The Unusual Suspects: The Insider 2020 The Insider comes in many guises: the disgruntled office worker, the blackmail victim in Accounts, the spy, the well-meaning innocent, or the small supplier with trusted access to your network.
The Insider may conduct their activities on purpose, through carelessness, or through outside influence falling for a scam or becoming the victim of blackmail, for example. This makes the Insider one of the hardest Suspects to anticipate and defend against. The Insider’s position within an organisation can mean they can do just as much damage as the most sophisticated piece of malware.


They might be part of your supply chain, a disillusioned current or former employee or contractor, or a victim of blackmail or hardship. Whatever their motivation, the Insider possesses the keys to the company’s castle, and the means to breach or bypass defences with ease. Insiders have a variety of motivations, and widely differing skills – and they may even be unaware of their involvement in a criminal enterprise. 
Insiders may be complicit in the actions of other cyber criminals, but equally can be victims of blackmail, extortion or other threats to ensure their involvement. They’re used to identify weaknesses in a company or organisation’s security, or provide a route in via their own credentials. 
Alternatively, Insiders may simply be a well-meaning individual trying to help what they think is a customer, colleague or partner out.


Insiders have a wide variety of motivations, ranging from greed, a political cause, or fear – or they may simply be naive. Regardless, the Insider serves as a key others can use to enter an organisation’s networks, giving them access to the inner workings of an organisation.
The subset of innocent enablers – the Well Intentioned Misguided Person (WIMP) – can be a significant danger to an organisation’s security. They’re often keen to help, expert at ‘getting things done’ and have a reputation within their organisation as the person others turn to to help solve tricky or seemingly insurmountable bureaucratic problems. 
Blinded by their sense of duty, a WIMP will gladly open back doors, exchange sensitive content, work on critical documents at home, accept all social media requests, take their laptop on holiday (just in case someone needs something) and use any available WiFi connection – all the type of actions that unwittingly leaves them and their entire organisation open to a possible cyber-attack or data loss incident.

Modus Operandi

From mailing valuable documents outside the company (or moving them on thumb drives, mobile phones or via network backdoors, through to handing over login credentials), the Insider can bypass carefully-erected security and access controls. Disgruntled Insiders can leave a trail of destruction behind them – adding malicious code to company software, encrypting valuable files, or changing system configurations.
Perhaps most worrying for organisations, according to a survey by the SANS institute, a third of respondents said they knew their organisation had suffered an insider attack – but that many went undetected. From the casual theft of Intellectual Property (IP) through to the creation of backdoors giving criminals access to an organisation’s data and resources, the Insider can be far more effective and efficient than the most sophisticated piece of malware.

Get in touch to speak with one of our experts, or download The Unusual Suspects Overview to find out more:

The Unusual Suspects Overview  Contact us


The Unusual Suspects overview

600.4 KB

12 Default Profile Image
Head of External Communications
Media Team
Digital Intelligence