incidents at $484,931 per breach—employees who misconfigure systems, click malicious links, or fail to follow protocols. These aren’t malicious actors; they’re human beings making costly mistakes in increasingly complex ERP environments.
Malicious insiders represent 26% of incidents but inflict deeper damage at $648,062 per incident. These are employees who deliberately abuse their legitimate access, often remaining undetected for months while systematically extracting valuable data from SAP, Oracle, or other critical business systems.
Most concerning are compromised credentials: only 18% of incidents, yet the primary concern of 55% of organizations. This category has exploded with sophisticated state-sponsored operations, particularly North Korean IT workers infiltrating Western companies.
When KnowBe4 revealed they’d unknowingly hired a North Korean IT worker who immediately began loading malware, it exposed massive blind spots in traditional hiring and access controls. This wasn’t isolated—CrowdStrike discovered similar activity across 150+ customer organizations in 2024, with data theft in half those cases.
These operatives use stolen identities, AI-generated photos, and remote desktop tools to maintain cover for over a year while extracting intellectual property. A recent DOJ indictment revealed one scheme generated $866,255 from just 10 companies while infiltrating 64 total organizations over six years.
Most ERP systems operate on dangerous assumptions: legitimate credentials equal legitimate users, and actions a user is authorized to perform are always legitimate. This creates multiple failure points that sophisticated threats exploit systematically.
- Excessive privileges remain endemic. Organizations grant broad access for administrative convenience, creating toxic combinations where single users can create vendors, approve payments, and modify records. Traditional role-based access controls see individual authorized actions, missing dangerous cumulative effects.
- Segregation of duties monitoring typically focuses on initial setup rather than ongoing compliance. Users accumulate access through role changes and temporary assignments, creating dangerous privilege combinations that persist undetected. Advanced solutions now analyze access risks across all business applications down to the lowest securable object, enabling cross-application SoD management that traditional siloed approaches miss.
- Data-level visibility gaps represent the most critical weakness. Organizations spend $211,021 on containment but only $37,756 on monitoring—a reactive approach discovering breaches only after significant damage. Modern solutions employ behavioral analytics and risk quantification analyzing actual transaction patterns, not just permission structures.
- Time-based vulnerabilities compound every weakness. The average containment time is 81 days, and incidents that take more than 90 days to contain cost $18.7 million versus $10.6 million for those contained within 30 days.
Consider how modern threats bypass traditional controls: a finance manager with legitimate accounts payable access also has emergency vendor master data access. During month-end, they create fake vendors, approve payments, and delete records, all within authorized permissions. Traditional systems see only authorized actions by authorized users.
Remote developers gradually copy customer data to personal cloud storage over months. Each action appears normal individually, but collectively represents massive intellectual property theft. Without behavioral analytics establishing normal patterns, this systematic exfiltration remains invisible.
The solution isn’t abandoning traditional access controls but augmenting them with comprehensive insider risk management. Organizations need visibility into actual usage patterns, timing anomalies, and contextual behaviors indicating potential threats.
What this means for ERP Insiders
Implement cross-application segregation of duties monitoring. Traditional SoD controls within individual ERP systems miss enterprise-wide risk exposure. Cross-application analysis identifies toxic privilege combinations spanning multiple systems. Organizations implementing comprehensive SoD monitoring report 373% ROI through streamlined access management. Solutions like Fastpath Access Control analyze risks across thirty different business applications, trusted by over a thousand customers and leading audit firms. Deploy automated tools analyzing real-time privilege combinations across your entire technology stack.
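The toxic-combination check described above, as an added example that is not the article's or any vendor's code: it contrasts the per-action authorization check a traditional system performs with a rule-based check over a user's combined entitlements, including a rule that spans two applications. Users, applications, securable objects and rule names are all constructed.

```python
# Added example (not the article's or a vendor's code): cross-application SoD conflict
# detection over constructed entitlement data. Application names, securable objects and
# rule names are constructed for illustration.
from collections import defaultdict

# Constructed: user -> entitlements (application, securable object) accumulated through
# roles, role changes and temporary assignments across two business applications.
ENTITLEMENTS = {
    "fin_manager": [("SAP", "VENDOR_MASTER_CREATE"), ("SAP", "AP_INVOICE_APPROVE"),
                    ("SAP", "PAYMENT_RUN_DELETE")],
    "ap_clerk": [("SAP", "AP_INVOICE_ENTER"), ("SAP", "VENDOR_MASTER_DISPLAY")],
    "contractor": [("Workday", "SUPPLIER_CREATE"), ("SAP", "AP_INVOICE_APPROVE")],
}

# Constructed SoD rule set: holding every entitlement in a rule's set is a violation.
# A rule may span applications, which a per-system SoD check cannot see.
SOD_RULES = {
    "CREATE_VENDOR_AND_APPROVE_PAYMENT": {("SAP", "VENDOR_MASTER_CREATE"),
                                          ("SAP", "AP_INVOICE_APPROVE")},
    "CROSS_APP_CREATE_SUPPLIER_AND_APPROVE": {("Workday", "SUPPLIER_CREATE"),
                                              ("SAP", "AP_INVOICE_APPROVE")},
    "APPROVE_AND_DELETE_PAYMENT_RECORDS": {("SAP", "AP_INVOICE_APPROVE"),
                                           ("SAP", "PAYMENT_RUN_DELETE")},
}

def is_authorized(user, app, obj, entitlements=ENTITLEMENTS):
    """The traditional per-action check: each action on its own looks legitimate."""
    return (app, obj) in entitlements.get(user, [])

def find_sod_violations(entitlements=ENTITLEMENTS, rules=SOD_RULES):
    """Return {user: [rule, ...]} for users whose combined entitlements hit a rule."""
    violations = defaultdict(list)
    for user, grants in entitlements.items():
        held = set(grants)
        for rule, required in rules.items():
            if required <= held:          # user holds every side of the conflict
                violations[user].append(rule)
    return dict(violations)

def suggest_removal(user, entitlements=ENTITLEMENTS, rules=SOD_RULES):
    """Pick the single entitlement whose removal clears the most of the user's conflicts."""
    held = set(entitlements[user])
    broken = [req for req in rules.values() if req <= held]
    if not broken:
        return None
    return max(held, key=lambda e: sum(e in req for req in broken))

if __name__ == "__main__":
    for user, hits in find_sod_violations().items():
        print(user, hits, "-> consider removing", suggest_removal(user))
```

Every individual action of the finance manager passes `is_authorized`, while `find_sod_violations` reports two conflicts for that account and one cross-application conflict for the contractor.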
Deploy AI-powered behavioral analytics for anomaly detection. Over half of companies now use AI for insider threat detection, with 51% considering machine learning essential. Modern solutions establish behavioral baselines and flag anomalous patterns—unusual access times, abnormal data transfers, privilege escalation attempts. Risk quantification capabilities analyze financial exposure based on actual transaction patterns from system audit trails. Implement behavioral analytics moving beyond traditional access logs to pattern recognition and contextual analysis.
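The gradual copying of customer data described earlier, where each day's transfer looks normal on its own, is the case a per-event check misses. As an added example (not the article's or any product's code), the block below learns a baseline from constructed daily export volumes for one account, then runs a per-day z-score check beside a one-sided CUSUM detector that accumulates small excesses over the baseline; the volumes, baseline length and thresholds are all constructed assumptions.

```python
# Added example (not the article's code): per-event z-score check beside a cumulative
# (one-sided CUSUM) detector over constructed daily export volumes for one account.
import statistics

# Constructed: MB per day copied by one developer account to external storage.
# Days 0-9 form the learned baseline; days 10-19 show a slow, low-and-slow creep.
DAILY_EXPORT_MB = [40, 60, 45, 55, 50, 58, 42, 52, 48, 50,
                   58, 62, 60, 64, 61, 63, 62, 65, 60, 64]
BASELINE_DAYS = 10

def learn_baseline(series, n):
    """Mean and population std-dev of the first n days (the behavioral baseline)."""
    window = series[:n]
    return statistics.mean(window), statistics.pstdev(window)

def per_event_flags(series, mu, sigma, z_threshold=3.0):
    """Traditional check: flag only days that are individually extreme."""
    return [i for i, x in enumerate(series) if (x - mu) / sigma > z_threshold]

def cusum_first_alert(series, mu, sigma, k_sigma=0.5, h_sigma=4.0):
    """One-sided CUSUM: add each day's excess over (mu + k), never below zero, and
    alert when the running sum crosses h. Returns (alert_day or None, running sums)."""
    k, h = k_sigma * sigma, h_sigma * sigma
    s, sums, alert = 0.0, [], None
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu - k))
        sums.append(round(s, 2))
        if alert is None and s > h:
            alert = i
    return alert, sums

def analyze(series=DAILY_EXPORT_MB, n=BASELINE_DAYS):
    """Compare what the two detectors see on the same series."""
    mu, sigma = learn_baseline(series, n)
    alert, sums = cusum_first_alert(series, mu, sigma)
    excess = None if alert is None else sum(series[:alert + 1]) - (alert + 1) * mu
    return {
        "baseline_mean": mu,
        "baseline_std": round(sigma, 2),
        "per_event_flags": per_event_flags(series, mu, sigma),   # expected: none
        "cusum_alert_day": alert,                                 # expected: day 13
        "excess_mb_at_alert": excess,                             # MB above baseline so far
        "cusum_sums": sums,
    }

if __name__ == "__main__":
    print(analyze())
```

No single day exceeds three standard deviations, so the per-event check stays silent, while the cumulative detector raises an alert on day 13, after four days of creep.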
Establish zero-trust identity lifecycle management. Mature security programs utilize automated provisioning with integrated SoD and critical access checks as preventive controls. This becomes crucial given sophisticated threats like North Korean operatives maintaining cover for 14+ months. Automated workflow-driven processes with continuous verification prevent risks from entering systems initially. Implement provisioning requiring justification for every access request, automated background verification for remote workers, and continuous monitoring throughout employee lifecycles.