What IS surprising ...
> The report says staff can cause more damage to organisations than external attackers.
... is how little abuse there is.
Given that any sysadmin worth his / her / its salt can do pretty much anything and not be detected, or that they can hack the detection to cover their tracks, why is there so little advantage taken of this ultimate power?
Apart from the oh-so-boring opportunities to sell state secrets to the baddies (or to give them away to the good guys, depending where you work), almost all the naughtiness we experience is some twerp somewhere selling lists of email addresses for the price of a beer.
Where's the wholesale reading of the CEO's email to warn of future restructuring?
Where's the "checking" of the finance department's databases for insider trading gains?
Where's the planting of nasty pictures on the boss's computer to get the promotion when they are arrested and jailed?
How come so few disaffected fire-ees don't "take out" that one single, critical machine when they are let go?
Surely someone must have considered adjusting their HR file to improve their company image?
I don't believe that every instance of IT badness gets discovered, fixed and the perpetrator then gets kicked out without a fight. Apart from anything else, some industries are legally obliged to report incidents of fraud. So are we really such an honest lot that everyone plays nicely? Are we all so afraid of being caught that even thinking of stepping out of line makes us break out in a sweat? Are we all so good at doing these things that none are ever caught and sanctioned?
I find all of those possibilities equally implausible. So the only alternative (almost as unlikely) is that we're all quite happy with our lot and don't seek additional gain, promotion, revenge or professional advantage. That would surely make IT the most honest group of professionals in the world.