14 Oct 2022
by Adrian Rowley

Understanding the risk of the malicious insider in the ransomware era (Guest blog by Gigamon)

Guest blog by Adrian Rowley, Senior Director at Gigamon #Cyber2022

The UK was recently reported to have suffered the third highest number of ransomware attacks between January 2020 and July 2022, surpassed only by the US and Canada. As the threat from this form of malware continues to rise globally, security teams need to look both outward and inward to identify their weak spots. The insider threat in particular is often underestimated: phishing emails, which only succeed when an employee acts on them, were recently found to be the top source of ransomware attacks over the last 12 months.

The threat posed by an organisation's own employees cannot be overlooked. Although it can be accidental (mistakenly clicking a dangerous link in a phishing email, for example), the risk generated by internal teams is becoming increasingly malicious.

The ‘malicious insider’: What and why

Gigamon research has found that 95% of security professionals have experienced a ransomware attack in the past year, and that 1 in 3 organisations across the globe see the 'malicious insider' as the root cause. Only 6% fewer respondents cited this risk than cited the 'accidental' insider as a central threat. It is therefore clear that the insider threat can be more malicious than previously thought.

This threat can encompass anything from a disgruntled employee stealing sensitive data when leaving their company to ransomware groups buying user credentials from internal staff, which we have seen most notably from the prolific Lapsus$ extortion group. Researchers have observed multiple recruitment attempts via its Telegram group, including requests for network access via VPNs, Citrix and AnyDesk at telcos, software and gaming companies, server hosters, and call centre/business process management providers.

The role of deep observability

There is undoubtedly a need for greater visibility into network-layer activity to improve detection and response and therefore mitigate insider and ransomware risk. In practice, threat actors regularly breach the perimeter and use stolen credentials to masquerade as legitimate users. To catch them in the act, more attention should go to east-west traffic, which is where ransomware actors attempt lateral movement. IT infrastructure and access management should also be set up to reduce lateral movement opportunities. In other words, trust should never be granted freely, and one compromised set of credentials should not be enough to breach a whole organisation.
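The paragraph above argues for watching east-west traffic for the fan-out pattern that lateral movement produces. The following is an added example, not code from the original post or from Gigamon: a small detector that reads constructed internal flow records (timestamp, source IP, user, destination IP, destination port) and raises an alert when one source/credential pair reaches several distinct internal hosts on remote-administration ports inside a short window. The record format, the port list, the window and the threshold are all assumptions chosen for illustration.

```python
"""Lateral-movement fan-out detector over east-west flow records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports typically used for remote administration; an actor with stolen
# credentials reaches for these when moving laterally. Assumed list.
ADMIN_PORTS = {22: "SSH", 135: "MS-RPC", 445: "SMB", 3389: "RDP",
               5985: "WinRM", 5986: "WinRM/TLS"}

# RFC 1918 ranges decide what counts as east-west (internal to internal).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flows (not real data):
# "<ISO timestamp> <src_ip> <user> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """
2022-10-14T09:00:05 10.0.1.10 alice 10.0.5.20 445
2022-10-14T09:02:11 10.0.1.10 alice 10.0.5.20 445
2022-10-14T09:03:40 10.0.1.20 bob 10.0.2.1 445
2022-10-14T09:04:02 10.0.1.20 bob 10.0.2.2 445
2022-10-14T09:10:00 10.0.1.55 svc_backup 10.0.2.1 445
2022-10-14T09:10:31 10.0.1.55 svc_backup 10.0.2.2 445
2022-10-14T09:11:07 10.0.1.55 svc_backup 10.0.2.3 3389
2022-10-14T09:12:48 10.0.1.55 svc_backup 203.0.113.5 443
2022-10-14T09:13:15 10.0.1.55 svc_backup 10.0.2.4 5985
2022-10-14T09:40:00 10.0.1.55 svc_backup 10.0.2.9 445
""".strip().splitlines()


def is_internal(ip: str) -> bool:
    """True when the address falls in one of the assumed internal ranges."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one whitespace-separated flow record into a dict."""
    ts, src, user, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "user": user,
            "dst": dst, "port": int(port)}


def detect_fanout(lines, window=timedelta(minutes=10), threshold=3):
    """Return one alert per (src, user) that touches >= threshold distinct
    internal hosts on admin ports within any `window`-long span.

    Only east-west flows are considered: internal source, internal
    destination, admin port, and not the host talking to itself.
    """
    flows = sorted((parse_flow(l) for l in lines if l.strip()),
                   key=lambda f: f["ts"])
    east_west = [f for f in flows
                 if is_internal(f["src"]) and is_internal(f["dst"])
                 and f["src"] != f["dst"] and f["port"] in ADMIN_PORTS]

    by_actor = defaultdict(list)          # (src_ip, user) -> flows in time order
    for f in east_west:
        by_actor[(f["src"], f["user"])].append(f)

    alerts = []
    for (src, user), fs in by_actor.items():
        # Sliding window anchored at each flow: count distinct destinations
        # seen from this anchor until the window closes.
        for i, anchor in enumerate(fs):
            end = anchor["ts"] + window
            in_window = [g for g in fs[i:] if g["ts"] <= end]
            hosts = sorted({g["dst"] for g in in_window})
            if len(hosts) >= threshold:
                alerts.append({
                    "src": src, "user": user,
                    "first_seen": anchor["ts"].isoformat(),
                    "hosts": hosts,
                    "services": sorted({ADMIN_PORTS[g["port"]] for g in in_window}),
                })
                break                     # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_FLOWS):
        print(f"ALERT {a['user']}@{a['src']} reached {len(a['hosts'])} hosts "
              f"({', '.join(a['services'])}) from {a['first_seen']}: {a['hosts']}")
```

On the sample data, alice's repeated SMB access to one file server and bob's two hosts stay below the threshold, the outbound 203.0.113.5:443 flow is ignored because it is not east-west, and only the svc_backup account fanning out to four hosts over SMB, RDP and WinRM in three minutes is raised. The same records feed the least-privilege side of the argument: a backup service account that can reach four hosts over RDP and WinRM holds more access than the task needs, which is exactly the blast radius a Zero Trust design should have removed.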

According to our research, 80% of IT and security leaders agree that access to raw packet data unlocks deep insight and strengthens security posture. Of the CISOs/CIOs who view malicious insiders as a threat, 66% said Zero Trust and deep observability are key to mitigating the risk. Deep observability is a key element of Zero Trust: it gives teams visibility into every part of the IT infrastructure, which is what makes it possible to decide which permissions each account and device should actually hold. It also amplifies metric, event, log and trace (MELT) based monitoring to assure security and compliance across cloud and on-premises applications.

As more organisations operate in a hybrid IT estate, split between the core and the cloud, there will inevitably be blind spots. Security teams need to do everything they can to achieve total visibility in order to spot behavioural anomalies and catch threat actors before it is too late. The risk of ransomware will continue to grow unless we are proactive about prioritising deep observability in the fight against the malicious insider threat.

Help to shape and govern the work of techUK’s Cyber Security Programme

Did you know that nominations are now open* for techUK's Cyber Management Committee? We're looking for senior representatives from cyber security companies across the UK to help lead the work of our Cyber Security Programme over the next two years. Find out more and how to nominate yourself or a colleague here.

*Deadline to submit nomination forms is 17:00 on Tuesday 18 October.

Upcoming events 

Cyber Innovation Den

On Thursday 3 November, techUK will host our fourth annual Cyber Innovation Den online. This year we'll explore efforts being made to realise the ambition set out in the National Cyber Strategy, with speakers taking a look at the progress we've seen to date, including the foundation of the UK Cyber Security Council, the reinvigoration of the Cyber Growth Partnership and the continued growth in the value of the sector to the UK economy.

Book now!

Cyber Security Dinner

In November techUK will host the first ever Cyber Security Dinner. The dinner will be a fantastic networking opportunity, bringing together senior stakeholders from across industry and government for informal discussions around some of the key cyber security issues for 2022 and beyond.

Book now!

Get involved

All techUK's work is led by our members - keep in touch or get involved by joining one of the groups below.

The Cyber Management Committee sets the strategic vision for the cyber security programme, helping the programme engage with government and senior industry stakeholders.


The CSSMEF (Cyber Security SME Forum) is made up of SME companies from the techUK membership. It seeks to include a broad grouping of different SME companies working in the cyber security sector.




Adrian Rowley

Senior Director, Gigamon