Truly malicious internal threats can often be treated much like external threats using the tools and backups already in place. But how does a firm proactively identify the softer threats — which may be just as dangerous as the malicious threats and can cripple a firm just as effectively?