People are often described as one of the biggest security threats to any organization. At first glance, it would be hard to argue with such a sweeping statement.
Whether the result of malice or negligence, the ‘human element’ featured in around 60% of data breaches over the past year, according to Verizon. A recent spate of attacks targeting corporate Salesforce instances highlights the evolving nature of the social engineering threat – and just what’s at stake.
The challenge for CISOs is that insider risk is not just about negligence. Those intent on wrongdoing are usually harder to spot and exact a much heavier toll on their employer. To coincide with International Insider Threat Awareness Month, we take a look at what CISOs can do to push back the tide.
Insider Risk Management Challenges
Poor security practice is a significant part of the insider risk management challenge. Verizon claims credential abuse (22%) and phishing (16%) were among the top three initial access vectors for breaches over the past year.
A recent Proofpoint Voice of the CISO report chimes with these findings. Some 60% of CISO respondents claimed staff are their greatest corporate cybersecurity risk – the number one cited response. Nearly a third of UK organizations (30%) still lack dedicated insider risk resources, it warns.
However, the risk from malicious insiders is not to be underestimated. A 2024 Cybersecurity Insiders report revealed that the share of organizations reporting no insider “attacks” fell to 17%, from 40% the year before. The number experiencing 6-10 attacks nearly doubled from 13% to 25%, while those reporting 11-20 attacks surged from 4% to 21%.
This could be an expensive trend for corporates. Malicious insider attacks result in the highest average data breach costs: $4.9m versus $4.4m, according to IBM research. A separate report from DTEX used slightly different criteria, and estimated the total cost of insider security incidents at $17.4m – up 7% from 2023. The rise is explained mainly by increased spend on containment and incident response.
How to Identify an Insider Threat
The challenge for CISOs is that AI technology is empowering even low-skilled threat actors to create and deploy large-scale and highly convincing social engineering campaigns. The National Cyber Security Centre (NCSC) warned as much in its latest report. On the other hand, a new breed of English-speaking threat actors – usually referred to as members of ShinyHunters, Lapsus$ or Scattered Spider – are causing havoc with more targeted efforts.
Recent incidents involving Salesforce exploitation are typical of these types of attacks. The threat actors call their victims pretending to be from the IT helpdesk. They trick the end user into handing over their Salesforce credentials and MFA tokens or adding a malicious version of Salesforce’s Data Loader app, which they use to access customer data troves. Even Google was caught out this way.
When insider risk stems from more deliberate acts, it’s often driven by financial motivation or retribution. Proofpoint’s study claimed that 86% of CISOs who experienced data loss over the past year did so due to departing employees, up from 69% 12 months ago. That’s despite near universal adoption of data loss prevention (DLP) technology.
Separately, Bridewell claimed in a 2023 study that the number of employee sabotage incidents at critical national infrastructure (CNI) firms surged by 62% year-on-year. That suggests OT systems are also at risk. Over a third of respondents suspected the cost-of-living crisis could be a factor. Half of respondents to a CyberSmart poll came to similar conclusions.
The risk is certainly becoming more complex. Microsoft warned that North Korean IT workers dubbed “Jasper Sleet” (Storm-0287) have been trying to gain employment at US companies since at least 2020. Using stolen identities, deepfake technology and fake GitHub/LinkedIn profiles, many have succeeded.
“Facilitators play a crucial role in validating fraudulent identities and managing logistics, such as forwarding company hardware and creating accounts on freelance job websites,” Microsoft explained. “To evade detection, these workers use VPNs, virtual private servers (VPSs), and proxy services as well as RMM tools to connect to a device housed at a facilitator’s laptop farm located in the country of the job.”
The risk for victim organizations is not just that the salary they pay goes to fund North Korea’s missile program. It’s that, with privileged access, the fraudulent IT workers can steal data and extort their employer. Hundreds of companies have already fallen victim, with experts warning Europe could be the next target. Microsoft alone suspended 3000 Outlook/Hotmail accounts linked to the schemes.
Visibility and Control
“Insider threats are no longer a slow-burn risk – they’re the front line of data loss,” warned Matt Cooke, EMEA cybersecurity strategist at Proofpoint. “Advances in cloud, remote work, and now generative AI mean sensitive data can leave the business faster and more easily than ever – whether through negligence, malice, or even covert infiltration.”
The good news is CISOs don't need to break the bank to improve oversight – at least, of OT assets, argued Rik Ferguson, VP of threat intelligence at Forescout.
“Use the telemetry you already collect, baseline by asset and role, remove standing privilege with just-in-time access on jump hosts, and record sessions for safety-impacting work,” he advised. “Also, segment by function with strict allow-lists, block obvious exfiltration paths such as USB on OT assets and clipboard on bastions. Seed a few canaries to catch curiosity.”
Ferguson also told Infosecurity that Zero Trust should become “operational habit” for teams. With enhanced visibility of systems and the removal of “standing trust,” suspicious behavior becomes easier to spot.
“Use OT-aware solutions/detections to pick up things like firmware loads, logic downloads, mode changes, and bulk historian reads. Verify third parties and remote workers properly and set a culture that rewards refusal when requests clash with process,” he continued. “Measure analyst experience as a success metric, reduce noise, enrich with context, and automate the drudge so humans can investigate.”
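Ferguson’s advice to baseline by asset and role, watch for bulk historian reads and seed canaries, worked through as an added Python example (this is not Forescout’s or the article’s code); the telemetry records, role names and the canary asset are constructed placeholders.

```python
"""Role/asset baselining over OT access telemetry (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical telemetry: (user, role, asset, action, record_count).
BASELINE = [
    ("alice", "engineer", "plc-01", "logic_download", 1),
    ("alice", "engineer", "historian", "read", 120),
    ("bob", "engineer", "historian", "read", 150),
    ("bob", "engineer", "plc-02", "mode_change", 1),
    ("carol", "operator", "hmi-01", "read", 40),
    ("carol", "operator", "historian", "read", 60),
    ("dave", "operator", "historian", "read", 55),
]
# Decoy asset that no legitimate workflow touches (hypothetical canary name).
CANARIES = {"historian-backup-keys"}


def build_baseline(events):
    """Per (role, action): assets seen and per-event record volumes."""
    assets, volumes = defaultdict(set), defaultdict(list)
    for _, role, asset, action, count in events:
        assets[(role, action)].add(asset)
        volumes[(role, action)].append(count)
    return assets, volumes


def score(events, assets, volumes, z=3.0):
    """Flag canary touches, actions/assets unseen for the role, and bulk reads."""
    alerts = []
    for user, role, asset, action, count in events:
        key = (role, action)
        known_assets = assets.get(key)
        if asset in CANARIES:
            alerts.append((user, "canary_touch", asset))
        elif known_assets is None:  # e.g. an operator performing a mode change
            alerts.append((user, "new_action_for_role", action))
        elif asset not in known_assets:
            alerts.append((user, "new_asset_for_role", asset))
        elif action == "read":
            vals = volumes[key]
            mu, sd = mean(vals), pstdev(vals)
            if count > mu + z * max(sd, 1.0):  # floor sd so tiny baselines still alert
                alerts.append((user, "bulk_read", asset))
    return alerts


def detect(new_events, history=BASELINE):
    """Convenience wrapper: baseline on history, score the new window."""
    assets, volumes = build_baseline(history)
    return score(new_events, assets, volumes)
```

Each alert carries the user, a reason and the asset or action, so an analyst sees context rather than a bare score.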
Bridewell head of global data privacy, Chris Linnell, also believes effective insider risk mitigation doesn’t need to be financially overwhelming, as existing IT solutions can often be used. CISOs should check licensing agreements, he advised.
“Take Microsoft, for example – many customers are underutilizing their E3 and E5 subscriptions and failing to take advantage of the data security toolkit available under the Microsoft Purview umbrella,” Linnell argued.
“Once you have the capability from a tooling perspective, understanding the unique threats facing your organization is key. This ensures that any data loss prevention or insider risk management strategy you deploy is proportionate, focused on the most pertinent risks, and therefore efficient and cost-effective.”
Beyond Technology
However, technology is only one piece of the puzzle, Linnell said.
“You will need to establish an operating model and ensure you have the right people in place to handle alerts that are generated. You also need to define the process – what happens when you identify a true positive? How is it triaged and investigated? Do you have a formal disciplinary process?” he said. “If personal data is implicated, how does this tie into your breach procedure? Do you need to involve the data protection team?”
Proofpoint’s Cooke added that employee privacy must also be respected when building insider risk strategy.
“In 2025, mitigating insider risk means more than awareness training,” he concluded. “Identifying risky users with comprehensive governance and applying controls that are built with privacy-by-design is the only way to close the gap between confidence and capability.”
That capability will need to adapt rapidly as technology advances. If the prospect of malicious AI agents isn’t causing CISOs sleepless nights just yet, it soon might be.
Conclusion
Insider threats remain one of the most persistent and complex challenges in cybersecurity. While negligence continues to play a major role, through poor credential hygiene and susceptibility to phishing, the rise in malicious insider activity demands a more proactive and strategic response.
As attacks grow in frequency and sophistication, CISOs must prioritize insider risk management by investing in dedicated resources, enhancing visibility and implementing robust access controls.
With International Insider Threat Awareness Month as a timely reminder, now is the moment to assess your defenses and ensure your organization is equipped to detect, deter and respond to threats from within.