
At our recent Cyber Forum on Cyber Risks, Insider Threats, the discussion highlighted a critical but often underestimated aspect of cyber security: the threat from within. Featuring insights from Sohan Lokula of PwC’s Cyber Threat Intelligence team, along with expert perspectives from Marina Shteinberg (Pentagram Advisory), Peter Chapman (Korda Mentha), Julia Wighton (PwC), and Ross Daws (GNGB), the forum explored how internal vulnerabilities can pose as much – if not more – risk to organisations than external cyberattacks.
The Evolving Threat Landscape
Today’s threat actors are more diverse and driven than ever before. In Australia, the cyber threat landscape is intensifying, with increased cyber activity aimed at elections, critical infrastructure, and financial services—often orchestrated by foreign adversaries.
Among the many challenges, the insider threat stands out as a critical area of concern. Bridging both the technical and human domains, these threats stem from individuals with legitimate access to systems and sensitive data. Whether motivated by personal gain, grievance, coercion, or even careless mistakes, insiders can cause significant damage – often without raising immediate red flags.
Insider Threats: More Than Just Malice
Insider threats are not always the result of malicious intent. Often, they emerge from carelessness, dissatisfaction, or even a simple lack of awareness. As Marina S highlighted during the forum, a 2022 report found that 44% of insider threat cases stem from disgruntled employees. Insider risk is not just a technical challenge—it’s a cultural one. Trust, workplace morale, and often the formal obligations outlined in employment or engagement contracts – reflecting a principle of quid pro quo – play a critical role in shaping an organisation’s risk profile.
Recent examples of insider activity have shown how broad and unexpected insider threats can be, from unsanctioned statements being filmed while wearing company uniform, through to a cybersecurity consultant abusing their access to both exfiltrate confidential information and manipulate platform security to cover their tracks.
Who Is an Insider?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) defines an insider as “any person who has or had authorized access to or knowledge of an organisation’s resources.” That includes not just employees, but also contractors, third-party service providers—essentially anyone with a key, a password, or system-level access.
This broad definition is crucial: the threat isn’t confined to a specific department or title. Whether it’s a cleaner with after-hours access to executive offices or a system administrator applying critical updates during a crisis, both can carry elevated levels of risk simply by virtue of their access.
Insider Threats in Action: Vulnerabilities, Threats, and Risks
Understanding insider threats requires mapping out the relationship between three key concepts:
- Vulnerabilities – Weaknesses in systems, people, or processes.
- Threats – Events or actions that could exploit those vulnerabilities.
- Risks – The potential consequence if those threats materialise.
Let’s look at a few real-world scenarios:
- A system administrator with sole access to critical infrastructure suddenly falls ill—payroll comes to a halt.
- A cleaner stumbles across sensitive documents left out in an executive’s office.
- An employee, tricked by a phishing email, inadvertently forwards confidential data.
Each of these examples illustrates a key point: human vulnerabilities are just as exploitable as technical ones. Whether intentional or accidental, insider actions can have serious consequences—and understanding that human element is vital to any robust cybersecurity strategy.
Building an Insider Threat Mitigation Program (ITMP)
An effective ITMP doesn’t have to be overwhelming or expensive at the outset. Its purpose is to establish a culture of accountability, layered access, and protective checks that make it harder for insider threats to succeed—intentionally or otherwise.
Key Steps to Start an ITMP:
- Inventory Privileged Processes and Data Repositories
Identify confidential data repositories and document activities which require elevated access—who, what, why, and when.
- Identify and Prioritise Risks
Understand the risk appetite of your organisation and focus on high-impact scenarios.
- Implement Risk Treatments
These could range from technical controls (biometric access) to procedural safeguards (segregation of duties).
- Monitoring and Surveillance
Establish routine and event-based logging. Use models like APART to structure this:
  - Actor
  - Privilege
  - Action
  - Reason
  - Time
- Continuous Improvement
As threats evolve, so should your mitigation strategies. Evaluate effectiveness and adapt accordingly.
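As an added illustration of the Monitoring and Surveillance step (this is example code written for this summary, not material from the forum or its speakers), the script below structures privileged-access events with the five APART fields and flags the gaps a reviewer would look at: records missing a field, privilege used outside business hours, and a data export with no recorded reason. All actor names, actions and timestamps are constructed samples.

```python
import json
from datetime import datetime, timezone

# The five APART fields every privileged-access record should carry.
APART_FIELDS = ("actor", "privilege", "action", "reason", "time")

# Constructed sample events (one JSON object per line), not real log data.
SAMPLE_LOG = """
{"actor": "j.smith", "privilege": "domain-admin", "action": "reset-password", "reason": "CHG-1042", "time": "2024-03-04T10:15:00+00:00"}
{"actor": "j.smith", "privilege": "domain-admin", "action": "export-payroll-db", "reason": "", "time": "2024-03-04T23:40:00+00:00"}
{"actor": "svc-backup", "privilege": "backup-operator", "action": "snapshot", "time": "2024-03-05T02:00:00+00:00"}
{"actor": "badge-0017", "privilege": "exec-floor-door", "action": "badge-in", "reason": "scheduled-clean", "time": "2024-03-05T19:05:00+00:00"}
"""

def parse_events(log_text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def review_event(event, scheduled_actors=(), business_hours=(7, 19)):
    """Return review findings for one event: incomplete APART data,
    after-hours use of privilege (routine scheduled actors are exempt),
    or a data export with no recorded reason."""
    findings = []
    missing = [f for f in APART_FIELDS if not event.get(f)]
    if missing:
        findings.append("missing " + ",".join(missing))
    if event.get("time") and event.get("actor") not in scheduled_actors:
        hour = datetime.fromisoformat(event["time"]).astimezone(timezone.utc).hour
        if not business_hours[0] <= hour < business_hours[1]:
            findings.append("outside business hours")
    if event.get("action", "").startswith("export") and not event.get("reason"):
        findings.append("export without recorded reason")
    return findings

def review_log(log_text, scheduled_actors=()):
    """Return (actor, action, findings) for every event in the log text."""
    return [(e.get("actor"), e.get("action"), review_event(e, scheduled_actors))
            for e in parse_events(log_text)]

if __name__ == "__main__":
    # svc-backup is treated as a routine (scheduled) actor, so 02:00 is expected.
    for actor, action, findings in review_log(SAMPLE_LOG, {"svc-backup"}):
        print(actor, action, findings or "ok")
```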
Culture Is Key
While technology and policies are vital, insider threat mitigation is ultimately a human issue. Disengaged, disillusioned or unsupported employees are far more likely to be involved – intentionally or not – in security incidents. That’s why it’s essential to ask:
- Do employees feel supported and trusted?
- Is there a safe and anonymous way to report concerns?
- Are HR, legal, and cybersecurity teams aligned?
Creating a workplace culture that values wellbeing, transparency, and psychological safety is just as important as any firewall or encryption protocol.
From Theory to Practice
Mitigating insider threats means embedding security into the everyday flow of business operations. It requires a mindset shift – thinking like a criminal – anticipating how access could be misused and putting smart safeguards in place.
As the STN Cyber Forum discussions made clear, insider threat is not just a cybersecurity issue – it’s an enterprise-wide challenge. Tackling it effectively requires shared ownership across the organisation, with HR, legal, IT, and operations all playing a coordinated role. Only with this kind of integrated governance can organisations build the resilience needed to meet today’s complex threat landscape.
Conclusion: Building Safer, Smarter Systems
Insider threats will never be completely eliminated – but with the right mindset, frameworks like APART, and a mature ITMP, organisations can significantly reduce both the likelihood and impact of these risks.
Cybersecurity isn’t just about defending against unknown hackers—it’s about securing the organisation from the inside out. And that starts by recognising that the key to resilience is not just stronger systems, but stronger relationships, better policies, and more informed, engaged people.
