Syndicates exploit insider vulnerabilities in SA

Issue 6 2025 Information Security, Security Services & Risk Management

When you hear ‘insider threat’, what comes to mind? A rogue employee stealing files before quitting? Think bigger. The reality is far more alarming. Today’s insider threats are not lone wolves acting out of spite – they are pawns in the hands of sophisticated, organised criminal networks.

These groups do not just exploit vulnerabilities in your systems; they exploit your people, turning trusted team members into unwitting accomplices or deliberate collaborators in their schemes. Criminal networks are embedding operatives, coercing employees, and using cutting-edge tactics to infiltrate organisations from the inside.

A small number of employees can wreak massive damage

The State of Human Risk Report [1] shows that in 2024, human risk surpassed technology gaps as the biggest cybersecurity challenge. Report findings highlight that 43% of surveyed organisations, including South African companies, have seen an increase in internal threats or data leaks initiated by compromised, careless, or negligent employees in the last 12 months. What is more, 66% of organisations are concerned that data loss from insiders will increase in the next 12 months. The report also shows that a small fraction of employees (8%) account for a disproportionate share (80%) of security incidents.

Today’s adversaries are grooming insiders and manipulating access from within. According to threat researchers, criminal ransomware groups like LockBit have attempted to bribe employees to install malware on company networks, often targeting employees in financial distress or those with elevated privileges.

Other attackers use psychological manipulation to compromise insiders without their full awareness. In the 2023 breach of MGM Resorts, members of the Scattered Spider group posed as IT support agents and used social engineering to convince an employee to reset credentials and unknowingly deploy malware. By mimicking trusted help desk procedures, the attackers bypassed technical controls and gained a foothold in the environment.

While the incidence of these threats remains comparatively low for now, South Africa is facing its own rising internal threat: ghost workers, who are costing employers and taxpayers billions each year.

These fictitious employees are generally added to the payroll through deliberate collusion between corrupt staff members and receive salaries without performing any work.

According to the Public Servants Association (PSA), ghost workers are costing the country billions of rands annually [2]. These incidents reflect a growing trend. External actors are no longer focused solely on breaching the perimeter. They are targeting people with access on the inside.

The recruitment playbook

Criminal networks use a variety of tactics to target insiders:

• Emotional manipulation: Social engineering is not just about tricking users into clicking phishing links; it is also about exploiting psychological vulnerabilities to build relationships with potential accomplices.

• Anonymity tools: The Dark Web and encrypted messaging apps allow recruiters and insiders to communicate without fear of detection.

• Financial incentives: In an era of economic uncertainty and wage stagnation, a six-figure payout for just clicking a link can be hard to resist.

• Blackmail and coercion: Stolen personal data is weaponised to threaten employees into compliance.

Unlike traditional phishing campaigns, these efforts are personalised, persistent and increasingly professional. Because they often begin in seemingly legitimate digital spaces, such as LinkedIn messages, freelance gig platforms, or job boards, they are harder to spot.

Even organisations with solid security policies can find themselves blindsided. While vetting employees during hiring is necessary, it is not sufficient. People’s circumstances change, and so do their motivations. Traditional tools that flag risky behaviour often miss the slow, calculated actions that mark insider collaboration with organised crime.

Modern strategies to deter new insider threats

Traditional methods will not cut it when faced with criminal networks that manipulate employees or infiltrate organisations. Businesses need to rethink their defences, not just to prevent breaches but to anticipate and counter the complex tactics of modern adversaries. Here is how organisations can take more proactive and effective steps to combat these threats:

1. Shift from reactive to proactive monitoring

Behavioural analytics and user activity monitoring help establish a baseline for ‘normal’ behaviour and identify deviations, such as unusual file access patterns or data exfiltration outside working hours. Catching these anomalies early can stop breaches before they occur.
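The baseline-and-deviation approach described above, as an added example that is not part of the original article or of any particular product: a training window of constructed file-access log lines establishes, per user, the hours in which they are normally active and the number of accesses they make per hour bucket; a later review window is then scored for volume well above that norm and for any activity outside those hours. Log format, user names and paths are all assumptions; real user-behaviour analytics tools use richer models than a single count threshold, but the structure of the check is the same.

```python
"""Behavioural baseline for file access: added example with constructed log data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access-log lines (not real data): "timestamp user action object bytes".
BASELINE_LOG = """\
2025-03-03T09:12:00 alice read /finance/q1.xlsx 20480
2025-03-03T10:40:00 alice read /finance/budget.docx 10240
2025-03-03T14:05:00 alice read /finance/q1.xlsx 20480
2025-03-04T09:30:00 alice read /finance/forecast.xlsx 30720
2025-03-04T15:10:00 alice write /finance/budget.docx 10240
2025-03-05T11:00:00 alice read /finance/q1.xlsx 20480
2025-03-03T08:55:00 bob read /hr/roster.csv 5120
2025-03-04T09:05:00 bob read /hr/roster.csv 5120
2025-03-05T09:15:00 bob read /hr/roster.csv 5120
"""

# Constructed review window: a late-night burst of reads by alice.
REVIEW_LOG = """\
2025-03-10T10:00:00 alice read /finance/q1.xlsx 20480
2025-03-10T23:15:00 alice read /finance/q1.xlsx 20480
2025-03-10T23:16:00 alice read /finance/forecast.xlsx 30720
2025-03-10T23:17:00 alice read /finance/budget.docx 10240
2025-03-10T23:18:00 alice read /finance/payroll.xlsx 40960
2025-03-10T23:19:00 alice read /finance/vendors.xlsx 15360
2025-03-10T23:20:00 alice read /finance/contracts.zip 512000
2025-03-11T09:10:00 bob read /hr/roster.csv 5120
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, obj, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "bytes": int(size)})
    return events


def build_baseline(events):
    """Per user: observed working-hour range and a volume threshold per hour bucket."""
    buckets = defaultdict(lambda: defaultdict(int))
    for e in events:
        buckets[e["user"]][(e["ts"].date(), e["ts"].hour)] += 1
    baseline = {}
    for user, counts in buckets.items():
        hours = [hour for (_, hour) in counts]
        vals = list(counts.values())
        mu, sigma = mean(vals), pstdev(vals)
        # Guard against a zero-variance baseline: never alert below 3x the mean.
        baseline[user] = {"first_hour": min(hours), "last_hour": max(hours),
                          "threshold": max(mu + 3 * sigma, 3 * mu)}
    return baseline


def score(events, baseline):
    """Flag hour buckets that are off-hours, over volume, or from an unbaselined user."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["user"], e["ts"].date(), e["ts"].hour)].append(e)
    findings = []
    for (user, day, hour), evs in sorted(buckets.items()):
        base = baseline.get(user)
        reasons = []
        if base is None:
            reasons.append("no baseline for user")
        else:
            if not base["first_hour"] <= hour <= base["last_hour"]:
                reasons.append("outside observed working hours")
            if len(evs) > base["threshold"]:
                reasons.append(f"{len(evs)} accesses vs threshold {base['threshold']:.1f}")
        if reasons:
            findings.append({"user": user, "window": f"{day}T{hour:02d}:00",
                             "events": len(evs),
                             "bytes": sum(e["bytes"] for e in evs),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in score(parse_log(REVIEW_LOG), build_baseline(parse_log(BASELINE_LOG))):
        print(finding)
```

On the constructed data only one window is raised: alice's 23:00 bucket on 10 March, which is both outside her observed 09:00 to 15:00 range and six times her usual per-hour volume, with the total bytes read reported so an analyst can judge whether it looks like bulk collection.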

2. Protect the employees, not just the technology

Security teams need to shift from a purely infrastructure-focused strategy to a human-centric approach. In 2025, relying on one-off employee training leaves organisations exposed and creates dangerous blind spots. Addressing the human layer is now essential, and insider risk management must be core to the approach.

3. Foster a culture of integrity and psychological safety

Employees are less likely to be tempted or coerced into malicious activity when they feel valued and supported. Security is not just a technical issue; it is a cultural one. Create an environment where employees feel empowered to report suspicious activity, including recruitment attempts by external actors, without fear of retaliation. Make doing the right thing easier than doing the wrong thing.

4. Reinforce Zero-Trust principles

No one should have unrestricted access to sensitive systems or data, regardless of their position or seniority. Enforce least privilege access, revalidate permissions regularly, and verify every connection so that tight security controls are always in place.
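One way to turn "revalidate permissions" into a repeatable review, as an added example that is not from the article: each account's granted permissions are compared with its role template and with the date each permission was last exercised in the audit logs, and every grant that sits outside the template, has never been used, or has been idle beyond a cutoff is written to a review list. Role names, permission strings, users and dates are constructed for the example.

```python
"""Least-privilege revalidation: added example with constructed entitlement data."""
from datetime import date, timedelta

REVIEW_DATE = date(2025, 6, 15)  # constructed date of the access review

# Constructed role templates (hypothetical permission names).
ROLE_TEMPLATES = {
    "finance_analyst": {"finance:read", "reports:read"},
    "hr_admin": {"hr:read", "hr:write", "payroll:read"},
}

# Constructed entitlement export: what each account actually holds today.
ENTITLEMENTS = [
    {"user": "alice", "role": "finance_analyst",
     "perms": {"finance:read", "reports:read", "payroll:write"}},
    {"user": "bob", "role": "hr_admin",
     "perms": {"hr:read", "hr:write", "payroll:read"}},
    {"user": "carol", "role": "finance_analyst", "perms": {"finance:read"}},
]

# Constructed last-use dates derived from audit logs; a missing key means never used.
LAST_USED = {
    ("alice", "finance:read"): date(2025, 6, 1),
    ("alice", "reports:read"): date(2025, 1, 10),
    ("alice", "payroll:write"): date(2025, 6, 2),
    ("bob", "hr:read"): date(2025, 6, 1),
    ("bob", "hr:write"): date(2025, 6, 1),
    ("carol", "finance:read"): date(2025, 5, 30),
}


def review_entitlements(entitlements, templates, last_used, today, max_idle_days=90):
    """Return one finding per grant that fails the least-privilege checks."""
    idle_cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for ent in entitlements:
        allowed = templates.get(ent["role"], set())
        for perm in sorted(ent["perms"]):
            reasons, action = [], None
            if perm not in allowed:
                reasons.append("outside role template")
                action = "revoke"  # excess grant: remove unless an approved exception exists
            used = last_used.get((ent["user"], perm))
            if used is None:
                reasons.append("never used")
            elif used < idle_cutoff:
                reasons.append(f"idle since {used.isoformat()}")
            if reasons:
                findings.append({"user": ent["user"], "perm": perm,
                                 "action": action or "revalidate with owner",
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_entitlements(ENTITLEMENTS, ROLE_TEMPLATES, LAST_USED, REVIEW_DATE):
        print(finding)
```

Run on the constructed data it produces three findings: alice's payroll:write grant is outside her role template and queued for revocation, her reports:read grant has been idle for five months, and bob's payroll:read has never been used. Seniority plays no part in the checks, which is the point of the passage above.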

5. Have a dedicated ghost worker strategy

AI-powered monitoring can flag unusual access patterns, detect lateral movement, and automatically block attempts to alter or export sensitive records. By consolidating oversight into central dashboards, security teams can identify repeated high-risk behaviours, such as persistent access to personnel data, without being overwhelmed by manual checks. Integrating tools across payroll, HR, and security systems ensures stronger protection, closing the gaps that criminal networks exploit.
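The payroll, HR and security-system integration this section calls for, as an added example that is not part of the article and is not any vendor's product: a pay run is reconciled against the HR roster, against badge and VPN activity in the pay period, and against bank accounts shared between payees; separately, the payroll master-data audit trail is scanned for actors who repeatedly change records, the "persistent access to personnel data" signal mentioned above. Employee ids, account labels, actors and dates are all constructed.

```python
"""Ghost-worker reconciliation: added example with constructed payroll, HR and audit data."""
from collections import Counter, defaultdict
from datetime import date

PERIOD_START, PERIOD_END = date(2025, 5, 1), date(2025, 5, 31)  # constructed pay period

# Constructed pay-run records (hypothetical employee ids and account labels).
PAYROLL = [
    {"emp_id": "E100", "bank_acct": "ACC-1", "amount": 32000},
    {"emp_id": "E101", "bank_acct": "ACC-2", "amount": 28000},
    {"emp_id": "E102", "bank_acct": "ACC-1", "amount": 30000},
    {"emp_id": "E999", "bank_acct": "ACC-9", "amount": 45000},
]
# Constructed HR roster: employment status per id (E999 is absent).
HR_ROSTER = {"E100": "active", "E101": "active", "E102": "terminated"}
# Constructed activity events from badge and VPN systems: (emp_id, date, source).
ACTIVITY = [
    ("E100", date(2025, 5, 6), "badge"), ("E100", date(2025, 5, 20), "vpn"),
    ("E101", date(2025, 5, 7), "badge"), ("E101", date(2025, 5, 21), "badge"),
]
# Constructed payroll master-data audit trail: (actor, date, action, target_emp_id).
MASTER_DATA_AUDIT = [
    ("hr_clerk1", date(2025, 5, 2), "create", "E999"),
    ("hr_clerk1", date(2025, 5, 2), "update_bank", "E102"),
    ("hr_clerk1", date(2025, 5, 25), "update_bank", "E999"),
    ("hr_clerk2", date(2025, 5, 10), "read", "E100"),
]


def reconcile_payroll(payroll, roster, activity, period_start, period_end):
    """Return payees whose pay-run record conflicts with HR or activity data."""
    seen = {emp for emp, day, _ in activity if period_start <= day <= period_end}
    acct_owners = defaultdict(set)
    for rec in payroll:
        acct_owners[rec["bank_acct"]].add(rec["emp_id"])
    findings = []
    for rec in payroll:
        emp, reasons = rec["emp_id"], []
        status = roster.get(emp)
        if status is None:
            reasons.append("not on HR roster")
        elif status != "active":
            reasons.append(f"HR status is {status}")
        if emp not in seen:
            reasons.append("no badge or VPN activity in pay period")
        others = acct_owners[rec["bank_acct"]] - {emp}
        if others:
            reasons.append("bank account shared with " + ", ".join(sorted(others)))
        if reasons:
            findings.append({"emp_id": emp, "amount": rec["amount"], "reasons": reasons})
    return findings


def repeated_master_data_changes(audit, min_changes=2):
    """Actors who changed payroll master data at least min_changes times in the trail."""
    changes = Counter(actor for actor, _, action, _ in audit if action != "read")
    return {actor: n for actor, n in changes.items() if n >= min_changes}


if __name__ == "__main__":
    for finding in reconcile_payroll(PAYROLL, HR_ROSTER, ACTIVITY, PERIOD_START, PERIOD_END):
        print(finding)
    print(repeated_master_data_changes(MASTER_DATA_AUDIT))
```

On the constructed data E999 is flagged as absent from HR with no activity, E102 as terminated, inactive and paid into an account shared with E100, and E100 only for the shared account; that last finding is deliberate, since both sides of a shared account need review. The audit scan separately surfaces hr_clerk1, who created E999 and later changed bank details on both suspicious records.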

Risk needs a rethink

It is clear that the insider threat has evolved, and so must our defences. Criminal networks are adapting quickly, and they are betting that companies will not keep pace. Let us prove them wrong, not by treating employees as potential threats, but by making them our strongest line of defence.

[1] https://tinyurl.com/42p83rv4

[2] https://tinyurl.com/yn9kb3xu




While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.