Bad seeds - The invisible cyber security threat inside your organisation

Written by Kordia | 3/06/2025 1:19:13 AM

Cyber security threats often conjure images of sophisticated hackers from foreign nations working tirelessly to breach systems.

But some of the biggest risks can come from the inside. According to businesses surveyed for Kordia's NZ Business Cyber Security Report 2025, 14% of all cyber-attacks and incidents were caused by an internal actor. However, this number could be much higher. 

Employees, contractors, and trusted insiders have direct access to critical systems that external attackers would spend months, even years, trying to infiltrate. 
This reality makes insider threats one of the most overlooked yet devastating risks in cyber security.

Directors need to understand this risk and what goes into mitigating it. 
Cyber security can’t be seen as an isolated challenge that can be solved by ensuring external defences are in place. Robust cyber security extends right through to company culture and the wellbeing of employees. 

In the end it’s all about trust. Have you built a workplace where you can trust your employees? If not, will your customers really trust a business with their data if its own staff was the cause of a significant breach? 

Despite the escalating severity of cybercrime, many organisations invest heavily in external protections while failing to address the internal threat, leaving their most sensitive systems exposed. 

Insider threats fall into two categories: accidental and malicious.

The two faces of insider threats
Accidental insider threats arise when employees unknowingly compromise security due to mistakes, fatigue, or lack of cyber security awareness. A single misdirected email, improperly shared document, or phishing scam can expose sensitive data, often with catastrophic consequences. 

These errors are preventable, but only with proactive communications, strong security policies, and ongoing training. Cyber security training cannot be a tick-box exercise; it must be woven into company culture.

Malicious insider threats, on the other hand, are deliberate and far more dangerous.
These threats arise when trusted employees or contractors intentionally abuse their access to harm the organisation. Motivations for these attacks can vary, whether out of resentment, financial motivation, or coercion by external actors. 

Employees can steal sensitive data, disrupt operations, or sabotage systems, often without immediate detection as they have legitimate credentials and access to the systems in use. 

Unlike accidental breaches, these threats are deliberate and calculated. 

Why do insider attacks happen? 
For external hackers, the hardest part of any breach is gaining access. Insiders, however, already have it.

While cybercriminals may bribe or coerce employees into committing breaches, the more common threat comes from disgruntled staff members acting out of frustration, whether over a pay dispute, job loss, or workplace dissatisfaction.

It’s easy to assume ‘that would never happen here’, but it happens everywhere.
We only need to look at examples such as the San Francisco bank breach where a disgruntled cloud engineer was sentenced to two years in prison for intentionally damaging his former employer’s computer network after he was fired.

The day he was fired, the staffer used his company-issued laptop to illegally access the bank’s network, wreaking havoc: he wiped code repositories, executed a malicious script to erase logs, teased former colleagues within the bank’s code, and impersonated employees by opening sessions in their names.

Tips for preventing insider threats
Business leaders must take responsibility for proactive measures to mitigate these risks.

This starts by recognising the extended value of building a strong workplace culture (and the strategic spend that goes into this). While culture-related productivity increases are often top of mind, the impact on security isn’t often factored in.

It’s also important to ensure your executive team understand the associated risks.
What processes are in place to discover disgruntled staff? How are these situations managed to help ensure a positive outcome? 

Are there limitations on ‘God-level access’, where one employee or contractor has complete control over an organisation’s systems? What checks and balances are in place for individuals who have this level of access?

The threat becomes even more difficult to neutralise when it comes from outside your organisation. External contractors and partners can pose insider risks if their access isn’t carefully managed. This is particularly dangerous for smaller businesses that completely outsource their IT.

Executives need to rigorously vet external providers, restrict access to essential systems, and implement continuous monitoring for suspicious activity. It is the Board’s responsibility to require clear reporting on third-party cyber security risks and ensure contracts explicitly define security expectations.

Cyber security strategies often focus on preventing external attacks, but insider threats remain one of the most dangerous and underestimated risks facing organisations today.
This needs to be considered in your risk mitigation strategies.