Usually, the most efficient route into an organisation isn’t through the firewall. As firms pour investment into perimeter defences and external threat detection, the threat from inside the organisation is quietly rising. Recent research shows both malicious and negligent insider incidents are rising equally fast.
But the figures alone don’t capture how brazen the threat has become. The Medusa ransomware gang’s attempt to recruit BBC cyber correspondent Joe Tidy in 2025, offering escalating cuts of a ransom, shows adversaries are willing to target almost anyone if they are positioned to bypass technical defences.
Legitimate access makes these threats uniquely difficult to combat. There’s no evidence of forced entry or an unfamiliar face in the system raising alarms. Instead, the challenge for organisations is distinguishing between normal activity and something more sinister.
At the same time, the motivations behind insider threats vary widely. Some might be acting for financial gain, out of grievance or driven by ideology. Others could be drawn in through blackmail, coercion or social engineering, often without fully understanding the consequences. And there are always unwitting insiders: people taking convenient but insecure shortcuts, those who act irresponsibly, or employees who simply are not trained well enough to recognise risk.
Ultimately the consequences are the same: a leaked file is still leaked whether through malice or mistake. But understanding that spectrum, and how adversaries exploit it, can help build defences. To start, how do attackers identify targets? Social media sites like LinkedIn, with their publicly visible job titles, reporting lines and organisational structures, allow adversaries to identify and approach potential targets, all free of charge.
The same visibility extends to an organisation’s supply chain. Suppliers, contractors and partners often have trusted access to their customers’ systems, data or operational processes. That makes their employees, accounts and credentials attractive targets for insider threat and social engineering campaigns, with the potential for compromise to cascade across a wider customer ecosystem.
Countering insider threats starts by recognising that the responsibility isn’t cyber security teams’ alone. Human, behavioural and organisational challenges all need to be overcome, meaning shared responsibility across security, HR, legal, compliance, leadership and line management.
The security profession’s role is not just to detect and defend against insider threats, but to help broaden ownership across the business. Professional standards, education programmes and communication are the mechanisms for building a culture where people are supported, aware and harder to target. The cracks show before the wall breaks, and organisations need to get better at recognising the behavioural shifts and warning signs that precede insider incidents. Missing a mortgage payment, a promotion that never came, a growing sense of being unfairly overlooked – these are the kinds of pressures that quietly shift someone’s relationship with their employer. And they generate the kinds of signals organisations need to learn to read.
CIISec’s member resources and Need to Know Guides can give practitioners at any level the tools to start building this kind of awareness into their organisations, with accessible resources and development pathways that don’t require years of experience to engage with. The profession cannot firewall its way out of insider risk, because technical controls only go so far when the threat already has a key to the front door and a login. Protecting people will help to harden your organisation against insider threats by making employees more difficult for cybercriminals to find, target and recruit. Building a caring, empathetic, educated cyber culture is a defensive strategy in its own right.