As an authority in Cloud technology, Maryanne Baines has a deep understanding of the digital infrastructure that powers modern business. With extensive experience evaluating the tech stacks and security postures of various industries, she offers a critical perspective on one of the most insidious threats organizations face today: the enemy within. This interview explores the rising trend of cybercriminals recruiting employees on the dark web, the unique challenges posed by insiders who know a company’s defenses from the inside out, and the proactive strategies security teams must adopt, from behavioral monitoring to dark web surveillance.
Insiders often know a company’s security policies and can bypass typical alerts. What specific vulnerabilities does this create for an organization, and what are some step-by-step measures a security team can take to mitigate these unique internal risks?
The vulnerability an insider creates is fundamentally different and far more dangerous than a typical external attack. An external threat has to break down the door, which triggers alarms like unusual login attempts. An insider, however, already has the keys. They know which doors are unlocked, where the cameras are, and how to walk the halls without looking suspicious. This means they can adjust their actions to avoid triggering standard security alerts, making them almost invisible. To counter this, security teams must build a defense-in-depth strategy that assumes a breach is possible. This starts with implementing proper network segmentation to contain a rogue actor’s movement. Then, you enforce strong, principle-of-least-privilege access controls. Finally, you deploy data loss prevention tools that don’t just watch the door, but watch what people are trying to carry out of it.
We’re seeing dark web ads offering up to $15,000 for access to crypto exchanges and banks. Why are these sectors such prime targets, and how does this recruitment-based approach change the defensive playbook for security leaders compared to traditional external threats?
The crypto and banking sectors are prime targets for one simple reason: they are where the money is. The path from data to cash is incredibly short. We saw nearly $1.93 billion stolen in crypto-related crimes in just the first half of 2025, a figure that speaks for itself. One successful breach at a firm like Coinbase can cost hundreds of millions of dollars. This recruitment approach completely flips the defensive playbook on its head. For decades, we built higher and stronger walls to keep attackers out. Now, the attacker isn’t trying to breach the wall; they’re paying someone to open a side gate for them. The focus for security leaders must shift from a perimeter-only defense to a model that includes robust internal monitoring, scrutinizing what authorized users are doing with their legitimate access.
Early detection seems to rely on spotting unusual employee behavior, like accessing sensitive files. Can you walk me through the practical steps a security team uses to monitor this effectively without creating a culture of distrust?
This is a delicate balance, but it’s entirely achievable. The key is to focus on data and access patterns, not on individual employees. The first practical step is to establish a clear baseline of what normal activity looks like for different roles. A security team should then implement automated monitoring for deviations from this baseline, such as an employee who suddenly starts accessing sensitive information they’ve never touched before, especially if it’s outside their job requirements. Another major red flag is any attempt at data exfiltration to external devices or cloud services. By using automated tools and focusing on objective events, you remove the personal element. It’s not about watching people; it’s about protecting data and flagging anomalies that put that data at risk.
Proactively monitoring the dark web for recruitment posts is often recommended as an early warning. How does a company practically implement this surveillance, and once a credible threat is flagged, what immediate actions should its incident response team take to harden defenses?
Practically speaking, most companies don’t have the resources or expertise to navigate the dark web safely themselves, so they rely on specialized threat intelligence services. These services have the tools and analysts to monitor forums and marketplaces for any mention of your company, executives, or specific job roles being targeted for recruitment. When a credible threat is flagged—say, a post appears explicitly looking for an insider at your firm—it’s a fire alarm. The incident response team must act immediately. This isn’t the time for investigation; it’s time for prevention. You immediately move to a state of high alert, review and tighten all access controls, and double-check that your incident recovery plan is ready. You have been given a precious warning, and the goal is to harden every potential target before the adversary can find a willing employee.
With losses in the crypto sector reportedly reaching nearly $2 billion in just six months, the financial stakes are enormous. Beyond direct theft, what are the less obvious, long-term damages an organization suffers from a successful insider-led breach involving competitive intelligence or customer data?
The headline numbers, as staggering as they are, often mask the deeper, more corrosive damage. When an insider sells confidential business agreements to a competitor, it’s not just a data leak; it’s a strategic catastrophe. Your product roadmap, your pricing strategy, your negotiation tactics—all handed to the competition on a silver platter. That can set a company back years. Similarly, when personal customer information is stolen, the trust you’ve built with your user base is shattered. The financial cost of rebuilding that reputation, dealing with regulatory fines, and managing customer churn can far exceed the initial theft. It’s a wound that continues to bleed long after the breach has been contained.
What is your forecast for the insider threat landscape?
I believe the direct, explicit recruitment of insiders on the dark web will not only continue but will accelerate and become more mainstream for cybercriminals. As organizations get better at defending against external attacks, the human element becomes the weakest link and the most logical point of entry. The payouts are becoming increasingly attractive, and we will see this tactic spread from fintech and crypto into other data-rich sectors like healthcare, manufacturing, and legal services. In the coming years, having a dedicated insider risk program will no longer be a best practice for mature organizations; it will be an absolute necessity for survival.
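The baseline-and-deviation monitoring described in the answer on early detection, as an added example that is not part of the original interview: it learns per-role and per-user access baselines from a constructed access log, then flags only the objective events the answer names (sensitive data outside the role's baseline, first-time access to sensitive data, and copies to external devices or cloud services). Every user, role, resource and destination name here is a constructed placeholder.

```python
from collections import defaultdict

# Constructed sample access log: (user, role, resource, destination).
# destination "internal" = normal read/use; anything in EXTERNAL_DESTINATIONS
# means the data left the environment (USB stick, personal cloud, ...).
HISTORY = [  # past activity used to learn what "normal" looks like
    ("alice", "finance", "pricing_model", "internal"),
    ("alice", "finance", "quarterly_report", "internal"),
    ("bob", "finance", "quarterly_report", "internal"),
    ("carol", "engineering", "source_repo", "internal"),
    ("dave", "support", "ticket_queue", "internal"),
]
TODAY = [  # new activity to score against the baseline
    ("alice", "finance", "pricing_model", "internal"),
    ("bob", "finance", "pricing_model", "internal"),
    ("carol", "engineering", "customer_pii", "internal"),
    ("dave", "support", "ticket_queue", "personal_cloud"),
    ("carol", "engineering", "source_repo", "usb"),
]
SENSITIVE = {"pricing_model", "customer_pii", "business_agreements"}
EXTERNAL_DESTINATIONS = {"usb", "personal_cloud", "personal_email"}

def build_baselines(events):
    """Return (role -> resources, user -> resources) seen in past activity."""
    by_role, by_user = defaultdict(set), defaultdict(set)
    for user, role, resource, _dest in events:
        by_role[role].add(resource)
        by_user[user].add(resource)
    return by_role, by_user

def flag_anomalies(events, by_role, by_user):
    """Emit (user, reason, detail) for objective deviations from the baseline."""
    alerts = []
    for user, role, resource, dest in events:
        if resource in SENSITIVE:
            if resource not in by_role[role]:       # nobody in this role touches it
                alerts.append((user, "sensitive resource outside role baseline", resource))
            elif resource not in by_user[user]:     # role does, but this user never has
                alerts.append((user, "first-time access to sensitive resource", resource))
        if dest in EXTERNAL_DESTINATIONS:           # data leaving via external channel
            alerts.append((user, "data copied to external destination", dest))
    return alerts

def run_demo():
    by_role, by_user = build_baselines(HISTORY)
    return flag_anomalies(TODAY, by_role, by_user)

if __name__ == "__main__":
    for user, reason, detail in run_demo():
        print(f"ALERT user={user} reason={reason} detail={detail}")
```

Alice's normal use of the pricing model produces no alert, which is the point: the rules key on access patterns and data movement, not on the person.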
