Insider Threats: The Silent Risk Lurking Within Organisations 

Introduction 

In today’s interconnected world, organisations must rely on a foundation of trust to keep operations secure: trust in their systems, processes, partners, and most critically, their people. After all, employees are granted access to sensitive data, infrastructure, and decision-making channels that keep a business running.

But what happens when that trust is compromised from within? That’s the nature of insider threats: risks that originate not from shadowy external hackers, but from individuals inside the organisation. As the Cybersecurity and Infrastructure Security Agency (CISA) defines it, an insider threat is the potential for someone with authorised access to intentionally or unintentionally cause harm to an organisation’s mission, resources, or systems. These threats can manifest in many forms (sabotage, data theft, espionage, cyberattacks, or even violence), making them one of the most complex and underestimated challenges in both the public and private sectors.

Types of Insider Threats 

Among the many forms insider threats can take, malicious and negligent insiders pose some of the most common and damaging risks to organisations. One is driven by intent and the other arises from oversight, but both can have serious consequences.

  1. Malicious Insider Threats 

A malicious insider is someone who deliberately takes harmful action against their organisation. These individuals often have authorised access to sensitive information, systems, or resources, which they exploit to carry out their agenda. 

For example, a disgruntled employee who feels unfairly treated after being passed over for a promotion might copy proprietary data before resigning, with the intention of sharing it with a competitor. In more severe cases, insiders may sabotage critical systems, alter financial records, or leak confidential client information to external actors for financial gain or reputational damage. 

Malicious insider activity is often premeditated and strategic, making it particularly difficult to detect until the damage is done. 

  2. Negligent Insider Threats

Negligent insiders don’t intend to cause harm, but their careless actions can inadvertently compromise security. These threats often stem from poor cyber hygiene, lack of awareness, or disregard for company policies. 

Consider an employee who, while working remotely, connects to a public Wi-Fi network without using a secure VPN, exposing the company’s internal communications to potential interception. Or someone who unknowingly clicks on a phishing email, giving attackers access to login credentials and sensitive files. Even forgetting to lock a computer screen in a shared office space can open the door to unauthorised access. 

Negligent behaviour can also include failing to update software, using the same password across multiple platforms, or misplacing company devices. These are small oversights that can lead to major breaches if exploited.

The M&S Breach: When Third-Party Access Becomes a Liability 

In April 2025, Marks & Spencer experienced a major security breach after hackers gained access via a compromised email account belonging to a contractor from Tata Consultancy Services (TCS). The breach exposed personal data of over 9.4 million customers, including names, addresses, dates of birth, and order histories, though no payment information was affected. 

The attack, which took place over the Easter weekend, disrupted operations for over six weeks and is estimated to have cost the company around £300 million. Investigations revealed that social engineering tactics targeting the third-party contractor allowed the attackers to bypass internal controls. 

This incident highlights how insider threats don’t always stem from internal employees; third parties with legitimate access can also become unintended gateways for external attackers. In response, M&S is overhauling its contractor vetting process, enhancing multi-factor authentication, and moving towards a zero-trust approach for external service providers. 

Protecting Against Insider Threats 

Reducing the risk posed by insider threats requires a combination of people-focused initiatives, technical safeguards, and strategic intelligence. Key protective measures include: 

  • Ongoing staff training 

Human error remains one of the most common causes of insider incidents. Regular training sessions help employees understand how to recognise phishing attempts, avoid careless mistakes, and follow best practices for data handling and access control. Cultivating a strong security culture across all departments is essential for reducing accidental and negligent insider threats. 

  • Regular patching and system updates 

Keeping all software, operating systems, and applications up to date is a fundamental yet often overlooked defence. Unpatched systems can contain known vulnerabilities that insiders, or attackers exploiting insider access, can take advantage of. A strong patch management process ensures that your organisation isn’t left exposed to avoidable risks. 

  • Incorporating threat intelligence into your security strategy 

Threat intelligence enables organisations to detect abnormal behaviour, anticipate risks, and respond swiftly. By understanding the latest tactics and techniques used by threat actors, security teams can identify early indicators of insider activity, whether malicious or unintentional. 

CYJAX supports this effort by delivering timely, actionable intelligence tailored to your organisation’s needs, helping you stay one step ahead of emerging insider and external threats. Contact CYJAX today to book a demo and discover how our threat intelligence solutions can help protect your organisation from evolving insider risks. 
