There are insiders who are on a mission to cause problems for a company. It could be a disgruntled current or former employee. It could be someone who gets themselves hired (or assigned as a temporary employee) to gain access for the purpose of causing problems. A motivated disrupter with appropriate access can cause tremendous damage. For example, a disrupter who is in an IT position could cause backup files to be replaced with useless files, and could then damage live files that have no usable backup. This is why monitoring software that can detect suspicious or unauthorized activities is so important.

IP Compromiser

An IP compromiser has a mission of stealing intellectual property (IP). IP can be valued at millions or even billions of dollars. Stealing software source code can jump-start a foreign competitor’s capabilities.

Data Compromiser

Like an IP compromiser, a data compromiser is up to no good. He or she wants to steal data that can either be turned into money (for example, by selling it to a credit card number distributor) or released, directly or indirectly, to embarrass a target organization.


Insiders can also be responsible for incidents without intending to do so. They can also be divided into two broad groups: victim and error maker.


An insider can be targeted by a perpetrator to take an action to help carry out an attack without realizing that they are doing so.

  • Phishing: Phishing emails have become ubiquitous. They have the objective of getting the recipient to either click on a link within an email that leads to the deployment of malware, or to give up log-in credentials, credit card numbers or other valuable data. Even though some organizations offer anti-phishing training to employees, this scheme still works on a small percentage of the targeted population.
  • Social engineering: Criminals will use the phone to induce an insider to reveal non-public information. In one method, the caller pretends to be from the company’s IT department and needs to log in remotely to fix a problem, which requires getting the employee’s log-in credentials. Some people fall for it and provide the information.
  • Business email compromise: A perpetrator sends an email to a targeted employee, sometimes using an email address very similar to that of the targeted organization, pretending to be a senior executive. The bogus senior executive needs the employee to help with a secret deal by wiring funds (sometimes millions of dollars, or the equivalent) to a specific account. Most people now recognize this for the fraud that it is, but sometimes it works, and the funds are transferred.
  • Work-at-home dupe: An individual can be induced to take part in what they believe to be a work-at-home opportunity that turns out to be part of a sophisticated theft scheme. The work-at-home worker may turn out to be supporting money laundering, sanctions evasion or other crimes.


Error Maker

Sometimes, an individual simply makes a mistake that leads to a data compromise. For example, a systems developer may inadvertently misconfigure a cloud-based storage container and leave it open to access through the internet, leading to the data stored in the digital container being compromised. Similarly, something as simple as an email sent to an incorrect address (or a fax message sent to the wrong fax number) can cause the compromise of highly sensitive information. This can be caused by accidentally entering the wrong email address, or deliberately (but unknowingly) directing an email to an address set up by an adversary with a very similar address to that of the real organization.


It is important to point out that cyber perpetrators may also use automated tools to look for companies whose systems exhibit vulnerabilities that leave them open to attack. Thus, a company may be targeted simply because the attacker has the capability to successfully carry out an attack. These attacks use tools called scanners that, in effect, test sites for the presence of specific weaknesses that render the site vulnerable to penetration.

An extract from the first edition of The Guide to Cyber Investigations. The whole publication is available at Global Investigations Review.
