March 2026 Insider Threat Report
When deal teams think about data leaks, they picture external attackers — sophisticated hackers breaching firewalls, nation-state actors targeting Fortune 500s, ransomware gangs encrypting data rooms. The reality is more mundane and more dangerous: most deal data leaks come from people who already have legitimate access.
Based on our work with enterprise customers and analysis of incident reports across the M&A and fundraising industry, here are the six insider threat patterns we see most often, the warning signs security teams miss, and the controls that actually prevent leaks.
1. The Departing Employee
The most common insider threat pattern: an employee who is about to leave the company (resignation, termination, end of contract) copies sensitive documents before their access is revoked.
**How it happens:**
Employee accepts a role at a competitor or starts their own companyIn their final weeks, they systematically download or screenshot documents from the data roomThey use these documents to inform strategy, source clients, or build competing productsAccess is finally revoked on their last day — but the damage is done**Warning signs:**
Sudden spike in document downloads in the weeks before resignationAccess to documents outside the employee's normal scopeDownloads during off-hours or from unusual locationsUse of personal devices for access**Controls that work:**
Immediate access revocation on resignation notice (not last day)Download and printing restrictions with dynamic watermarkingReal-time alerts on bulk download activityRegular access reviews during the employee tenure2. The Curious Insider
Not malicious — just curious. The employee who reads documents they do not need for their job, often because the document is interesting or they want to be in the know.
**How it happens:**
Data rooms are organized by workstream but access is often broader than necessaryAn employee stumbles into a sensitive document (e.g., executive compensation, layoff plans, undisclosed financial issues) while looking for something elseThey share what they found with colleagues, sometimes innocentlyThe information spreads beyond the original deal team**Warning signs:**
Access to documents with no clear business purposeLong viewing sessions on documents outside the employee's roleQ&A activity in workstreams the employee is not assigned to**Controls that work:**
Principle of least privilege: give each user only the access they needClear data classification: tag documents by sensitivity and restrict accordinglyBehavioral analytics: flag unusual access patternsJust-in-time access: grant access only when needed, revoke after3. The Well-Intentioned Sharer
The employee who shares documents with colleagues or external parties because they think it will help — without understanding the access controls or sensitivity.
**How it happens:**
Employee downloads a document to work on it offlineThey share it via email, Slack, or personal cloud storage to collaborateThe document is now outside the VDR's security controlsSometimes the employee does not realize the document is sensitive; sometimes they do**Warning signs:**
Documents appearing in email or external storageWatermarks showing the user's identity on leaked documentsDownloads followed by access from new locations or devices**Controls that work:**
Disable download by default; require justification for download accessDynamic watermarks that identify the user on every pageDLP (Data Loss Prevention) tools that block sensitive content from leaving the VDRTraining on document handling and confidentiality4. The Compromised Account
The employee whose account credentials have been compromised through phishing, credential stuffing, or other means — and the attacker now has the same access as the employee.
**How it happens:**
Employee's credentials are phished through a targeted attackAttacker logs in as the employee and accesses the data roomAttacker downloads documents, escalates privileges, or moves laterallyThe employee may not realize their account is compromised for days or weeks**Warning signs:**
Logins from unusual locations or devicesActivity during off-hoursFailed login attempts followed by successful loginSudden changes in access patterns**Controls that work:**
Phishing-resistant MFA (FIDO2 hardware keys, not SMS)IP whitelisting to limit where logins can occurDevice binding: only pre-registered devices can access the VDRReal-time anomaly detection and alertingRegular credential rotation5. The Departed User's Lingering Access
The user whose access was not properly revoked when they left the organization — whether through a contractor, M&A advisor, or even an internal team member.
**How it happens:**
User completes their work on the deal and disengagesTheir VDR access is not revoked because no one tracks who is "active"Months later, the user (or someone who acquired their credentials) accesses the data roomDocuments from a long-completed deal are exfiltrated and used for new competitive purposes**Warning signs:**
Users with active access who have not logged in for 60+ daysUsers from completed deals or projects who are still in the data roomDeparted employee accounts that have not been deactivated**Controls that work:**
Time-limited access: VDR access automatically expires after 90 daysRegular access reviews: quarterly review of all active usersAutomatic deprovisioning: integrate VDR with HR systems for instant offboardingContractor management: explicit start and end dates for all external users6. The Third-Party with Excess Access
The external party (lawyer, accountant, consultant) who was granted broad access to facilitate their work — and who later uses that access for purposes beyond the original engagement.
**How it happens:**
External advisor is given broad access to support diligenceEngagement ends, but access is not revokedAdvisor moves to a new role (or new client) and uses the old accessDocuments from a prior deal inform strategy in a new engagement**Warning signs:**
External users with broad access to multiple workstreamsExternal users accessing documents after engagement endsExternal users sharing access with colleagues at their firm**Controls that work:**
Scoped access for external parties: limit to specific workstreamsNDA enforcement: track acceptance of NDAs as a precondition for accessTime-limited external access: auto-expire after engagement endsActivity monitoring: external access is logged and reviewedThe Common Thread
Notice what is missing from this list: external hackers, sophisticated nation-state attackers, ransomware gangs. Those exist, but they are not the primary threat. The primary threat is people who already have access — by design.
This is why the most effective insider threat controls are not exotic security tools. They are:
**The principle of least privilege**: give each user the minimum access they need**Time-limited access**: automatically expire access that is no longer needed**Behavioral monitoring**: detect unusual access patterns in real-time**Dynamic watermarking**: identify the source of any leaked document**Strong authentication**: phishing-resistant MFA on all accounts**Regular access reviews**: quarterly review of all active usersWhat VDR Providers Should Be Doing
A modern VDR should make these controls easy to implement:
**Granular permissions** at the user, group, folder, document, and page level**Time-based access expiration** that can be set per user or per group**Real-time alerts** on bulk downloads, unusual access patterns, and policy violations**Dynamic watermarking** with viewer identity, IP address, and timestamp**Phishing-resistant MFA** with FIDO2 hardware key support**SSO integration** with automatic user provisioning and deprovisioning**Comprehensive audit logs** that capture every access event for forensic analysis**IP whitelisting and device binding** for high-sensitivity transactionsWhat Deal Teams Should Be Doing
The VDR provides the controls, but the deal team has to use them:
**Apply the principle of least privilege** rigorously: every user should have the minimum access they need**Review user lists regularly**: at least monthly, remove anyone who does not need access**Use time-limited access for external parties**: every external user should have an explicit end date**Monitor alerts**: configure real-time alerts for bulk downloads and unusual access**Conduct security training**: ensure all deal participants understand the threats and the controls**Test your response**: run tabletop exercises for insider threat scenariosThe Bottom Line
The insider threat is the data leak that no one talks about — but it is the most common, the most preventable, and the most damaging. The good news is that the controls are well-understood and widely available. The challenge is the discipline to apply them consistently.
Deal teams that win in 2026 are the ones that treat insider threat prevention as a foundational security discipline — not a checkbox exercise. The VDR is a critical tool, but it is only as secure as the access controls and monitoring around it.
[Request a security review →](/demo) | [Read the VDR security FAQ →](/faq/vdr-security) | [See SpaceNexus security features →](/features/security-compliance)