Did you read the article?

With many companies still looking outward and only deploying protection at the perimeter, it's possible that many internal issues, between local domains, may not even have been picked up. If they were picked up then it may have been by a manual process inside the company (audit?) and not made known to the Verizon technologies deployed. Internal threats and issues tend to carry a greater possibility of reputaitonal damage, so if discovered internally they may have been hushed up?

which came first the chicken or the egg? common sense dictates that external breachs are many times the work of internal persons. after all it only makes sense to learn the system and then hack from the outside rather than internally. particularly if you have insiude info.

"I am going to have to rethink my long-held stance – originating in the 1980s – claiming that the bulk of the threats to information systems are internal."

I have worked in the industry for 15 years and let me tell you the internal sources are few but result in way more damage than the external ones.

Well don't you also want to focus the scientific lense of doubt on the Verizon study as well? In another section of the report regarding compromised data they state that the kind of forensics work they do skews the results. Internal investigations probably find the "evil insider" easier so no recourse to folks like Verizon.

Consider too the possibility that insider data breaches may be labeled as something else: theft, misuse of authority, data corruption, data destruction etc. "When an outsider attacks, it's a security incident; when a insider attacks, it's bad behavior."