
Internal access, external threat

Rob Juncker at Mimecast describes how criminals manipulate insider gaps

The term “insider threat” often evokes the image of a disgruntled employee stealing files on their way out the door. However, today’s reality is far more complex – and more dangerous. Organised criminal and state-backed groups don’t just exploit a company’s technical vulnerabilities; they seek out human weakness, turning trusted employees into either unwitting accomplices or deliberate collaborators.

For security leaders, the challenge is clear and urgent: adversaries are embedding agents, coercing insiders, and deploying sophisticated tactics to breach organisations from within. Combating the new breed of insider threat demands vigilance, adaptability, and a far deeper understanding of the human factor in security.

Uncovering insider-driven threats

Today’s adversaries are grooming insiders and manipulating access from within. US officials recently uncovered a large-scale campaign in which North Korean IT workers posed as remote contractors to gain employment at hundreds of US technology companies, including Fortune 500 firms. Using stolen identities, fabricated credentials, and AI-generated profile photos, these operatives were able to infiltrate corporate environments and funnel millions of dollars in earnings back to fund North Korea’s weapons programs.

This IT worker scam started several years ago, but has only increased globally, with countries like Germany, Portugal, and the UK as newer targets, according to Google Threat Intelligence Group (GTIG) researchers.

Criminal ransomware groups are also targeting insiders directly. According to threat researchers, gangs like LockBit, and more recently the lesser-known DoNex, have attempted to bribe employees to install malware on company networks. These offers often appear through anonymous messages, direct notifications during ransomware attacks, or Dark Web forums, targeting employees in financial distress or those with elevated privileges.

Other attackers use psychological manipulation to compromise insiders without their full awareness. In the 2023 breach of MGM Resorts, members of the Scattered Spider group posed as IT support agents and used social engineering to convince an employee to reset credentials and unknowingly deploy malware. By mimicking trusted help desk procedures, the attackers bypassed technical controls and gained a foothold in the environment.

These incidents reflect a growing trend.

External actors are no longer focused solely on breaching the perimeter. They are targeting people with access on the inside.

Key recruitment tactics

Criminal networks use a variety of tactics to target insiders: 

  • Financial incentives: In an era of economic uncertainty and wage stagnation, a six-figure payout for just clicking a link can be hard to resist.
  • Blackmail and coercion: Stolen personal data is weaponised to threaten employees into compliance.
  • Anonymity tools: The Dark Web and encrypted messaging apps allow recruiters and insiders to communicate without fear of detection.
  • Emotional manipulation: Social engineering isn’t just about tricking users into clicking phishing links; it’s also about exploiting psychological vulnerabilities to build relationships with potential accomplices. 

Unlike traditional phishing campaigns, these efforts are personalised, persistent, and, increasingly, professional. And because they often begin in seemingly legitimate digital spaces, like LinkedIn messages, freelance gig platforms, or job boards, they’re harder to spot.

Even organisations with solid security policies can find themselves blindsided. While vetting employees during hiring is necessary, it’s not sufficient. People’s circumstances change. So do their motivations. And traditional tools that flag risky behaviour often miss the slow, calculated actions that mark insider collaboration with organised crime.

Evolving defences against the modern insider threat

Traditional methods won’t cut it when faced with criminal networks that manipulate employees or infiltrate organisations. Behavioural analytics and user activity monitoring help establish a baseline for "normal" behaviour and identify deviations, such as unusual file access patterns or data exfiltration outside working hours. Catching these anomalies early can stop breaches before they occur.

Security teams should also move away from focusing solely on device-based policies and instead prioritise understanding the value of data. A 10KB file containing proprietary source code can be more damaging than a 10GB video. High-value, unstructured data like product designs or trade secrets requires stronger control and visibility.
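The two ideas above, a per-user behavioural baseline that flags off-hours access, and scoring activity by the value of the data rather than its size, can be combined in a small detection routine. This is an added example, not Mimecast’s or the author’s code; the access log, the classification weights and the 08:00–18:59 working-hours window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not from the article: (user, ISO timestamp, path, bytes, classification).
ACCESS_LOG = [
    ("alice", "2025-03-03T10:12:00", "/src/core/auth.py", 10_240, "source"),
    ("alice", "2025-03-03T11:40:00", "/src/core/db.py", 8_192, "source"),
    ("alice", "2025-03-04T09:05:00", "/src/core/api.py", 12_288, "source"),
    ("alice", "2025-03-05T14:30:00", "/docs/onboarding.pdf", 2_000_000, "public"),
    ("alice", "2025-03-06T23:50:00", "/src/core/crypto.py", 9_000, "source"),
    ("alice", "2025-03-06T23:52:00", "/src/core/secrets.py", 4_000, "source"),
    ("alice", "2025-03-06T23:55:00", "/src/billing/ledger.py", 11_000, "source"),
    ("bob", "2025-03-03T15:00:00", "/marketing/launch.mp4", 10_000_000_000, "public"),
]
# Score by what the data is worth, not its size: 10KB of source outweighs a 10GB video.
CLASS_WEIGHT = {"public": 1, "internal": 3, "source": 10, "trade_secret": 20}
HIGH_VALUE = 10            # classes weighted at or above this get off-hours scrutiny
WORK_HOURS = range(8, 19)  # 08:00-18:59 counts as working hours (assumption)
def in_hours(ts):
    return datetime.fromisoformat(ts).hour in WORK_HOURS
def daily_activity(log):
    """Per (user, day): weighted access score and count of off-hours high-value reads."""
    days = defaultdict(lambda: {"score": 0, "off_hours_high_value": 0})
    for user, ts, _path, _size, cls in log:
        w = CLASS_WEIGHT[cls]
        days[(user, ts[:10])]["score"] += w
        if w >= HIGH_VALUE and not in_hours(ts):
            days[(user, ts[:10])]["off_hours_high_value"] += 1
    return days

def build_baseline(log):
    """Per-user (mean, stdev) of the daily score, learned from working-hours activity only."""
    scores = defaultdict(list)
    for (user, _day), b in daily_activity([e for e in log if in_hours(e[1])]).items():
        scores[user].append(b["score"])
    return {u: (mean(s), pstdev(s)) for u, s in scores.items()}

def flag_anomalies(log, baseline, z=2.0):
    """One finding per (user, day) whose activity deviates from that user's own baseline."""
    findings = []
    for (user, day), b in sorted(daily_activity(log).items()):
        mu, sigma = baseline.get(user, (0.0, 0.0))
        reasons = []
        if b["score"] > mu + z * max(sigma, 1.0):  # floor stdev so a flat baseline is not trivially beaten
            reasons.append("above_baseline")
        if b["off_hours_high_value"]:
            reasons.append("off_hours_high_value")
        if reasons:
            findings.append({"user": user, "day": day, "score": b["score"], "reasons": reasons})
    return findings
```

On the sample data only Alice’s late-night run through source files is flagged; Bob’s 10GB download of a public video stays within his baseline because size is not what is being scored.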

Culture is equally critical. Employees are less likely to be tempted or coerced into malicious activity when they feel valued and supported. Creating an environment where employees feel empowered to report suspicious activity is just as important as the technology that monitors for threats. Zero trust principles, with their emphasis on continuous verification and least privilege, can help limit the damage if an insider is compromised.

Collaboration beyond the company walls is essential too. Sharing intelligence with industry peers, security communities, and law enforcement can uncover recruitment patterns and disrupt criminal activity before it reaches your doorstep.

Equally, organisations must be willing to turn the lens inward. That means examining exactly who has access to the most sensitive information, questioning whether those access levels are still justified, and ensuring that employees understand the very real tactics criminals use to target insiders. It also means creating a workplace where reporting a suspicious approach is both safe and encouraged. Self-assessment can be uncomfortable, but it is essential to building a security posture capable of outpacing adversaries.

The path forward

Insider threats have transformed from isolated acts of misconduct into coordinated campaigns by sophisticated, well-resourced networks. Criminals are betting that companies won’t keep pace. Let’s prove them wrong – not by treating employees as potential threats, but by making them our strongest line of defence.

Rob Juncker is Chief Product Officer at Mimecast

Main image courtesy of iStockPhoto.com and Cristian Storto Fotografia

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543