Real-time web and mobile event analytics tools, such as the DetACT solution pictured above from the Delft, Netherlands-based Fox-IT, can help fight insider fraud.
Keeping pace with cybersecurity has never been more difficult for credit unions. And while many successfully mitigate external attacks, the most serious threats now may come from inside the organization.
As breaches continue to cause significant financial damage to organizations, security strategies are shifting from the traditional perimeter defenses to developing a holistic understanding of what is causing the damage and where organizations are exposed, Dr. Eric Cole, fellow at the Bethesda, Md.-based SANS Institute, revealed in a SANS Survey titled "Insider Threats and the Need for Fast and Directed Response."
Although many attacks originate from an external source, those that come from within often cause the most damage, Cole said in the SANS report, sponsored by the Vero Beach, Fla.-based SpectorSoft. This is because insiders have unfettered access to sensitive data, as well as the means, methods and motives to access information virtually undetected. Almost three-quarters (74%) of SANS survey respondents said they are most concerned about negligent or malicious employees who might pose insider threats.
There are two broad categories of insider threats. One involves malicious insiders, who make a conscious decision to deliberately cause harm to an organization. The second involves accidental or negligent insider threats, which derive from individuals who are manipulated to undo security practices or allow breaches through the improper handling of data, systems and networks.
"We adopted and leveraged our technology without fully being prepared for all the risks," Chris Coleman, CEO at the Baltimore, Md.-based Lookingglass Cyber Solutions, said. "The threat has always been there, the difference is the adversaries have become much more aggressive in trying to take advantage of these things because our society and economic base has grown to depend on electronic communication."
One concern is that most of the victimized organizations have had next generation firewalls and advanced malware detectors in place, and yet they were still breached, Feris Rifai, founder and CEO for the San Francisco, Calif.-based Bay Dynamics, explained.
"Now [cyberthieves] are looking at real user behavior, they are looking at how that user interacts with the company's information on the inside," Rifai said.
While all industries are being targeted with malicious messages, the Sunnyvale, Calif.-based Proofpoint revealed in its report "The Human Factor 2015" that banking and finance is the most frequently targeted industry, receiving 41% of malicious messages.
The good news is that organizations are starting to recognize the importance of protecting against insider threats, but unfortunately, smaller organizations struggle to develop provisions for responding to them, experts said.
Social engineering is not a new method of fraud – the Depression-era bank thief John Dillinger succeeded at his sophisticated schemes, which ranged from posing as a bank alarm system salesman to pretending to film a bank robbery scene in order to stake out potential bank targets. Today the schemes have changed, but the goal is the same: Get to the money.
Proofpoint's report said that in 2014, widespread user edification led to heightened awareness of the phishing threat and allowed personnel to recognize the most common scams, such as social media invites, and become more wary of unsolicited messages. The result was a 94% year-over-year decrease in the effectiveness of social media invitation email lures.
In response, however, 2014 was the year attackers "went corporate," making explicit shifts in their approach to exploit middle management and exfiltrate cash. By the end of 2014, cybercriminals were targeting subtly different user populations and employing tactics that looked very different from what users and automated defenses had learned to recognize.
According to Proofpoint, there have been significant increases in the use of email attachments, and attacks that mix high-volume, long-line campaigns with strategic web compromises, attachment-based campaigns, and corporate communication and financial email lures.
Organizations' inability to detect and respond to these threats is providing them with fuel, Rifai suggested.
"One of the main problems is that the attacks are moving away from malware and to just stealing credentials," he said.
For example, in April, IBM revealed The Dyre Wolf scheme, a sophisticated bank funds transfer scheme that used a mixture of phishing, malware and phone calls to appropriate large sums of money from U.S. companies. The Dyre Wolf campaign remained undetected by the majority of anti-virus products.
In the old days, criminals would utilize malware attacks to complete the entire process. But in 2015, criminals are completing at least a portion of their attacks manually, Eward Driehuis, product manager of cyber intelligence for the Amsterdam, Netherlands-based Fox-IT, explained.
"We're calling that the hybrid approach, which involves social engineering," Driehuis said. "Dyre is an example of a hybrid attack."
The actual stealing of the money is still a manual process. During each theft, criminals open up a browser, start a transaction and sign the transaction using stolen credentials. Driehuis said he believes manual attacks result in fewer losses than automated ones do, but criminals maintain a higher success rate using stolen credentials.
"You have to be proactive and understand who you are communicating with on the Internet, what kind of risk those communications have and whether you are communicating with an entity that could target your environment," Coleman said.
Despite the known risks, financial institution employees still click on sketchy links, with one out of every 25 individuals succumbing to the bait, according to Proofpoint.
"Every department and industry is still at risk (though financial industries and sales and marketing continue to be the top target areas); and attackers continue to shift tactics to play on human weaknesses as they siphon money and data from organizations," the report stated. No organization observed by Proofpoint was able to eliminate malicious link clicks.
Security is not a one-person problem, Ron Gula, CEO for the Columbia, Md.-based Tenable Network Security, suggested.
"The Internet and IT in general is so complex, it is kind of difficult for one human or humans to understand where your biggest risks are at," Gula said. "When you add that up, you have what you have today – lots of compromises, lots of breach disclosures, lots of people wondering what it means to be secure."
Coleman added that every financial institution is at risk, even the smaller ones.
"Low hanging fruit is a target of opportunity," he said. "Everybody is a target and you have to wake up each day to make sure you are doing the best you can to defend your constituents and their funds. We need to get back to how as an enterprise, whether it be a credit union, a small bank, a large bank or a government, we can best put our technology together with the people to make them very efficient at doing their jobs. You cannot rely on technology alone to solve this problem."
The voracity and impacts of attacks have become so bad in the last two years that organizations don't even care about being compliant – they just want security, Gula pointed out. On a positive note, many organizations have implemented vulnerability and patch management, as well as penetration testing.
Gula advised credit unions to look at continuous network monitoring as the best bang for their buck.
"Chances are, they've invested in some security technology, antivirus software and sandboxes, but those technologies were not designed to work together," Gula emphasized. "Unless you holistically look at your whole network, you are not going to figure out where your risks are. That is what network monitoring is about."
He added that the information security environment is a challenging one these days.
"With new and increasing threats every day, staying ahead of risks can feel like treading water," he said. "There's always a new vulnerability to address, a patch to apply, security tools to research and defenses to update. But being defensive is not a sound security plan. It's imperative to be strategic and get ahead of attackers."
Because they perceive insider threats as a "people" problem, many organizations rely heavily on administrative solutions such as policies and procedures to deal with the problem, but the SANS report suggested that in order for a solution to be effective, it must integrate people, processes and technologies.