UtopianKnight Consultancy – James Griffiths

STRATEGIC | TECHNICAL | ADVISORY | AI | DEVELOPMENT | vCTO | CYBER | ICS & OT

In November 2025, CrowdStrike publicly announced that it had terminated an insider who leaked screenshots of internal dashboards to a hacker collective. While CrowdStrike maintains its systems were not compromised and customer data was unaffected, the incident highlights a critical truth: insider threat remains one of the most persistent and overlooked risks for businesses.

What is an insider threat?

In broad terms, an insider threat occurs when someone with authorised access to an organisation’s systems, data or facilities misuses that access intentionally or unintentionally to cause harm. That harm can include:

  • data exfiltration, screenshot capture or internal dashboard exposure
  • enabling external actors to gain access via leaked credentials or cookies
  • malicious sabotage of systems, or unintentional breaches due to negligence or error

In the CrowdStrike case the insider leaked images of internal dashboards and an Okta-SSO panel to hackers. Even though no systemic breach was reported, the incident underscores how a single trust boundary failure can ripple out.

Why this matters for UK businesses

Your business likely handles sensitive assets: customer data, IP, regulated information (e.g. under UK GDPR, UK Online Safety Act, or CNI/OT systems). While external threats get most headlines, insider risks are harder to detect and often bypass perimeter defences. Consider:

  • UK frameworks such as ISO 27001:2022 (Annex A 9 covers access control) and ISO 27002 give guidance on privilege management.
  • For AI-enabled services, ISO 42001 governance must include insider-risk controls around data ingestion and model access.
  • In critical national infrastructure (CNI) or supply chain contexts, an insider leak may trigger a regulatory incident (see National Cyber Security Centre CAF or DCC Level escalation).

The CrowdStrike story serves as a wake-up call: if a leading cybersecurity vendor can face this, so can you.

Key indicators of an insider threat

You should monitor for and define behaviour triggers such as:

  • Sudden broad access to systems outside the user's normal role (dashboard screens, SSO portal access)
  • Access outside normal working hours, or from unusual locations/devices
  • Downloading or screenshotting large amounts of internal dashboards or logs
  • Requests for elevated privileges without a clear business need
  • Changes in user behaviour (financial distress, disgruntlement) that increase risk surface

What your business can do next: five practical steps

  1. Enforce least-privilege access and review regularly: Set strict role-based access controls. Review high-privilege accounts monthly. Map each privileged role to a business-justified purpose. Use logging and alerting for abnormal privilege-use patterns.
  2. Implement session monitoring and anomaly detection: Use tools that track when users view or export dashboards, screenshot sessions, or share data externally. Leverage UEBA (User & Entity Behaviour Analytics) to flag odd patterns (e.g., multiple exports late at night).
  3. Include insider threat in your risk register and tabletop exercises: In your GRC platform or risk matrix, treat insider threats as a high-impact, moderate-likelihood scenario. Run incident simulations that include “trusted user goes rogue” or “contractor leaks credentials”.
  4. Strengthen third-party and vendor user control: Many insider threats stem from contractors or vendors. Ensure your vendor contracts include clauses on user monitoring, and restrict vendor dashboard views to necessary scopes. The CrowdStrike case referenced a third-party vendor link.
  5. Build a culture and awareness programme: Technical controls matter, but employee culture is vital. Train staff on recognising social engineering (insider facilitators), remind them of the business impact of leaks, and provide a safe channel for raising concerns about colleagues’ behaviour.
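As an added illustration (not code from this post, from CrowdStrike or from any vendor product), the following Python sketch applies the behaviour triggers listed above and the step-2 anomaly logic to a constructed audit log: access outside the role's scope, exports or screenshots outside working hours, and bulk exports in a day. The log format, the role-to-scope map and the thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit lines (hypothetical format, not any vendor's):
# ISO timestamp, user, role, action, target
SAMPLE_EVENTS = [
    "2025-11-10T09:12:00 alice analyst view dashboard:ops",
    "2025-11-10T10:40:00 alice analyst export dashboard:ops",
    "2025-11-10T11:05:00 bob contractor view sso:admin",
    "2025-11-10T23:01:00 carol analyst screenshot dashboard:ops",
    "2025-11-10T23:02:00 carol analyst screenshot dashboard:ops",
    "2025-11-10T23:03:00 carol analyst export dashboard:ops",
    "2025-11-10T23:04:00 carol analyst export dashboard:ops",
    "2025-11-10T23:05:00 carol analyst export dashboard:ops",
]

# Assumed role-to-target entitlements: the "business-justified purpose" map from step 1
ROLE_SCOPE = {
    "analyst": {"dashboard:ops"},
    "contractor": {"dashboard:vendor"},
    "admin": {"dashboard:ops", "sso:admin"},
}
EXPORT_ACTIONS = {"export", "screenshot"}
BULK_THRESHOLD = 5  # exports per user per day before alerting (assumed tuning value)

def parse(line):
    ts, user, role, action, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "target": target}

def off_hours(ts):
    # Assumed working window 07:00-22:00; anything else counts as outside normal hours
    return ts.hour >= 22 or ts.hour < 7

def detect(lines):
    """Return (user, indicator, detail) tuples; each indicator fires once per user per day."""
    alerts, seen, exports = [], set(), Counter()
    def raise_once(user, day, indicator, detail):
        if (user, day, indicator) not in seen:
            seen.add((user, day, indicator))
            alerts.append((user, indicator, detail))
    for ev in map(parse, lines):
        day = ev["ts"].date().isoformat()
        if ev["target"] not in ROLE_SCOPE.get(ev["role"], set()):
            raise_once(ev["user"], day, "outside_role", ev["target"])
        if ev["action"] in EXPORT_ACTIONS:
            exports[(ev["user"], day)] += 1
            if off_hours(ev["ts"]):
                raise_once(ev["user"], day, "off_hours_export", ev["ts"].isoformat())
            if exports[(ev["user"], day)] >= BULK_THRESHOLD:
                raise_once(ev["user"], day, "bulk_export", f"{exports[(ev['user'], day)]} exports")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the scope map would come from the privileged-role review in step 1 and the thresholds from a per-user baseline, which is what a UEBA tool automates.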

How this fits with UK compliance and board-level risk

From a board and audit committee perspective: insider threats impact continuity, data breach risk, and reputation. They also influence your posture under frameworks such as:

  • UK GDPR – personal data breach obligations, reporting to ICO within 72 hrs.
  • NCSC CAF 4.0 – emphasises human factors and supply-chain risk.
  • Proposed UK ransomware payment ban – insider access could enable ransomware.
  • ISO 27001/2 – you must demonstrate controls over internal access and misuse.

Board-level reporting should emphasise: “What trusted access do X, Y and Z have? How are we detecting misuse? What’s our residual risk if someone leaks credentials?”

Final word

The CrowdStrike incident may not have resulted in a full breach, but from a threat-modelling point of view this was a near-miss. We cannot rely solely on firewalls and endpoint agents. Insider threats require layered controls: identity and access governance, monitoring, behavioural analytics, culture, and scenario-testing.

As a founder guiding your security-oriented business and personal brand, position yourself as the expert who helps organisations not just defend the perimeter, but also manage the risk within. Update your frameworks, update your training, and ensure you can demonstrate to clients and board members that you have tackled the “trusted-insider” angle.