The insider threat: From human vulnerability to strategic risk
Insider threats have evolved from isolated employee misconduct into a preferred, high-efficiency vector for nation-state espionage and organised crime, costing organisations millions while bypassing billion-dollar external defences.
Key takeaways
- In 2025, threat actors advertised or recruited insiders in over 91,000 observed instances globally, making internal compromise far cheaper and more effective than exploiting technical vulnerabilities.
- Australian organisations faced escalating cybercrime costs, with large enterprises seeing average incident expenses surge 219% to $202,700 in the 2024-25 reporting period, amid heightened geopolitical tensions driving state-sponsored pre-positioning attacks.
- Human vulnerabilities, amplified by AI tools like deepfakes and shadow AI use by overstressed employees, create non-obvious blended risks that traditional perimeter security misses, turning insiders into unwitting or deliberate strategic liabilities.
The Rising Insider Imperative
As external cyber defences have hardened—through widespread adoption of multi-factor authentication, endpoint detection, and zero-trust architectures—adversaries have pivoted to the soft underbelly of organisations: people. Recent analyses show insiders now rank as a top concern, with 32% of global cybersecurity leaders in the World Economic Forum's 2026 outlook noting an increase in insider threats over the past year.
The shift is driven by efficiency. Recruiting or compromising an internal actor allows threat actors to sidestep multi-million-dollar security stacks. Flashpoint recorded 91,321 instances of insider recruiting, advertising, and related illicit discussions in 2025 alone, underscoring how ransomware groups and initial-access brokers increasingly rely on human insiders for direct system access.
In Australia, the broader cyber threat environment has intensified. The Australian Cyber Security Centre's 2024-25 Annual Cyber Threat Report highlighted espionage enabled by technological advancements costing the nation $12.5 billion in FY23-24, with cybercrime costs rising sharply—large organisations hit hardest at an average $202,700 per incident, up 219%. Geopolitical flashpoints in the Indo-Pacific, Ukraine, and the Middle East have heightened risks of state-based actors pre-positioning for disruptive attacks on critical infrastructure.
Recent incidents illustrate the stakes. While specific insider-driven breaches are often underreported due to their sensitive nature, global patterns show malicious insiders facilitating data exfiltration, fraud, and ransomware deployment. In Australia, the Notifiable Data Breaches scheme recorded ongoing high volumes of notifications, with malicious or criminal attacks dominating (59% in early 2025), though human error—now at 37% of breaches—signals growing internal vulnerabilities.
Non-obvious angles complicate the picture. Many insider risks stem not from malice but from overworked employees turning to unauthorised 'shadow AI' tools for productivity, inadvertently creating new leak paths. Deepfake technology, now democratised, enables sophisticated social engineering that exploits trust in video calls or voice interactions, leading to multimillion-dollar fraudulent transfers. Tensions arise between productivity demands and security controls: stricter monitoring risks alienating staff and stifling innovation, while lax oversight invites exploitation.
Regulatory pressure adds urgency. Australia's privacy regime, enforced by the Office of the Australian Information Commissioner, mandates swift breach assessments and notifications, with penalties reaching tens of millions for serious failures. Globally, frameworks like the EU's NIS2 and US SEC disclosure rules impose similar accountability, forcing boards to treat insider risk as a governance issue rather than an IT problem.
The convergence of AI amplification, economic pressures from layoffs or remote work, and organised recruitment on dark-web forums creates a perfect storm. Organisations that view insiders solely through a compliance lens miss the strategic dimension: in a fractured geopolitical landscape, human vulnerability has become a national-security-adjacent risk.
Sources
- https://flashpoint.io/blog/insider-threats-2025-intelligence-2026-strategy
- https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf
- https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025
- https://www.interactive.com.au/insights/2025-in-cyber-the-threats-that-changed-the-landscape-and-how-to-stop-them-in-2026
- https://www.cyber.gov.au/business-government/protecting-business-leaders/cyber-security-for-business-leaders/cyber-security-priorities-for-boards-of-directors-2025-26
- https://itwire.com/business-it-news/data/the-overlooked-risk-fuelling-australia%E2%80%99s-new-wave-of-insider-threats.html