When you hear “insider threat” what comes to mind? A rogue employee stealing files before quitting?
Think bigger, writes Heino Gevers, senior director of technical support at Mimecast. The reality is far more alarming.
Today’s insider threats aren’t lone wolves acting out of spite – they’re pawns in the hands of sophisticated, organised criminal networks. These groups don’t just exploit vulnerabilities in your systems; they exploit your people, turning trusted team members into unwitting accomplices or deliberate collaborators in their schemes.
Criminal networks are embedding operatives, coercing employees, and using cutting-edge tactics to infiltrate organisations from the inside. And South Africa is not immune to the growing trend.
A small number of employees can wreak massive damage
The State of Human Risk Report shows that in 2024, human risk surpassed technology gaps as the biggest cybersecurity challenge. Report findings highlight that 43% of surveyed organisations, including South African companies, have seen an increase in internal threats or data leaks initiated by compromised, careless, or negligent employees in the last 12 months. What’s more, 66% of organisations are concerned that data loss from insiders will increase in the next 12 months.
The report also shows that a small fraction of employees (8%) is responsible for a disproportionate share of security incidents (80% of incidents).
Today’s adversaries are grooming insiders and manipulating access from within. According to threat researchers, criminal ransomware groups like LockBit have attempted to bribe employees to install malware on company networks – often targeting employees in financial distress or those with elevated privileges.
Other attackers use psychological manipulation to compromise insiders without their full awareness. In the 2023 breach of MGM Resorts, members of the Scattered Spider group posed as IT support agents and used social engineering to convince an employee to reset credentials and unknowingly deploy malware. By mimicking trusted help desk procedures, the attackers bypassed technical controls and gained a foothold in the environment.
While the incidence of these threats remains comparatively low for now, South Africa is dealing with its own rising internal threat of ghost workers, who are costing employers and taxpayers billions each year.
These fictitious employees are generally added to the payroll through deliberate collusion between corrupt staff members and receive salaries without performing any work.
According to the Public Servants Association (PSA), ghost workers are costing the country billions of rands annually. These incidents reflect a growing trend. External actors are no longer focused solely on breaching the perimeter. They are targeting people with access on the inside.
The recruitment playbook
Criminal networks use a variety of tactics to target insiders:
- Emotional manipulation: Social engineering isn’t just about tricking users into clicking phishing links, it’s also about exploiting psychological vulnerabilities to build relationships with potential accomplices.
- Anonymity tools: The Dark Web and encrypted messaging apps allow recruiters and insiders to communicate without fear of detection.
- Financial incentives: In an era of economic uncertainty and wage stagnation, a six-figure payout for just clicking a link can be hard to resist.
- Blackmail and coercion: Stolen personal data is weaponised to threaten employees into compliance.
Unlike traditional phishing campaigns, these efforts are personalised, persistent, and, increasingly, professional. And because they often begin in seemingly legitimate digital spaces, like LinkedIn messages, freelance gig platforms, or job boards, they’re harder to spot.
Even organisations with solid security policies can find themselves blindsided. While vetting employees during hiring is necessary, it’s not sufficient. People’s circumstances change. So do their motivations. And traditional tools that flag risky behaviour often miss the slow, calculated actions that mark insider collaboration with organised crime.
Modern strategies to deter new insider threats
Traditional methods won’t cut it when faced with criminal networks that manipulate employees or infiltrate organisations. Businesses need to rethink their defences, not just to prevent breaches but to anticipate and counter the complex tactics of modern adversaries. Here’s how organisations can take more proactive and effective steps to combat these threats:
- Shift from reactive to proactive monitoring – Behavioural analytics and user activity monitoring help establish a baseline for “normal” behaviour and identify deviations, such as unusual file access patterns or data exfiltration outside working hours. Catching these anomalies early can stop breaches before they occur.
- Protect the employees, not just the technology – Security teams need to shift from a purely infrastructure-focused strategy to a human-centric approach. In 2025, relying on one-off employee training leaves organisations exposed and creates dangerous blind spots. Addressing the human layer is now essential – and insider risk management must be core to the approach.
- Foster a culture of integrity and psychological safety – Employees are less likely to be tempted or coerced into malicious activity when they feel valued and supported. Security isn’t just a technical issue; it’s a cultural one. Create an environment where employees feel empowered to report suspicious activity, including recruitment attempts by external actors, without fear of retaliation. Make doing the right thing easier than doing the wrong thing.
- Reinforce Zero-Trust principles – No one should have unrestricted access to sensitive systems or data, regardless of their position or seniority. Enforce least-privilege access, regularly revalidate permissions, and verify every connection to ensure tight security controls are always in place.
- Have a dedicated ghost worker strategy – AI-powered monitoring can flag unusual access patterns, detect lateral movement, and automatically block attempts to alter or export sensitive records. By consolidating oversight into central dashboards, security teams can spot repeated high-risk behaviours, such as persistent access to personnel data, without drowning in manual checks. Integrating tools across payroll, HR, and security systems ensures stronger protection, closing the gaps criminal networks exploit.
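The proactive-monitoring and ghost-worker points above can be made concrete with a small detection pass over access logs and a payroll roster. The script below is an added illustration, not Mimecast's product or code from the article; the log format, the 07:00–19:00 working window, the 10× volume threshold and all sample records are constructed assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample data (not from the article): an access-log extract and a payroll roster.
# Line format assumed here: "<ISO timestamp> <user> <resource> <action> <bytes>".
ACCESS_LOG = [
    "2025-03-03T09:12:00 alice hr/personnel.db read 120",
    "2025-03-03T10:40:00 alice hr/personnel.db read 95",
    "2025-03-04T09:05:00 alice hr/personnel.db read 110",
    "2025-03-04T23:47:00 alice hr/personnel.db export 48000",
    "2025-03-03T08:55:00 bob finance/ledger.xlsx read 40",
    "2025-03-04T09:10:00 bob finance/ledger.xlsx read 38",
]
PAYROLL = ["alice", "bob", "carol"]  # carol draws a salary but never appears in any log

def parse_events(lines):
    """Turn log lines into dicts, sorted by time so baselines only use prior activity."""
    events = []
    for line in lines:
        ts, user, resource, action, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "action": action, "bytes": int(size)})
    return sorted(events, key=lambda e: e["ts"])

def off_hours_events(events, start_hour=7, end_hour=19):
    """Events outside the assumed working window (clock hours only; a real
    deployment would learn the window per user instead of hard-coding it)."""
    return [e for e in events if not start_hour <= e["ts"].hour < end_hour]

def volume_outliers(events, factor=10):
    """Events moving more than `factor` times the user's median prior volume,
    the 'unusual file access pattern' signal that precedes bulk exfiltration."""
    history, flagged = {}, []
    for e in events:
        prior = history.setdefault(e["user"], [])
        if len(prior) >= 2 and e["bytes"] > factor * median(prior):
            flagged.append(e)
        prior.append(e["bytes"])
    return flagged

def ghost_workers(payroll, events):
    """Payroll identities with no activity at all in the logs: the cross-check
    between payroll and security telemetry that a fictitious employee fails."""
    active = {e["user"] for e in events}
    return sorted(u for u in payroll if u not in active)

if __name__ == "__main__":
    evs = parse_events(ACCESS_LOG)
    for e in off_hours_events(evs):
        print("off-hours:", e["user"], e["ts"], e["action"], e["resource"])
    for e in volume_outliers(evs):
        print("volume outlier:", e["user"], e["bytes"], "bytes via", e["action"])
    print("on payroll but no activity:", ghost_workers(PAYROLL, evs))
```

On the sample data the same late-night export is caught by both the time and the volume rule, and the payroll cross-check surfaces the identity that never touches any system.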
Risk needs a rethink
It’s clear: the insider threat has evolved. And so must our defences. Criminal networks are adapting quickly, and they’re betting that companies won’t keep pace. Let’s prove them wrong – not by treating employees as potential threats, but by making them our strongest line of defence.