
Insider threats continue to have organisations on high alert, affecting over 34% of businesses globally every year, a financial services firm says.
Heligan Group said that 66% of companies recently surveyed believed insider attacks to be more likely than an external attack.
The threat from insiders can broadly be categorised into unintentional and intentional, it added. A malicious insider falls into the latter category: anyone with legitimate access to an organisation's assets who exploits their position for unauthorised purposes. The risk comes not just from employees but also from contractors, partners and suppliers.
The British Museum was plagued by an insider cyber-attack in January, in which a dismissed IT contractor entered the premises and deactivated core IT systems. X also suffered a mass data leak in April, exposing user data for more than 2.8 billion accounts, which was the work of an alleged ex-employee who stole data during a period of redundancies.
Will Ashford Brown, Director of Strategic Insights at Heligan Group, said:
“The majority of insider breaches are not malicious but are a result of staff performing their jobs, but taking shortcuts to be more efficient. Ironically, this is mainly due to restrictive security measures to protect against the threat of compromise. A classic example is a member of staff who writes all their passwords on a post-it note under their keyboard or at the back of their notebook because IT policy means they must enter a separate, complex, 14-character-long password to access each of the various systems they need to do their job.”
Organisations must therefore distinguish between staff who adopt insecure workarounds because security policies conflict with business requirements and staff who are genuinely malicious insiders. The mitigations differ by threat type, but both are real insider threat challenges.
“As organisations implement increasingly sophisticated physical and cyber security measures to protect their assets from external threats, the recruitment of insiders becomes a more attractive option for those attempting to gain access”, added Will.
“If this is sponsored or directed by foreign state actors, then there is a strong chance that the incident would fall under the UK’s relatively new National Security Act 2023, which governs the nation’s response to acts of espionage, including commercial espionage.”
The UK currently has multiple government departments and agencies combating insider threats and actively working on mitigations. The NPSA (National Protective Security Authority) stands out from the crowd, producing a comprehensive framework for mitigating the insider threat based on research in physical security processes, behavioural science and critical infrastructure protection, said Heligan Group.
Will continued:
“While following a framework like the NPSA’s doesn’t guarantee fail-safe security from the threat of malicious or unwitting insider activity, it does provide a far greater depth of protection and fosters a strong security culture and a sense of ownership and responsibility for acting against insider threats.
“UK organisations must ensure that their offboarding processes are watertight, as those responsible for insider threats will know their systems inside and out. Disgruntled employees will be aware of every loophole available and must have their access revoked as soon as their employment has been terminated. Insider cyber threats have continued to surface in 2025, and organisations have to be on guard.”
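One practical check for the offboarding gap described above, added here as an illustrative example rather than anything from Heligan Group or the article: reconcile HR leaver dates against an identity-provider account snapshot and flag any leaver (employee or contractor) whose account is still enabled past a short grace period, or which has been logged into after the termination date. The record layouts, field names and sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real records).
# HR feed: user id -> termination date (ISO 8601).
HR_LEAVERS = {
    "jsmith": "2025-03-14",
    "contractor_ab": "2025-01-10",   # contractors are leavers too
    "mlee": "2025-04-02",
}
# Identity-provider snapshot: account status and last successful login.
IAM_ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "last_login": "2025-03-20"},
    {"user": "contractor_ab", "enabled": False, "last_login": "2025-01-09"},
    {"user": "mlee", "enabled": True, "last_login": "2025-03-30"},
    {"user": "kwong", "enabled": True, "last_login": "2025-04-05"},
]


def find_offboarding_gaps(leavers, accounts, now, grace_hours=24):
    """Return {user: [issue, ...]} for leavers whose access was not revoked.

    "still_enabled": account enabled more than grace_hours after termination.
    "login_after_termination": a successful login after the termination date,
    which points at both a revocation failure and possible misuse.
    """
    by_user = {a["user"]: a for a in accounts}
    gaps = {}
    for user, term_date in leavers.items():
        term = datetime.fromisoformat(term_date)
        acct = by_user.get(user)
        if acct is None:
            continue  # no account in this directory; nothing to revoke here
        issues = []
        if acct["enabled"] and now - term > timedelta(hours=grace_hours):
            issues.append("still_enabled")
        last_login = acct.get("last_login")
        if last_login and datetime.fromisoformat(last_login) > term:
            issues.append("login_after_termination")
        if issues:
            gaps[user] = issues
    return gaps


if __name__ == "__main__":
    for user, issues in find_offboarding_gaps(
        HR_LEAVERS, IAM_ACCOUNTS, now=datetime(2025, 4, 10)
    ).items():
        print(f"{user}: {', '.join(issues)}")
```

In a real deployment the two inputs would come from the HR system and the identity provider on a schedule, and each finding would be routed to the team that owns the revocation step.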