Syndicates exploit insider vulnerabilities in SA

Issue 6 2025 Information Security, Security Services & Risk Management

When you hear ‘insider threat’, what comes to mind? A rogue employee stealing files before quitting? Think bigger. The reality is far more alarming. Today’s insider threats are not lone wolves acting out of spite – they are pawns in the hands of sophisticated, organised criminal networks.

These groups do not just exploit vulnerabilities in your systems; they exploit your people, turning trusted team members into unwitting accomplices or deliberate collaborators in their schemes. Criminal networks are embedding operatives, coercing employees, and using cutting-edge tactics to infiltrate organisations from the inside.

A small number of employees can wreak massive damage

The State of Human Risk Report [1] shows that in 2024, human risk surpassed technology gaps as the biggest cybersecurity challenge. Report findings highlight that 43% of surveyed organisations, including South African companies, have seen an increase in internal threats or data leaks initiated by compromised, careless, or negligent employees in the last 12 months. What is more, 66% of organisations are concerned that data loss from insiders will increase in the next 12 months. The report also shows that a small fraction of employees (8%) contribute disproportionately to security incidents (80% of incidents).

Today’s adversaries are grooming insiders and manipulating access from within. According to threat researchers, criminal ransomware groups like LockBit have attempted to bribe employees to install malware on company networks, often targeting employees in financial distress or those with elevated privileges.

Other attackers use psychological manipulation to compromise insiders without their full awareness. In the 2023 breach of MGM Resorts, members of the Scattered Spider group posed as IT support agents and used social engineering to convince an employee to reset credentials and unknowingly deploy malware. By mimicking trusted help desk procedures, the attackers bypassed technical controls and gained a foothold in the environment.

While the incidence of these threats remains comparatively low for now, South Africa is facing its own rising internal threat: ghost workers, who are costing employers and taxpayers billions each year.

These fictitious employees are generally added to the payroll through deliberate collusion between corrupt staff members and receive salaries without performing any work.

According to the Public Servants Association (PSA), ghost workers are costing the country billions of rands annually [2]. These incidents reflect a growing trend. External actors are no longer focused solely on breaching the perimeter. They are targeting people with access on the inside.

The recruitment playbook

Criminal networks use a variety of tactics to target insiders:

• Emotional manipulation: Social engineering is not just about tricking users into clicking phishing links; it is also about exploiting psychological vulnerabilities to build relationships with potential accomplices.

• Anonymity tools: The Dark Web and encrypted messaging apps allow recruiters and insiders to communicate without fear of detection.

• Financial incentives: In an era of economic uncertainty and wage stagnation, a six-figure payout for just clicking a link can be hard to resist.

• Blackmail and coercion: Stolen personal data is weaponised to threaten employees into compliance.

Unlike traditional phishing campaigns, these efforts are personalised, persistent, and, increasingly, professional, and because they often begin in seemingly legitimate digital spaces, like LinkedIn messages, freelance gig platforms, or job boards, they are harder to spot.

Even organisations with solid security policies can find themselves blindsided. While vetting employees during hiring is necessary, it is not sufficient. People’s circumstances change, and so do their motivations. Traditional tools that flag risky behaviour often miss the slow, calculated actions that mark insider collaboration with organised crime.

Modern strategies to deter new insider threats

Traditional methods will not cut it when faced with criminal networks that manipulate employees or infiltrate organisations. Businesses need to rethink their defences, not just to prevent breaches but to anticipate and counter the complex tactics of modern adversaries. Here is how organisations can take more proactive and effective steps to combat these threats:

1. Shift from reactive to proactive monitoring

Behavioural analytics and user activity monitoring help establish a baseline for ‘normal’ behaviour and identify deviations, such as unusual file access patterns or data exfiltration outside working hours. Catching these anomalies early can stop breaches before they occur.
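The baseline-and-deviation idea above, as an added example that is not part of the original article: each user's transfer volume is compared with that user's own history, and the time of day is checked against working hours. The event fields, the 07:00-19:00 window, the z-score threshold and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WORK_START, WORK_END = 7, 19  # assumed working hours, 07:00-19:00 local time

# Constructed history: (user, ISO timestamp, megabytes copied off the file share)
HISTORY = [
    ("alice", "2025-03-03T09:15:00", 100), ("alice", "2025-03-03T14:02:00", 120),
    ("alice", "2025-03-04T10:30:00", 110), ("alice", "2025-03-04T16:45:00", 90),
    ("alice", "2025-03-05T11:20:00", 105),
    ("bob", "2025-03-03T08:05:00", 500), ("bob", "2025-03-04T09:40:00", 520),
    ("bob", "2025-03-05T13:10:00", 480), ("bob", "2025-03-06T15:55:00", 500),
]
# Constructed new events to score against the baseline
NEW_EVENTS = [
    ("alice", "2025-03-10T10:00:00", 115),  # usual volume, working hours
    ("alice", "2025-03-10T23:40:00", 900),  # large transfer late at night
    ("bob", "2025-03-11T02:00:00", 510),    # odd hour, usual volume
    ("carol", "2025-03-11T12:00:00", 50),   # user with no history
]

def build_baseline(history):
    """Per-user (mean, standard deviation) of megabytes moved per event."""
    per_user = defaultdict(list)
    for user, _ts, mb in history:
        per_user[user].append(mb)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}

def score_events(baseline, events, z_threshold=3.0):
    """Return (user, timestamp, finding) for events that deviate from baseline."""
    findings = []
    for user, ts, mb in events:
        if user not in baseline:
            findings.append((user, ts, "no baseline"))
            continue
        mu, sigma = baseline[user]
        # With zero variance, any volume above the mean counts as a spike.
        z = (mb - mu) / sigma if sigma else float(mb > mu) * z_threshold
        hour = datetime.fromisoformat(ts).hour
        after_hours = not (WORK_START <= hour < WORK_END)
        if z >= z_threshold and after_hours:
            findings.append((user, ts, "after-hours volume spike"))
        elif z >= z_threshold:
            findings.append((user, ts, "volume spike"))
        elif after_hours:
            findings.append((user, ts, "after-hours access"))
    return findings
```

Keeping the two signals separate lets an analyst rank a late-night bulk transfer above a late-night login with ordinary volume, which keeps the alert queue reviewable.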

2. Protect the employees, not just the technology

Security teams need to shift from a purely infrastructure-focused strategy to a human-centric approach. In 2025, relying on one-off employee training leaves organisations exposed and creates dangerous blind spots. Addressing the human layer is now essential, and insider risk management must be core to the approach.

3. Foster a culture of integrity and psychological safety

Employees are less likely to be tempted or coerced into malicious activity when they feel valued and supported. Security is not just a technical issue; it is a cultural one. Create an environment where employees feel empowered to report suspicious activity, including recruitment attempts by external actors, without fear of retaliation. Make doing the right thing easier than doing the wrong thing.

4. Reinforce Zero-Trust principles

No one should have unrestricted access to sensitive systems or data, regardless of their position or seniority. Implement least-privilege access, regularly revalidate permissions, and verify every connection to ensure tight security controls are always in place.

5. Have a dedicated ghost worker strategy

AI-powered monitoring can flag unusual access patterns, detect lateral movement, and automatically block attempts to alter or export sensitive records. By consolidating oversight into central dashboards, security teams can identify repeated high-risk behaviours, such as persistent access to personnel data, without being overwhelmed by manual checks. Integrating tools across payroll, HR, and security systems ensures stronger protection, closing the gaps that criminal networks exploit.
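One way to reconcile payroll, HR and security data for ghost-worker indicators, shown as an added example that is not part of the original article. The record layouts, field names and all sample data are assumptions constructed for illustration; a real deployment would read these from the payroll, HR and access-control systems.

```python
from collections import defaultdict

# Constructed sample data; field names are assumptions for this example.
HR = {
    "E001": {"status": "active"},
    "E002": {"status": "active"},
    "E003": {"status": "terminated"},
    "E004": {"status": "active"},
}
PAYROLL = [  # one row per salary payment in the pay period
    {"emp_id": "E001", "account": "ACC-111"},
    {"emp_id": "E002", "account": "ACC-222"},
    {"emp_id": "E003", "account": "ACC-333"},
    {"emp_id": "E004", "account": "ACC-222"},
    {"emp_id": "E999", "account": "ACC-444"},
]
# Badge swipes plus workstation logons per employee in the same period
ACTIVITY = {"E001": 41, "E002": 38, "E003": 0}

def find_ghost_candidates(payroll, hr, activity):
    """Map each paid employee ID to the indicators that warrant review."""
    reasons = defaultdict(set)
    by_account = defaultdict(set)
    for row in payroll:
        emp = row["emp_id"]
        by_account[row["account"]].add(emp)
        record = hr.get(emp)
        if record is None:
            reasons[emp].add("paid but no HR record")
        elif record["status"] != "active":
            reasons[emp].add("paid after termination")
        if activity.get(emp, 0) == 0:
            reasons[emp].add("no badge or logon activity")
    # Several payees sharing one bank account suggests collusion or a fake entry.
    for emps in by_account.values():
        if len(emps) > 1:
            for emp in emps:
                others = ", ".join(sorted(emps - {emp}))
                reasons[emp].add("bank account shared with " + others)
    return {emp: sorted(r) for emp, r in sorted(reasons.items())}
```

Each indicator is a prompt for human review, not proof: remote staff may have no badge activity, and spouses can legitimately share a bank account.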

Risk needs a rethink

It is clear that the insider threat has evolved. So must our defences. Criminal networks are adapting quickly, and they are betting that companies will not keep pace. Let us prove them wrong, not by treating employees as potential threats, but by making them our strongest line of defence.

[1] https://tinyurl.com/42p83rv4

[2] https://tinyurl.com/yn9kb3xu








© Technews Publishing (Pty) Ltd. | All Rights Reserved.