How to reduce insider risk without damaging morale, undermining culture, or creating a climate of suspicion.
The inside job has been a go-to plot device for as long as we’ve been telling stories. From Othello to The Godfather, Julius Caesar to that bloke who shut down the systems in Jurassic Park.
I know it was you, Fredo. You broke my heart.
But while these tales of ambition, betrayal, or greed make for intriguing fiction, in cybersecurity, insider risk is often less about betrayal and more about misjudgement.
People trying to do their job and getting played.
To understand how organisations can deal with this eternal threat without disrupting team harmony, I spoke with James O’Neill, Security Engineer in Kocho’s Security Operations Team.
Social engineering is the real hack
Modern attackers aren’t always brute-forcing their way in with zero-day exploits and malware. They’re targeting the human layer. Manipulating behaviour, impersonating colleagues, and using basic psychology to get what they want.
More often than not, a breach starts with a compromised identity. An attacker tricks a user, gains access to a chat, a document, or a support process. After that, it’s just a matter of escalation.
And in today’s cloud-first environments, where identity is the perimeter, that access is often all they need.
Now, the tools and technology exist to detect and protect. But often, they’re only as strong as your weakest link. And invariably that’s the human element.
So how do you tackle insider risk without making everyone feel like a suspect?
95% of data breaches were tied to human error in 2024.
Enabling Zero Trust without creating a culture of suspicion
We talk a lot about Zero Trust in cybersecurity – and rightly so. Verifying explicitly, using least privilege, assuming breach – these are the bedrock principles of modern security architecture.
The challenge is enabling Zero Trust in a way that doesn’t feel punitive to your people.
Build a culture where employees feel watched, restricted, or automatically under suspicion, and you’ll do more harm than good. Morale drops. People disengage. And ironically, they’re less likely to report issues or admit to mistakes when they happen.
Security should protect people, not alienate them. The goal is to create an environment where staff feel confident using systems securely, and supported if something goes wrong.
Design security that works the way people do
If security gets in the way of work, people will work around it. We all do it – it’s human nature.
But that way danger lies.
Yes, we know human vulnerability presents a risk. But rather than treating users as liabilities, why not build in controls that enable them?
For example:
As a Microsoft partner we naturally gravitate towards its ecosystem of security tools like the Zero Trust controls built into Entra ID, Conditional Access, and Identity Protection. Or Microsoft Defender for Identity and the wider scope of Defender XDR.
But these tools are only as effective as the way in which they’re deployed. They need to be configured correctly for your organisation and used together as part of a broader, joined-up security operations strategy.
Technology needs to align with strategy and know-how
Effective insider risk management depends on building a strategy that brings together:
- Alerts and signals from across the digital estate
- Intelligence to identify real threats, not just noise
- Operational agility to respond in the moment
- Playbooks developed to quickly isolate issues and contain impact
This is where cybersecurity is right now. And we really feel it’s incumbent on your SOC team (whether in-house or outsourced) to be putting that into practice. They need to be able to spot anomalies, of course. But more than that, they need the tools and skills to interpret them, act on them quickly, and continuously evolve the defences.
That means better user education, stronger enforcement of identity policies, and a security operations function equipped to spot suspicious patterns early, shut down unauthorised access fast, and adapt controls in real time.
Because when something slips through – and it will – it’s the speed and quality of your response that will determine the outcome.
Final thought
Insider risk is as old as the concept of security itself. And it’s not going away any time soon.
But with the right culture, controls, and operational approach, it’s a risk that can be reduced without fear. And without damage to morale or trust.
Because if your security strategy makes everyone feel like a suspect, it’s already failed.
Insider risk stats for UK organisations
412,000 UK firms hit by insider-related incidents in 2023.
£1.6 billion in combined losses across these breaches.
47% of SME leaders say they feel more at risk since the cost-of-living crisis.
38% cite a rising risk from malicious insiders, and 35% a rising risk from staff mistakes.
146% increase in Attacker in the Middle (AiTM) phishing attacks in 2024.
If you’d like to learn more about how James and the rest of the Kocho SOC team can help your organisation stay safe, compliant, and productive, get in touch with us today.
Sources: Infosecurity Magazine | Beaming | Microsoft Digital Defence Report 2024