Insider Cyber Threats: From Human Errors to Intentional Acts and Imposters

When it comes to cyber risk, employees are often the weakest link. Insider cyber threats range from accidental, unintentional incidents, to deliberate acts by disgruntled employees, to foreign state actors posing as legitimate employees in order to gain access to a company’s systems for nefarious purposes. They are a growing concern for organizations of all sizes.


Unintentional Acts

Human error and other unintentional employee acts are a significant source of insider cyber threats. According to a Verizon Data Breach Investigations Report, human error accounts for 68% of data breaches. These errors often stem from insufficient training, poor decision-making, or employees’ neglect of best practices. Common examples include clicking on phishing links, accidentally sending sensitive information to the wrong recipient, or ignoring security protocols.

Intentional Acts from Disgruntled Employees

Employees who feel an employer has wronged them, perhaps by overlooking them for a promotion or firing them, may retaliate by deleting data or by stealing software and intellectual property (trade secrets, clinical research, etc.), either to wreak havoc or to gain a competitive advantage with a new employer. The company’s endpoints, databases, mobile devices, networks, cloud infrastructure, and applications are among the assets insiders can leverage to launch such attacks.

For example, a computer programmer for a North Carolina-based company, angered over a demotion, planted a logic bomb that took field sales reps’ computers offline for days.

In another incident, a network engineer sabotaged a company’s systems by returning them to the original factory settings after learning he was about to be fired.1

Infiltration by Foreign Operatives

In January, the FBI issued additional guidance to employers regarding the increased security risks from North Korean workers infiltrating U.S. businesses with remote jobs to steal proprietary information and extort money to fund activities of the North Korean government.2 According to the FBI, North Korean information technology (IT) workers have been “leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”

Cybersecurity company CrowdStrike reported that North Korean IT workers, a group it calls Famous Chollima, were behind 304 incidents in 2024.3

Security Training Firm a Target

One of the most high-profile targets of North Korean state-sponsored operatives was KnowBe4, a leading security-awareness training firm that specializes in teaching employees to detect phishing emails. According to KnowBe4, an operative posing as a software engineer was able to pass its hiring background checks. In a Zoom interview, he came across as a professional. The photo on his LinkedIn page was a stock image altered with AI to resemble him. Once hired, he spent 25 minutes on his first day attempting to install malware on the company-issued computer. KnowBe4 realized he was an impostor and notified the FBI.

KnowBe4’s CEO stated that the operative displayed “a high level of sophistication in creating a believable cover identity, exploiting weaknesses in the hiring and background check processes, and attempting to establish a foothold.” While there was no data breach, a foreign operative’s infiltration of a leading cybersecurity training company shows that every business is vulnerable to these types of insider threats.

Aided by U.S. Facilitators and Others

In an article in Fortune magazine, Michael Barnhart, an intelligence leader at Google Cloud who has been tracking North Korean threats for several years, explains the scheme as follows: “North Korean engineers, deployed to locations in China and Russia, use AI to create bios with eye-catching company experience highlighted.4 They work in teams to apply for jobs en masse, using stolen American identities, or with the help of facilitators in the U.S. or abroad. Some IT workers have even created front companies to pose as legitimate recruiting firms or web-design agencies, for instance, that larger Fortune 500 companies then hire, not realizing it’s a North Korean front.”5

For example, according to court documents, a 49-year-old woman in Arizona helped North Korean co-conspirators obtain jobs at Fortune 500 banks, a television network, an aerospace manufacturer, a car manufacturer, and a Silicon Valley tech company. Using 60 stolen identities, she helped the IT workers get jobs at 300 companies that paid them millions.5

Detecting and Mitigating Insider Threats

In an increasingly sophisticated cyber environment, organizations must proactively detect and mitigate insider threats by implementing the following key actions:

  • Engage Leadership and Build a Security Culture: Actively prioritize cybersecurity and support risk management initiatives to create a culture of vigilance.
  • Conduct Regular Risk Assessments: Continuously identify where employees and systems are most vulnerable, especially around data access, personal device use, and AI tools.
  • Foster Accountability and Transparency: Set clear security expectations, encourage reporting of suspicious activities, and ensure employees feel safe doing so.
  • Monitor Behavioral Risk Indicators: Watch for early warning signs like unauthorized data aggregation, access that is outside normal patterns, and unusual internet activity. Use AI-powered systems to detect risky behaviors early, automate monitoring, and highlight insider risk patterns.
  • Customize Training to Risk Profiles: Personalize security awareness training based on employees’ roles, behaviors, and access to sensitive data.
  • Strengthen Controls Against Data Exfiltration: Implement strict acceptable-use policies and monitor use of personal email, unsanctioned apps, and browser extensions on corporate devices.
  • Implement Continuous Vetting: Move from periodic background checks to ongoing monitoring of significant life changes or behavioral shifts that could indicate rising risk.
  • Secure Remote Access Points: Regularly check for and secure open Virtual Network Computing (VNC) connections and other exposed access points to prevent sabotage.
  • Review Third-Party Applications Regularly: Conduct security assessments of any SaaS apps and external services that could expose sensitive systems or data.
  • Encourage Early Reporting and Action: Promote a proactive approach where minor incidents are reported early.
  • Protect Against Social Engineering and Foreign Influence: Educate employees about tactics like fake recruiting offers, phishing through professional networks, and deepfake scams.
  • Strengthen Remote Hiring Practices: The FBI recommends that employers implement the following to identify and screen potential bad actors:
    • Institute processes to verify identities during interviews, onboarding, and subsequent employment of remote workers.
    • Review job applicants’ email accounts and phone numbers for duplicate contact information among different applicants.
    • Verify third-party staffing firms and their hiring practices.
    • Ask “soft” interview questions about applicants’ locations and backgrounds.
    • Look out for typos and unusual nomenclature in résumés.
    • Complete the hiring and onboarding process in person as much as possible.
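The duplicate-contact review in the FBI list above can be automated. The following Python script is an added example, not code from the article or from the FBI guidance; the applicant records are constructed, and the normalization rules (case-insensitive email, digits-only phone with a leading U.S. country code dropped) are assumptions that a hiring team would tune to its own applicant-tracking data.

```python
"""Flag remote-job applicants who share an email address or phone number (added example)."""
import re
from collections import defaultdict

# Constructed sample applicants; names, addresses and numbers are invented.
APPLICANTS = [
    {"id": "A1", "name": "Jordan Lee", "email": "jordan.lee@example.com", "phone": "+1 (555) 010-2233"},
    {"id": "A2", "name": "Taylor Kim", "email": "Jordan.Lee@Example.com", "phone": "555-010-9999"},
    {"id": "A3", "name": "Casey Park", "email": "casey.park@example.net", "phone": "1-555-010-2233"},
    {"id": "A4", "name": "Morgan Cho", "email": "morgan.cho@example.org", "phone": "555-777-0000"},
]


def normalize_email(email):
    # Assumption: compare addresses case-insensitively after trimming whitespace.
    return email.strip().lower()


def normalize_phone(phone):
    # Keep digits only; drop a leading U.S. country code so "1-555..." matches "555...".
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def find_shared_contacts(applicants):
    """Return {(field, normalized value): [applicant ids]} for values used by more than one applicant."""
    index = defaultdict(list)
    for a in applicants:
        index[("email", normalize_email(a["email"]))].append(a["id"])
        index[("phone", normalize_phone(a["phone"]))].append(a["id"])
    return {key: ids for key, ids in index.items() if len(ids) > 1}


def flagged_applicants(applicants):
    """Set of applicant ids that share at least one contact value with another applicant."""
    flagged = set()
    for ids in find_shared_contacts(applicants).values():
        flagged.update(ids)
    return flagged


if __name__ == "__main__":
    # Each shared value is printed with the applicants who used it, for a human reviewer to follow up.
    for (field, value), ids in find_shared_contacts(APPLICANTS).items():
        print(f"{field} {value!r} shared by applicants {ids}")
```

A match is a prompt for identity verification, not proof of fraud: legitimate applicants occasionally reuse a household phone number.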

Companies should review their cyber insurance program carefully to see how it addresses rogue employee scenarios. Coverage varies by carrier. Some policies include rogue employee acts under broad language, while others exclude it entirely or define it narrowly, potentially limiting coverage.

Contributor

Suzanne Gladle

Executive Risk Advisors

Cyber Practice Leader

McGriff

As seen in the McGriff Risk Review newsletter.
