In today’s digital landscape, the most dangerous cybersecurity threats aren’t always sophisticated hackers in hoodies writing malware in the dark. Sometimes, they’re employees or contractors who already have legitimate access. They may not even realize they’re part of the problem. Insider threats, malicious or unintentional, are increasingly becoming the easiest path into an organization’s network.
On Episode 150 of the Reimagining Cyber podcast, host Ben welcomed back Tyler Moffitt, Senior Security Analyst at OpenText Cybersecurity, to explore the complex and growing issue of insider threats. From third-party vendor risks to phishing schemes and ransomware partnerships, this conversation highlighted why insider threats must be a top concern for every organization.
Breaking down insider threats
Tyler began by categorizing insider threats into two key types:
Malicious insiders – These individuals knowingly exploit their access for personal gain or revenge. Whether disgruntled employees, collaborators with threat actors, or simply susceptible to bribery, their insider knowledge can make them extremely dangerous.
Unintentional insiders – Far more common, these are employees or contractors who fall victim to phishing, social engineering, or other manipulative tactics. They may unknowingly click malicious links, give up credentials, or fall for voice phishing (“vishing”) scams.
While both types are damaging, unintentional insider threats are easier to scale through social engineering campaigns and represent a broader risk surface.
Case study: Coinbase and the price of access
A chilling real-world example came from a recent breach at Coinbase, the popular cryptocurrency exchange. The attack was facilitated through a third-party contractor at an outsourced call center. Cybercriminals impersonated internal IT staff, contacted the contractor via a vishing campaign, and bribed them to gain access to internal systems.
The result? Criminals exfiltrated sensitive customer data and targeted those individuals with phishing campaigns, successfully defrauding them of cryptocurrency.
However, the company’s response makes the Coinbase case particularly notable. Instead of quietly paying off the attackers to keep the breach under wraps, Coinbase went public, disclosed the breach, and offered a $20 million bounty for information leading to the perpetrators. Even more impressively, they committed to reimbursing affected customers—an unusual and commendable move in the often murky world of crypto.
This breach affected internal operations and highlighted serious risks in third-party vendor management. As Tyler points out, even if your company maintains rigorous security controls, you’re only as secure as your least secure partner. Your entire infrastructure could be compromised if a contractor can be bribed or tricked into granting access.
Scattered Spider: Masters of social engineering
If Coinbase illustrates the risk of malicious insiders, the UK-based retail breaches show how unintentional insiders can be just as dangerous.
Retail giants like Marks & Spencer, Co-Op, and Harrods recently suffered outages and data exposure linked to a notorious cybercriminal group known as Scattered Spider (also tracked as Octo Tempest or UNC3944). This group specializes in social engineering. It tricks internal employees—often native English speakers—into giving up credentials or resetting multi-factor authentication (MFA), which allows further infiltration.
Tyler explains that these groups act as “access brokers,” working within a broader ransomware economy. Once they’ve gained access, they sell it to ransomware affiliates, who then deploy the actual payloads and extort companies for millions. It’s a well-oiled criminal operation, and companies worldwide struggle to keep up.
Marks & Spencer, for instance, has been battling system issues for over a month following the breach. It continues to struggle with online orders, contactless payments, and even inventory shortages. The Co-Op took a more decisive approach by shutting down its systems early to cut off the attack, preventing deeper damage.
Which insider threat is worse: Malicious or unintentional?
Tyler’s answer is clear: unintentional insiders represent the bigger threat. Why? Because malicious insiders, while severe, are limited in scale. Bribing or turning an employee takes effort and coordination. But unintentional insiders? They’re everywhere, and they’re vulnerable. With phishing and social engineering attacks, threat actors can target thousands at once, hoping that even a small percentage will fall for it.
And with AI now empowering scammers to create deepfake voices, realistic spoofed emails, and convincing fake Slack messages, it’s getting harder for employees to detect fraud.
Remote work adds fuel to the fire
Remote and hybrid work environments, which have become the norm since the pandemic, further complicate the insider threat landscape. Verifying identities and intentions is more challenging when employees aren’t physically present. Tyler notes that the decentralized nature of remote work makes impersonation schemes more plausible and successful.
Defending against insider threats
Despite the doom and gloom, there are practical defenses organizations can deploy. Tyler emphasizes the importance of layered security, including:
- Zero-trust mindset: Don’t assume that just because someone is inside the network, they’re trustworthy. Validate everything, especially identity and access.
- Least privilege access: Only give employees and contractors the minimal level of access necessary for their roles. Implement secure escalation protocols for sensitive actions like MFA resets.
- MFA hardening: Require multiple levels of identity verification, especially for support or admin-level users. Video verification and secure PINs can provide additional safeguards.
- Behavior analytics: Monitor user behavior to detect anomalies, such as logins at odd hours or unusual system access patterns.
- Training: Regularly educate all employees, especially those in support roles, on recognizing phishing, social engineering attempts, and internal impersonation scams.
- Vendor security: Vet your third-party vendors thoroughly. Ensure their security standards match yours, especially if they handle customer data or sensitive internal systems.
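A small illustration of the behavior-analytics and MFA-reset escalation points above, added here as example code rather than anything from the podcast or OpenText: it runs simple rules over constructed authentication events and flags off-hours activity, access to a system outside a user's baseline, and an MFA reset with no ticket reference. The log format, the per-user baseline, and the working-hours window are assumptions.

```python
from datetime import datetime

# Constructed sample authentication events (not real logs). Fields:
# timestamp user source_host target_system action [ticket]
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice vpn-gw crm login
2024-03-04T10:30:00 alice vpn-gw wiki login
2024-03-04T02:47:00 alice vpn-gw crm login
2024-03-04T11:05:00 bob office-lan ticketing login
2024-03-04T11:40:00 bob office-lan payroll login
2024-03-04T14:02:00 support1 callcenter idp mfa_reset TCK-1042
2024-03-04T14:09:00 support1 callcenter idp mfa_reset
"""

# Assumed per-user baseline of systems normally accessed (would be built from history).
BASELINE = {"alice": {"crm", "wiki"}, "bob": {"ticketing"}, "support1": {"idp"}}
WORK_HOURS = range(7, 20)  # assumed: 07:00-19:59 counts as normal working hours


def parse_event(line):
    """Split one constructed log line into its fields; ticket is optional."""
    parts = line.split()
    ts, user, src, system, action = parts[:5]
    ticket = parts[5] if len(parts) > 5 else None
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "system": system, "action": action, "ticket": ticket}


def detect_anomalies(log_text, baseline):
    """Return (user, reason, timestamp) findings for events that break a rule."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        when = ev["ts"].isoformat()
        # Rule 1: activity outside the normal working-hours window.
        if ev["ts"].hour not in WORK_HOURS:
            findings.append((ev["user"], "off-hours activity", when))
        # Rule 2: access to a system the user has no history with.
        if ev["system"] not in baseline.get(ev["user"], set()):
            findings.append((ev["user"], f"access outside baseline: {ev['system']}", when))
        # Rule 3: MFA resets are a sensitive escalation step; require a ticket reference.
        if ev["action"] == "mfa_reset" and ev["ticket"] is None:
            findings.append((ev["user"], "mfa_reset without ticket reference", when))
    return findings


if __name__ == "__main__":
    for user, reason, when in detect_anomalies(SAMPLE_LOG, BASELINE):
        print(f"{when} {user}: {reason}")
```

In practice the baseline and hours window would come from historical data per role, and findings would feed a review queue rather than block access outright.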
The insider threat will grow
As cybercriminals become more creative and organizations become more distributed, the insider threat will only grow. Whether it’s a bribed contractor or a tricked help desk agent, people have become the new perimeter—and that perimeter is fragile.
The solution? Invest in people-first security strategies, harden your identity controls, and never underestimate the importance of awareness and training. In the world of cybersecurity, trust must be earned continuously.
As Tyler put it, “Identity is the new perimeter.”
Listen to this latest episode of Cybersecurity Reimagined on your favorite podcast app including Apple, Spotify, Buzzsprout or any other major platform. You can also listen to any of our previous episodes on demand.