If off-the-shelf security training is to be believed, all insider threats worth defending against are disgruntled employees. Bitter and spiteful middle-aged men who want to stick it to their boss and get even for real or perceived slights. Milton from Office Space is the go-to archetype. The aggrieved and unsociable loner that stands out amidst the body of loyal and happy workers. The resentful saboteur is a great trope … for fiction. For real life? Not so much. At least not in terms of damage potential.
Sure, these sorts of insiders do exist. Take Terry Childs, the network engineer who locked his employer out of their own network after his supervisors (allegedly) mistreated him. While there’s a lot of nuances to Childs’ story, the oversimplified version of what happened has greatly helped legitimize the trope of the line-level, lone wolf, malcontent lashing out. I reckon that’s why hundreds of millions of corpo drones are taught every year to report their unhappy and resentful colleagues to whatever passes for their employer’s Internal Affairs office.
The trouble is, the most harmful insider threat actions don’t come from the cubicle farm. Rather, they come from upper management. It’s not the overworked and under-respected CCIEs and CISSPs consigned to the basement doing the most damage per-capitalist. Seriously. It’s the folks who can expense a four-figure lunch and use the word “yacht” as a verb.
This topic came up last week when I messaged one of my pals to see how he was holding up. My buddy Alonzo [1] works in a big manufacturing company, coordinating the movement of finished goods from factories to major retailers. He’s got a stressful gig. Every time I check in on Alonzo, he seems exasperated and exhausted. The way he describes it, he’s enduring too much work made doubly difficult due to too much bureaucratic incompetence. Last week’s update, though, was stunningly different.
“I’ve had literally nothing to do for a week,” Alonzo admitted. “Our entire enterprise has been brought to its knees. No one can use our ERP platform. It’s down hard. No telling when it’ll come back up … or if it ever will. Everything has stalled and no goods are moving.”
The way Alonzo told me the story, everyone at his site and at every other site worldwide that depended on this solution was left twiddling their thumbs after the Big Computer in the Sky™ fell over Monday morning. Alonzo insisted this wasn’t something that could be fixed with a reboot; according to his pals in IT, their ERP solution had consumed all its storage capacity and blown its virtual brains all over its cloud. No one from IT, he said, is sure if the system can be rolled back to a prior state.
I asked how the business is responding. Alonzo said that everyone in management seemed locked in Panic Mode. He figured it was only going to take a few weeks before the markets caught on and their board obliterated the executives’ compensation. He reckoned their corporate culture would degenerate from Mad Men to Mad Max in one budget cycle or less. I’d be a danged liar if I said I won’t be curious to see how that plays out. This is high drama!
Anyway, the “insider threat” aspect of Alonzo’s company’s recent disaster wasn’t a “Milton.” This wasn’t a matter of a single sysadmin turning off the company router or locking everyone out of their accounts. The facts that have been released so far [2] put the blame for the big crash entirely on the company’s third-party IT support provider. Some high-ranking executive leader – I’d wager either the CIO or the CFO – made a strategic decision at some indeterminate point to outsource all the company’s tech support and the administration of their ERP solution to an outside service provider.
To be fair to Alonzo’s IT company, this is a common strategy in corpo space. Back around 2000 when I was working for a Big 5 consulting firm, I was almost transferred to an ERP outsourcing practice at one of our Dallas offices. When I met the manager I was supposed to work for, the fellow bragged about how cost-effective and competitive it was for clients to completely turn over control of their ERP platforms to our Firm. The client wouldn’t need to pay exorbitant salaries to subject matter experts, he said. It was far cheaper to “rent” the experts on a per-ticket basis. Strangely, the manager I was chatting with was laid off not long after that meeting when it was discovered that the ERP outsourcing business hadn’t ever signed a contract ...
Anyway, it’s the financial sleight of hand that makes this sort of deal attractive to an executive. If you can get exactly the same quality of support from a third-party service provider that you’re already getting from your in-house IT staff, then the allure of outsourcing becomes irresistible. Keep your products’ prices the same, reduce your payroll and benefits expenses, and the delta between what you’re taking in and what it costs to maintain quality of services becomes bonus profit. See also: Magic!
That’s why Alonzo’s story wasn’t new to me. I’d seen the exact same strategy applied as a desperate cost savings measure back when I worked for a global cloud hosting provider. Thanks to a wide-open market, the business ran on very thin margins. When our Big Bosses demanded greater profitability, proposed solutions like investing in more efficient data centres were nixed. The Big Bosses wanted to brag about immediate profits for no additional cost. You know … magic. The company’s solution was to outsource over half of their existing support capability to foreign companies. Where an American Tier 3 engineer was costing the company about $250k a year, a third-world based Tier 3 engineer might only cost $25k-$40k. From management’s perspective the shift from domestic to foreign and salaried to contracted was a no-brainer. Free money!
Of course, firing half of the loyal workers torpedoed morale. Hundreds of workers were abruptly cast aside like fast food wrappers, taking all their crucial tribal knowledge with them. The people that had been discarded were murderously angry and the people that had stayed were horrified. The damage inflicted on esprit de corps couldn’t ever be healed … like anyone at HQ who employed a chauffeur cared.
Adding insult to injury, the outsourcing firm’s promise to our cloud hosting business that they’d provide exactly the same quality of support was a baldfaced lie. They didn’t have hundreds of seasoned cloud support engineers waiting on the bench, ready and eager to get onto the pitch. They had to hire hundreds of new contractors and then spend months training them in all-new leased buildings with all-new equipment that hadn’t been tested. It was obvious from before the mass layoffs that Initial Operational Capability wouldn’t be achieved for a year or more, leaving half of the surviving domestic engineers with double the workload and no useful support. Cue more irreplaceable losses.
From what I can tell that’s almost exactly what happened to Alonzo’s company. Someone at the highest levels of power in his outfit’s hierarchy seems to have decided to completely outsource their ERP support and administration to a third-party vendor. Worse, to a vendor notorious in the industry for extreme offshore body shopping. A little online sleuthing would’ve revealed how badly this third tier provider was rated by people that have hired them and by people unlucky enough to have worked for them. It’s no wonder that Alonzo’s company suffered a catastrophic – and possibly unrecoverable – failure of a critical operations support system. Someone in power seems to have gambled on the cheaper tech support option to give the appearance of increased short-term revenue and it didn’t work out.
Now, from a cybersecurity perspective, Alonzo’s company’s situation is an insider threat incident. It appears that one person – or maybe a small number of people working together – deftly sabotaged their organisation’s IT plant for money. Not nefariously, perhaps; I personally doubt that anyone involved intended for this to happen. But, from a disaster recovery perspective the perpetrators’ motives aren’t relevant. They accepted more risk than the business could recover from if things went sideways. They gambled and lost. Time for heads to roll, right?
Er … no. What’s painfully ironic about this echelon of insider threat is that there likely won’t be any consequences for the people responsible. If a Milton had crashed the ERP system, then that Milton would be standing on the kerb outside the office with his personal effects in a box before close of business. That’s not how the process works for executives. Even though this unnamed (and to be fair, as-yet-unproven) notional executive has inflicted millions of dollars of damage on the company, they’ll likely be allowed to quietly scarper to some other megacorp and claim “tremendous cost savings” as an accomplishment on their CV. The remaining high muckety-mucks in the leather seats won’t suffer any blowback for not keeping the recently departed offender in check. Blame might fall on a few token scapegoats in middle management for theatre’s sake and then the whole mess will be swept under the corporate rug.
I find this absurd. I remember busting an entry level worker for using the company photocopier to duplicate a video game manual. The kid got severely spanked for costing the company a few hundred dollars because he exceeded our monthly copy limit. That was far more punishment than anyone in Alonzo’s company is likely to experience for potentially murdering their company’s share price and global reputation. It’s a devastating insider threat incident and should be treated like one, but … The rules that apply to the powerless Milton at the base of the corporate pyramid never apply to the god-kings at the apex. This can’t be sustainable.
How do you think our profession should deal with this kind of preventable insider threat issue? Should there be an entirely different protocol for monitoring and preventing god-king tier insider threats? Should an agency other than a company’s board of directors have the authority to interdict overly risky and potentially fatal business decisions? Should there be monitoring and watchdogging commensurate with the threat posed at that echelon?
I’d wager that no company still in business will ever agree to such restrictions being placed on their CXOs … and at the same time, I’ll bet there are millions of survivors of failed businesses out there who lament that no such capability was in play when their CXOs mucked everything up and destroyed their company by cavalierly assuming too much risk. I wish I had a realistic solution for this, but … no. Capitalism is inherently irrational and self-destructive. It’s to be expected that the people implementing it feel compelled to play dice with the lives of their customers, their suppliers, and their workers in the pursuit of just a little more profit.
Not that that’s any consolation to Alonzo and his family.
[1] Not his real name.
[2] As of the last time I spoke with Alonzo.
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543