Insider Risk Management Data Protection

How to Unmask High Risk Users Before They Become Insider Threats

Mimecast webinar demonstrates how real-world examples can teach us about human error and the role it plays in cybersecurity incidents

by Masha Sedova

Mai 09, 2025

Wichtige Punkte

Human error remains a critical vulnerability, as illustrated by both maritime and cybersecurity incidents, where simple mistakes like using weak passwords or ignoring security alerts can lead to significant disruptions.
Insider risks pose a serious challenge, with trusted individuals having the potential to exploit their access for malicious or negligent actions, similar to maritime cases of questionable motives.
Targeted attacks highlight the need for proactive defenses, requiring organizations to identify vulnerable users and implement tailored protections to prevent exploitation.

Three Maritime Stories

What can three modern maritime stories teach us about cybersecurity? In a recent Mimecast webinar that I recently hosted with Mimecast CMO Nikki Cosgrove, we answer that question. We take a look at how everyday real-world examples can demonstrate the biggest challenges facing security professionals today – human error, insider risk, and targeted attacks.

Human Error

The most complex crises usually don’t start with a complex failure. They tend to start with something much smaller. For example, in the Suez Canal in March 2021, when a ship ran aground, blocking traffic from being able to pass through the canal, it wasn’t strong winds and weather that were the culprit, it was actually human error – the captain falling asleep. This incident led to $9.6 billion in trade per day being stopped for six days while the ship was being moved to free up the canal’s path.

It is human error like this that also leads to the biggest breaches in cybersecurity. Typically, it is a single employee using a weak password, an employee who is fatigued and doesn’t pay attention to security alerts, an employee who doesn’t use multi-factor authentication, or an employee who clicks on a phishing link.

Insider Risk

But, what happens when there is an incident, and you are not immediately sure that it was an accident? When the captain of a Portuguese container ship turned off a navigation system and barreled into a tanker loaded with jet fuel used to supply U.S. fighter jets, his motivations were called into question. Was this Russian captain motivated to make a statement? Was he trying to cripple the U.S. fighter jet fuel supply in Europe?

In cybersecurity, we have tended to focus on system failures, on ransomware, the zero-days, the advanced persistent threats, but what about the people that are working inside the systems? What do we do when it is not a system failure, but a person – a trusted insider like a disgruntled employee, a contractor with elevated access rights, the insider who turns risk into real-world harm by stealing patient data from a hospital? Security professionals need to be on guard because trusted insiders that are stealing data tend to look like every other user.

Targeted Attacks

And what do we do when the incident is not human error, not someone trying to hide in plain sight, but in fact, a well-known malicious actor who is specifically targeting our systems and people? What happens when a Yemeni fishing vessel is boarded by pirates and holds the crew for ransom? What message does it send to other pirates when that ransom is paid? How can we keep our people and data safe without promoting additional attacks by giving in to ransom demands?

Security professionals must be able to adequately identify which of their users are most susceptible to these types of targeted attacks in order to better protect them. In this third maritime analogy, we would be asking ourselves how do we best protect our vulnerable fishing vessels and people when they are out in the water just trying to do their job – like our users are doing in the office or when working remotely?

The Common Denominator

All three of these maritime examples have one thing in common – as do some of the most devastating incidents in cybersecurity – and that is people. In cybersecurity, it all boils down to the user. Like in June 2017 when a Maersk employee in a very small office in Ukraine followed their training and updated their software, only to discover that the MeDoc software update had been compromised, leading to a breach of tens of thousands of Maersk endpoints, grinding much of the company’s business to a halt and causing $300 million in lost revenue. In this incident, the user followed procedures and updated their software, and were it not for a power failure in Ghana that left one Maersk server undamaged, the toll on the company could have been much worse.

The Sad Truth

The sad truth across all of these incidents is that cybercriminals are very aware that people are their best point of entry for attack. They know that hacking, brute force, and all of those traditional attack methods require much more work than simply sending employees phishing emails and waiting for that click that gives them access to the system instead. These attackers know that human behavior is their best ally.

The Bottom Line

While security professionals do need to continue to secure systems and devices, they also need to do their best to secure the people within their organization that are using those devices. Just 8% of users cause 80% of security breaches. It has never been more important for organizations to be able to identify which of their users are the ones causing those most security incidents. Mimecast stands ready to help organizations be able to identify these users and better secure how they work each and every day.

Be sure to watch our Unmasking High-Risk Users Before They Become Insider Threats webinar to learn more about how Mimecast can help your organization.