Syndicates exploit insider vulnerabilities in SA

Issue 6 2025 Information Security, Security Services & Risk Management

When you hear ‘insider threat’, what comes to mind? A rogue employee stealing files before quitting? Think bigger. The reality is far more alarming. Today’s insider threats are not lone wolves acting out of spite – they are pawns in the hands of sophisticated, organised criminal networks.

These groups do not just exploit vulnerabilities in your systems; they exploit your people, turning trusted team members into unwitting accomplices or deliberate collaborators in their schemes. Criminal networks are embedding operatives, coercing employees, and using cutting-edge tactics to infiltrate organisations from the inside.

A small number of employees can wreak massive damage

The State of Human Risk Report [1] shows that in 2024, human risk surpassed technology gaps as the biggest cybersecurity challenge. Report findings highlight that 43% of surveyed organisations, including South African companies, have seen an increase in internal threats or data leaks initiated by compromised, careless, or negligent employees in the last 12 months. What is more, 66% of organisations are concerned that data loss from insiders will increase in the next 12 months. The report also shows that a small fraction of employees (8%) contribute disproportionately to security incidents (80% of incidents).

Today’s adversaries are grooming insiders and manipulating access from within. According to threat researchers, criminal ransomware groups like LockBit have attempted to bribe employees to install malware on company networks, often targeting employees in financial distress or those with elevated privileges.

Other attackers use psychological manipulation to compromise insiders without their full awareness. In the 2023 breach of MGM Resorts, members of the Scattered Spider group posed as IT support agents and used social engineering to convince an employee to reset credentials and unknowingly deploy malware. By mimicking trusted help desk procedures, the attackers bypassed technical controls and gained a foothold in the environment.

While the incidence of these threats remains comparatively low for now, South Africa is facing its own rising internal threat: ghost workers, who are costing employers and taxpayers billions each year.

These fictitious employees are generally added to the payroll through deliberate collusion between corrupt staff members and receive salaries without performing any work.

According to the Public Servants Association (PSA), ghost workers are costing the country billions of rands annually [2]. These incidents reflect a growing trend. External actors are no longer focused solely on breaching the perimeter. They are targeting people with access on the inside.

The recruitment playbook

Criminal networks use a variety of tactics to target insiders:

• Emotional manipulation: Social engineering is not just about tricking users into clicking phishing links; it is also about exploiting psychological vulnerabilities to build relationships with potential accomplices.

• Anonymity tools: The Dark Web and encrypted messaging apps allow recruiters and insiders to communicate without fear of detection.

• Financial incentives: In an era of economic uncertainty and wage stagnation, a six-figure payout for just clicking a link can be hard to resist.

• Blackmail and coercion: Stolen personal data is weaponised to threaten employees into compliance.

Unlike traditional phishing campaigns, these efforts are personalised, persistent and increasingly professional. Because they often begin in seemingly legitimate digital spaces, such as LinkedIn messages, freelance gig platforms, or job boards, they are harder to spot.

Even organisations with solid security policies can find themselves blindsided. While vetting employees during hiring is necessary, it is not sufficient. People’s circumstances change, and so do their motivations. Traditional tools that flag risky behaviour often miss the slow, calculated actions that mark insider collaboration with organised crime.

Modern strategies to deter new insider threats

Traditional methods will not cut it when faced with criminal networks that manipulate employees or infiltrate organisations. Businesses need to rethink their defences, not just to prevent breaches but to anticipate and counter the complex tactics of modern adversaries. Here is how organisations can take more proactive and effective steps to combat these threats:

1. Shift from reactive to proactive monitoring

Behavioural analytics and user activity monitoring help establish a baseline for ‘normal’ behaviour and identify deviations, such as unusual file access patterns or data exfiltration outside working hours. Catching these anomalies early can stop breaches before they occur.
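As an added illustration of the baseline-and-deviation approach described above (example code written for this page, not from the article or any vendor product), the script below builds a per-user baseline of daily file-read volume from a training window of constructed audit records, then flags recent days whose volume exceeds the baseline by more than three standard deviations or that contain off-hours access. The working-hours window, the sigma threshold and the sample records are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WORK_START, WORK_END = 7, 19   # assumed local working hours (07:00 to 19:00)
SIGMA = 3.0                     # a day is anomalous above mean + 3 std devs

# Constructed sample audit records (user, ISO timestamp, bytes read); not real data.
BASELINE = [
    ("alice", f"2025-03-{d:02d}T{h:02d}:15:00", 2_000_000)
    for d in range(3, 8) for h in (9, 11, 14)   # five ordinary weekdays
]
RECENT = [
    ("alice", "2025-03-10T10:05:00", 2_100_000),   # ordinary daytime read
    ("alice", "2025-03-10T23:40:00", 40_000_000),  # bulk reads near midnight
    ("alice", "2025-03-10T23:52:00", 38_000_000),
    ("bob",   "2025-03-10T15:30:00", 1_000_000),   # user with no baseline yet
]

def daily_totals(records):
    """Map (user, date) -> [total_bytes, off_hours_event_count]."""
    totals = defaultdict(lambda: [0, 0])
    for user, ts, nbytes in records:
        t = datetime.fromisoformat(ts)
        key = (user, t.date())
        totals[key][0] += nbytes
        if not WORK_START <= t.hour < WORK_END or t.weekday() >= 5:
            totals[key][1] += 1
    return totals

def build_baseline(records):
    """Per-user (mean, std dev) of daily bytes over the training window."""
    per_user = defaultdict(list)
    for (user, _), (nbytes, _) in daily_totals(records).items():
        per_user[user].append(nbytes)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}

def find_anomalies(baseline, recent):
    """Return (user, date, reason) tuples for days that deviate from baseline."""
    hits = []
    for (user, day), (nbytes, off_hours) in sorted(daily_totals(recent).items()):
        if user not in baseline:
            hits.append((user, day, "no baseline; review manually"))
            continue
        mu, sd = baseline[user]
        if nbytes > mu + SIGMA * max(sd, 0.05 * mu):   # floor so sd == 0 still works
            hits.append((user, day, f"volume {nbytes} vs baseline mean {mu:.0f}"))
        if off_hours:
            hits.append((user, day, f"{off_hours} off-hours accesses"))
    return hits

if __name__ == "__main__":
    for hit in find_anomalies(build_baseline(BASELINE), RECENT):
        print(hit)
```

In practice the baseline window would be refreshed on a rolling basis and the findings routed to an analyst queue rather than printed.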

2. Protect the employees, not just the technology

Security teams need to shift from a purely infrastructure-focused strategy to a human-centric approach. In 2025, relying on one-off employee training leaves organisations exposed and creates dangerous blind spots. Addressing the human layer is now essential, and insider risk management must be core to the approach.

3. Foster a culture of integrity and psychological safety

Employees are less likely to be tempted or coerced into malicious activity when they feel valued and supported. Security is not just a technical issue; it is a cultural one. Create an environment where employees feel empowered to report suspicious activity, including recruitment attempts by external actors, without fear of retaliation. Make doing the right thing easier than doing the wrong thing.

4. Reinforce Zero-Trust principles

No one should have unrestricted access to sensitive systems or data, regardless of their position or seniority. Enforce least-privilege access, revalidate permissions regularly, and verify every connection so that tight security controls are always in place.

5. Have a dedicated ghost worker strategy

AI-powered monitoring can flag unusual access patterns, detect lateral movement, and automatically block attempts to alter or export sensitive records. By consolidating oversight into central dashboards, security teams can identify repeated high-risk behaviours, such as persistent access to personnel data, without being overwhelmed by manual checks. Integrating tools across payroll, HR, and security systems ensures stronger protection, closing the gaps that criminal networks exploit.
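As an added example of the payroll, HR and security-system integration described above (example code written for this page, not from the article or any product), the script below reconciles a payroll extract against the HR master record and the latest login or badge event per employee, and flags anyone who is paid without an active HR record, without recent activity, or who shares a bank account with another payroll entry, a common audit indicator of a fictitious employee. The data sets, field names and the 60-day inactivity threshold are constructed assumptions.

```python
from datetime import date

AS_OF = date(2025, 3, 31)
INACTIVITY_DAYS = 60   # assumed: paid staff with no activity for longer are reviewed

# Constructed sample extracts; not real data.
PAYROLL = [  # (employee_id, bank_account) rows from the payroll run
    ("E100", "ZA-001"), ("E101", "ZA-002"), ("E102", "ZA-003"),
    ("E103", "ZA-002"), ("E104", "ZA-004"),
]
HR = {       # employee_id -> status in the HR master record
    "E100": "active", "E101": "active", "E102": "terminated", "E104": "active",
}
LAST_ACTIVITY = {   # employee_id -> latest login or badge event seen by security systems
    "E100": date(2025, 3, 28), "E101": date(2025, 3, 30), "E104": date(2024, 11, 2),
}

def reconcile(payroll, hr, last_activity, as_of=AS_OF):
    """Return {employee_id: [reasons]} for payroll entries failing the cross-checks."""
    findings = {}

    def flag(eid, reason):
        findings.setdefault(eid, []).append(reason)

    by_account = {}
    for eid, account in payroll:
        by_account.setdefault(account, []).append(eid)
        status = hr.get(eid)
        if status is None:
            flag(eid, "paid but absent from HR master")
        elif status != "active":
            flag(eid, f"paid but HR status is {status}")
        seen = last_activity.get(eid)
        if seen is None:
            flag(eid, "paid but no login or badge activity on record")
        elif (as_of - seen).days > INACTIVITY_DAYS:
            flag(eid, f"paid but last activity {seen.isoformat()}")
    # Two payroll identities paid into one account is a classic ghost-worker pattern.
    for account, ids in by_account.items():
        if len(ids) > 1:
            for eid in ids:
                others = sorted(set(ids) - {eid})
                flag(eid, f"bank account {account} shared with {others}")
    return findings

if __name__ == "__main__":
    for eid, reasons in sorted(reconcile(PAYROLL, HR, LAST_ACTIVITY).items()):
        print(eid, reasons)
```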

Risk needs a rethink

It is clear: the insider threat has evolved, and so must our defences. Criminal networks are adapting quickly, and they are betting that companies will not keep pace. Let us prove them wrong, not by treating employees as potential threats, but by making them our strongest line of defence.

[1] https://tinyurl.com/42p83rv4

[2] https://tinyurl.com/yn9kb3xu

© Technews Publishing (Pty) Ltd. | All Rights Reserved.