Techniques for detecting suspicious file access requests indicative of potential insider threats are described. A suspicious access detection module (SADM) determines, based on access data describing a access requests issued on behalf of multiple users, groups of the users having similar patterns of accesses to folders, a set of the folders accessed by each of the user groups, and ones of the user groups that are to be considered nearby others of the user groups based on having a threshold amount of folder access similarities. The SADM causes an alert to be generated responsive to a determination that a subsequent access request is suspicious because it accesses a file of a folder that is not within the set of accessed folders of the issuing user's user group, and because the folder is not within the sets of accessed folders of any nearby user groups.