How big is the risk from insider threats and what can UK firms do to mitigate the impact?
Last year, cybersecurity firm CrowdStrike admitted an insider took screenshots of systems and shared them with Scattered Lapsus$ Hunters in exchange for cash.
The firm had a lucky escape, discovering the insider before they caused any damage. CrowdStrike identified and terminated the suspicious insider in October following an internal investigation that determined he shared pictures of his computer screen externally. “Our systems were never compromised and customers remained protected throughout,” a CrowdStrike spokesperson tells SC Media UK. “We have turned the case over to relevant law enforcement agencies.”
CrowdStrike is not the first company to experience a serious insider attack in recent years. In 2023, Tesla employees stole and sold personal data belonging to tens of thousands of the company’s staff, including social security numbers.
The Lowdown On Insider Threats
There are two main types of insider threat: malicious and negligent, says ThreatLocker CEO Danny Jenkins. The distinction is intent, he says. “Malicious insiders take deliberate criminal action like stealing data, selling access for financial gain, or sabotaging systems. Negligent insiders are well-intentioned employees who make mistakes like clicking on links in phishing emails.”
Insiders are often the access route for later high-impact cybersecurity incidents, such as ransomware or large data breaches, says Ollie Gower, managing director in the cybersecurity practice at FTI Consulting. “This threat is especially dangerous when companies only use traditional detection methods, as insiders already have legitimate access, making their malicious activity hard to detect.”
Malicious insider incidents are increasing in scale and scope, says Jenkins. He cites the example of the recent data breach at South Korean ecommerce platform Coupang, which saw a former employee retain access to a stolen key and use it to remotely download the personal information of millions of users.
At the same time, espionage-driven malicious insider activity is widespread and shows no sign of stopping. North Korean operatives posing as remote workers have infiltrated organisations globally, with hundreds of documented examples, including at cybersecurity companies, Jenkins points out.
Attractive Economics
The growth of insider threats is partly being driven by the economics of attackers recruiting employees. It represents “a lower cost option” compared to other methods, says Spence Hutchinson, threat intelligence researcher at eSentire Labs. “When you harden your perimeter and endpoint security and roll out multi-factor authentication properly, the path of least resistance shifts over to people and their accounts.”
As companies strengthen their perimeter defences with the latest and most advanced security tools, they make it more difficult for malicious hackers to gain access to corporate systems, forcing them to seek alternative attack vectors, often by exploiting insider access, agrees Gower.
Hutchinson cites eSentire Labs’ 2025 research, which showed valid credential access was the top vector for initial access to systems, accounting for 55% of all initial access – up from 37% the previous year. “That is a huge increase in use of this tactic, and a share will be due to insider threat,” says Hutchinson.
Tech Driven Threats
Another factor increasing the insider threat is technology. Artificial intelligence (AI) is making negligent insiders easier to exploit, says Oliver Newbury, chief strategy officer at Halcyon. “AI-driven phishing, deepfake voice calls, and realistic internal messages increase the chance that staff will be deceived or pressured into helping an attacker. At the same time, ransomware groups actively seek insider access because it shortens the path to impact. The line between external attack and insider threat is becoming increasingly blurred.”
Jenkins cites the example of UK engineering firm Arup, where an employee was tricked into transferring millions following deepfaked video calls with criminals impersonating senior leadership. “As AI improves, these threats will become more effective and easier to deploy.”
Due to the high level of sophistication, it is difficult for employees and providers to detect that they are dealing with a deepfake, says Gower. “Believing they are in contact with a trusted entity, often under a sense of urgency and authority bias that lowers their risk awareness, they may reveal sensitive information or facilitate access to unauthorised parties.”
In the coming years, the use of agentic AI will contribute to this increasing risk, says Rasika Somasiri, cybersecurity expert at PA Consulting. “Such systems interact with technology in a way that is very human-like, with the added complication that they can operate orders of magnitude faster.”
Mitigating Insider Threats
The threat from insiders is a growing challenge, but there are some steps firms can take to mitigate the risk. Organisations need to treat insider risk “as a routine part of security,” says Newbury. That means limiting access, removing access quickly when roles change, and paying attention to behaviour, rather than just technical alerts, he says.
The key to protecting against insider threats lies in identity security, which helps detect and prevent identity-driven breaches and incidents that bypass traditional security measures, says Gower. “Organisations should apply monitoring to employees and extend these controls to contractors and third-party suppliers, ensuring effective third-party risk management and reinforcing collaborators’ cyber culture and loyalty toward client security.”
To help catch fake employees, Hutchinson advises working with HR on hiring and screening processes. “Look out for any identity inconsistencies, such as checking educational credentials against alumni rosters and other positions. If someone has an employment history gap, ask about it sensitively, but thoroughly.”
Organisations need to adopt a layered approach to defence that combines technical and procedural security controls with good quality training and awareness, says Somasiri. Technical controls such as behavioural monitoring can highlight anomalous or undesirable behaviour on systems, while procedural controls help ensure that risks are “reduced and properly managed,” he says.
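Two of the controls named above, removing access promptly when a role ends and using behavioural monitoring to surface anomalous activity on systems, can be illustrated with a small script. The following is an added example written for this article, not code from any of the firms quoted. It assumes a constructed HR roster (account, role, optional end date) and constructed audit log lines in a simple space-separated format; the spike threshold (ten times a user's own median daily download volume) is an illustrative choice, not a recommendation from the experts interviewed.

```python
"""Added example: two insider-risk checks over constructed audit log lines.

Check 1 (stale access): joins each log event against an HR roster and flags
activity by accounts whose end date has passed or that HR does not know at all,
i.e. access that should have been removed when the role changed.
Check 2 (behavioural outlier): flags a day on which a user's download volume
is far above that user's own median for other days.
All roster entries and log lines below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import median

# Constructed HR roster: account -> (role, end date or None if still active)
HR_ROSTER = {
    "alice": ("finance", None),
    "bob": ("contractor", date(2025, 3, 31)),   # contract ended, account not yet removed
    "carol": ("engineering", None),
}

# Constructed audit log: ISO timestamp, account, action, resource, bytes
AUDIT_LOG = """\
2025-04-01T09:12:00 alice download payroll.csv 20480
2025-04-01T10:05:00 bob download design.zip 5242880
2025-04-02T09:30:00 alice download payroll.csv 21000
2025-04-03T09:15:00 alice download payroll.csv 19800
2025-04-04T23:40:00 alice download hr_export.zip 734003200
2025-04-01T11:00:00 carol download repo.tar 1048576
2025-04-02T11:10:00 carol download repo.tar 1100000
2025-04-03T11:05:00 carol download repo.tar 1000000
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    action: str
    resource: str
    nbytes: int


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str      # "stale_access" or "volume_spike"
    detail: str


def parse_log(text):
    """Parse the constructed log format into Event records (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, resource, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), account, action, resource, int(nbytes)))
    return events


def stale_access(events, roster):
    """Flag events by accounts that have left (end date passed) or are unknown to HR."""
    out = []
    for e in events:
        rec = roster.get(e.account)
        if rec is None:
            out.append(Finding(e.account, "stale_access", f"{e.ts.isoformat()} account not in HR roster"))
        elif rec[1] is not None and e.ts.date() > rec[1]:
            out.append(Finding(e.account, "stale_access", f"{e.ts.isoformat()} activity after end date {rec[1]}"))
    return out


def volume_spikes(events, ratio=10.0, min_days=3):
    """Flag a day whose download total exceeds ratio x the user's median over other days.

    A median baseline is used so a single huge day does not inflate the
    baseline it is compared against; users with fewer than min_days of
    history are skipped because there is no baseline to compare with.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.action == "download":
            daily[e.account][e.ts.date()] += e.nbytes
    out = []
    for account, per_day in daily.items():
        if len(per_day) < min_days:
            continue
        for day, total in per_day.items():
            base = median(v for d, v in per_day.items() if d != day)
            if base > 0 and total > ratio * base:
                out.append(Finding(account, "volume_spike",
                                   f"{day} downloaded {total} bytes vs median {base:.0f} on other days"))
    return out


def run_checks(log_text=AUDIT_LOG, roster=HR_ROSTER):
    """Run both checks and return the combined list of findings."""
    events = parse_log(log_text)
    return stale_access(events, roster) + volume_spikes(events)


if __name__ == "__main__":
    for f in run_checks():
        print(f.kind, f.account, f.detail)
```

On the constructed data the script raises exactly two findings: the contractor account still active after its end date, and the finance user's 700 MB late-night export against a baseline of a few tens of kilobytes. Neither would trip a purely technical alert, since both accounts hold legitimate credentials, which is the point made above about insiders being hard to see with perimeter-only detection.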
Governance is also important, according to Somasiri. “We frequently advise clients to work more collaboratively when planning for how to respond to insider threat, particularly across functions such as security, HR and compliance.”
A strong cybersecurity culture is essential, Gower adds. “Staff should be educated on how to identify and report suspicious activity as part of employee cybersecurity requirements. Organisations should establish strict security policies for both malicious and negligent insiders, clearly explaining the consequences of poor cybersecurity behaviour and failure to comply with security requirements and obligations.”
Written by Kate O'Flaherty, cybersecurity and privacy journalist