This type of statement has become law in the security community, but I feel it's slightly misleading to the uneducated. The insider is only the biggest threat because security has been applied to the perimeter in a massively disproportionate amount to what's applied internally. Security is often not as rigorous on the inside because it often impedes a company's business operations. It's much easier for companies to dump millions on firewalls and VPNs than to spend much less on systems that you're going to buy anyway with better access control. It's also much cheaper to enforce stricter policies on their users, but it will still come at the cost of potentially slowing down the business. For instance, compare the cost of buying a brand new pair of enterprise-class firewalls to the cost of buying more drive space for retention and aggregation of logs, or turning up a tighter password policy on your network. I think the simple fact of the matter is that if companies spent more money on internal controls and small amounts on perimeter controls, we would have a different story. Which is the bigger threat: unrestricted access for any and all outsiders, or unrestricted access for employees?