
The most common cybersecurity incidents still begin with people—mistakes, shortcuts, rushed approvals, and compromised accounts—rather than cinematic outside hackers. With hybrid work, SaaS sprawl, and third-party access, “inside” risk includes employees, contractors, and partners, plus attackers who successfully impersonate them. The good news: the controls that reduce insider-driven loss are well known and practical to implement.
Why “inside” risk remains the biggest problem
• Identity is the new perimeter. If authentication and authorization are weak, every app is weak.
• SaaS and integrations expand blast radius. OAuth grants, app marketplaces, and automations can silently create over-privileged access.
• Hybrid work multiplies entry points. Personal devices, home networks, and unmanaged browsers raise the chance of mistakes and credential theft.
• Third parties act as insiders. Vendors and contractors often hold powerful roles without the same controls or oversight.
Common 2025 insider-risk scenarios
• Accidental data exposure: over-broad file shares, public links, guest access left on, or misrouted email.
• Compromised insider: account takeover via phishing, MFA fatigue, token theft, or infostealer malware—then lateral movement across connected apps.
• Malicious insider: data exfiltration, destruction, or sabotage by a disgruntled user with excessive privileges.
• Help-desk social engineering: convincing requests to add MFA factors, reset passwords, or elevate roles without strong verification.
• Third-party overreach: marketplace apps, service accounts, or contractors granted rights beyond least privilege.
What to do now: a practical playbook
- Identity and access
• Enforce phishing-resistant MFA (security keys or passkeys) for administrators and any remote or privileged access.
• Remove standing global admins; use just-in-time elevation with approvals and reason codes.
• Apply conditional access (device posture, risk, geolocation) and block legacy/Basic protocols.
• Rotate local admin passwords automatically; vault and test break-glass credentials.
- SaaS and OAuth governance
• Disable end-user app consent; require an admin approval workflow.
• Allow only publisher-verified apps or those you’ve reviewed; restrict by assignment.
• Limit scopes to least privilege; re-review grants quarterly and revoke stale tokens.
- Email and collaboration hardening
• Monitor and lock down forwarding rules, inbox rules, and transport policies.
• Default to private links; time-bound external sharing; use viewer-only modes and watermarking for sensitive content.
• Use DLP where available; alert on mass downloads and unusual sharing.
- Endpoint and patching
• Deploy EDR/XDR on 100% of supported endpoints and servers.
• Patch known-exploited issues on accelerated timelines; treat remote-access and admin tools as Tier-0.
- Help-desk verification (stop social engineering)
• No resets, factor enrollments, or privilege changes via chat/ticket alone.
• Mandatory call-back to pre-verified numbers; multi-person approval for admin changes.
• Script out acceptable evidence; log every high-risk action.
- Joiners-Movers-Leavers (JML) and third parties
• Automate provisioning with role-based access; review rights when roles change.
• For contractors and vendors: separate accounts per tenant/customer, short-lived access, and automatic expiry.
• Offboard fast: disable accounts, revoke tokens, rotate shared secrets, and transfer ownership of critical resources.
- Logging, detection, and response
• Centralize identity, email, SaaS admin/audit, endpoint, RMM/PSA, and firewall/VPN logs.
• Retain roughly 12 months where feasible; alert on consent grants, privilege changes, mailbox rule/forwarding changes, anomalous sign-ins, and large external shares.
• Keep SaaS-specific runbooks: revoke tokens, remove app consent, snapshot logs, cut external shares, notify data owners.
- Backups and recovery
• Do not rely on recycle bins. Use versioning/retention and, for critical apps, a third-party SaaS backup.
• Follow 3-2-1-1-0 with at least one immutable or air-gapped copy; test restores quarterly and record results.
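As an added illustration of the "Logging, detection, and response" items above (example code written for this page, not from the article or any vendor): a small detector that raises alerts for consent grants, privilege changes, mailbox forwarding-rule changes, and bursts of external sharing. The event schema, field names, thresholds, and sample events are all constructed assumptions and do not follow any real product's audit-log format.

```python
"""Detection logic for the high-risk actions the playbook says to alert on.
Event schema, field names and sample events are constructed for this example
and do not follow any particular vendor's audit-log format."""
from collections import Counter
from datetime import datetime

WINDOW_MINUTES = 10          # assumption: bucket external shares into 10-minute windows
SHARE_BURST_THRESHOLD = 5    # assumption: >= 5 external shares per window is "mass sharing"

# Actions that warrant an alert on every single occurrence, whoever performs them.
ALWAYS_ALERT = {
    "oauth.consent_granted": "OAuth consent grant",
    "role.privilege_added": "privilege change",
    "mailbox.forwarding_rule_created": "mailbox forwarding rule change",
}

def _bucket(ts: str) -> str:
    """Floor an ISO-8601 timestamp to the start of its WINDOW_MINUTES window."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return t.replace(minute=t.minute - t.minute % WINDOW_MINUTES, second=0).isoformat()

def detect(events: list[dict]) -> list[str]:
    """Return one alert string per finding; single-event alerts come first, in log order."""
    alerts, shares = [], Counter()
    for ev in events:
        action = ev["action"]
        if action in ALWAYS_ALERT:
            alerts.append(f"{ALWAYS_ALERT[action]} by {ev['actor']}: {ev['detail']}")
        elif action == "file.shared_externally":
            shares[(ev["actor"], _bucket(ev["ts"]))] += 1   # count per actor per window
    for (actor, bucket), n in shares.items():
        if n >= SHARE_BURST_THRESHOLD:
            alerts.append(f"mass external sharing by {actor}: {n} shares from {bucket}")
    return alerts

# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:01:00Z", "actor": "alice@example.com", "action": "oauth.consent_granted",
     "detail": "app=Mail Sync Pro scopes=Mail.ReadWrite,offline_access"},
    {"ts": "2025-03-04T09:02:30Z", "actor": "helpdesk@example.com", "action": "role.privilege_added",
     "detail": "target=bob@example.com role=Global Administrator"},
    {"ts": "2025-03-04T09:03:00Z", "actor": "carol@example.com", "action": "mailbox.forwarding_rule_created",
     "detail": "forward_to=archive@example.net"},
    {"ts": "2025-03-04T09:04:00Z", "actor": "erin@example.com", "action": "user.signin", "detail": "ok"},
    {"ts": "2025-03-04T09:05:00Z", "actor": "erin@example.com", "action": "file.shared_externally", "detail": "q1.xlsx"},
] + [
    {"ts": f"2025-03-04T09:{m:02d}:00Z", "actor": "dave@example.com", "action": "file.shared_externally",
     "detail": f"customers-{m}.csv"} for m in range(11, 17)   # six shares inside the 09:10 window
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Erin's single external share stays below the burst threshold and her sign-in is ignored, so the sample produces exactly four alerts.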
Quick checklist for this week
• Enforce phishing-resistant MFA for admins and remote access
• Remove standing global admins; enable just-in-time elevation
• Disable end-user OAuth consent; allow only verified/publisher-reviewed apps
• Turn off legacy authentication; tighten external sharing defaults
• Inventory and re-review OAuth grants; revoke unused/over-scoped tokens
• Centralize and retain key logs; alert on consent/privilege/forwarding changes
• Lock down help-desk procedures with call-back and dual control
• Confirm true backups for SaaS and on-prem; perform one restore test
Cyber-insurance lens
Underwriters increasingly ask for evidence of the controls above before binding or to remove sub-limits. Maintain an “evidence pack” with policy screenshots (MFA, conditional access, PIM), app-consent reviews, backup configs and restore test results, and recent alert/runbook examples. Strong controls reduce loss likelihood and claims friction—and can improve terms.
Sources
FBI IC3 2024 report (Federal Bureau of Investigation, Internet Crime Complaint Center): record $16.6B in reported losses and continuing growth in BEC and fraud.
Verizon DBIR 2025 (Verizon, SpyCloud): identity-driven and third-party risks remain prominent across incidents and confirmed breaches.