Cyber threats emerge from a variety of different sources and there are several ‘species’ of bad actors who can turn your systems upside down. Alex Bomberg, Group Chairman of cyber risk specialists International Intelligence, sets out the highest-priority attacker types that organisations need to keep at bay.

Insiders

Unfortunately, Bomberg says, the risk posed by insiders is one of the most significant cyber threats that organisations face.

“It’s not necessarily a true hack,” he notes. “Indeed, most cyber incidents aren’t. They often stem from human failure, and that’s certainly a feature of insider threats. Perhaps someone has just left your business, and their access privileges are still usable. Perhaps a member of staff has been sidestepped in some way, and they choose to leak access details in anger.”

For Bomberg, staff must be made aware of the potential for insider threats to occur within their organisation, and trained to understand what an attack of this nature would look like, including a related social engineering approach.

Bad actors with insider knowledge – either developed from personal experience in the company or procured from an insider – would typically know which employees to contact to initiate a social engineering scam, and how those individuals could be manipulated into assuming the approach was genuine.

Hacktivists

Some disgruntled individuals or groups will target your systems specifically because of your activities or affiliations, Bomberg warns. For example, you could be doing accounts for an oil and gas company – or for a business that works for one. You could be working at a company that is involved with genetically modified crops, industrial processes with a high incidence of pollution, product testing involving animals or agriculture based around battery farming – really, any industry that draws controversy.

“These attackers will typically be very demonstrative and unsubtle,” Bomberg says. “They’ll try to kick down the doors, rather than use social engineering. Activist organisations can be very overt in their physical campaigning, and that translates to their digital approach.”

This is where you need staff training on the types of groups that exist and are targeting various industries, he explains. While it may be a commercial win to onboard a major client that works in a sensitive business sector, you will inevitably need to tighten your security measures.

Organised criminals

In around 80% of cases, Bomberg notes, financial gain will be the primary aim behind a cyber attack. The remaining 20% of cases stem from a desire to cause disruption or reputational harm.

For major corporates, that means paying attention to a range of increasingly sophisticated criminal techniques, many of which are harnessing artificial intelligence (AI). Bomberg cites a well-known incident from early 2024 in which an employee of engineering firm Arup was tricked into transferring $25m (£18.6m) to criminals by a fraudulent videocall displaying an AI deepfake of a senior manager.

Bomberg adds: “Lots of SMEs think that a financial hack is never going to happen to them, or that no one is interested in data concerning their client bases. But criminals keep their eyes and ears peeled for M&A deals as low as £5m in value. So, as accountants are heavily involved with such deals, it’s not just about ensuring your payroll doesn’t get hacked – it’s about protecting your client files too.”

Hobbyist hackers

What boy racers are to motoring, these hackers, also known as 'script kiddies', are to hacking. A 2023 blog from antivirus specialists Norton defines them as “novice hackers who use existing scripts and software to carry out cyber attacks”. In other words, they hop on other people’s malicious wheels, take them for a spin and try to wreak as much havoc as possible – usually to claim bragging rights in competitive standoffs with peers.

One of the earliest attacks occurred 10 years ago, when a teenage boy used hacking software to comb various corporate websites for weaknesses. After identifying a vulnerability at telecom company TalkTalk, he posted details of the flaw online, opening it up to another cyber attack. In November last year, cloud security firm Aqua identified a likely young hacker with the alias Matrix as being responsible for a global distributed denial of service (DDoS) campaign that was targeting Internet of Things devices.

“Script kiddies are dangerous, and often underestimated,” Bomberg says. “Defending against them is all about being on top of the bases – not just with the security and testing of your systems, but the readiness of your crisis management response. A hack of this type is not going to come at 9am on a Monday. It will happen when you least expect it.”

State actors

“There’s a term called ‘relative criticality’, which acknowledges that cyber attackers don’t have to go for the biggest targets – just the right ones,” Bomberg says. “Applying pressure to systems with particularly sensitive, public-facing roles can create significant knock-on effects – and that’s often the goal for state actors. Occasionally, they will blend scale and sensitivity, as we saw in 2017 with the WannaCry attack on the NHS.”

State-backed hackers will seek to cause as much disruption as possible, says Bomberg. Imagine you’re in charge of an infrastructure company responsible for the UK’s digital-display road signs. State actors might aim to infiltrate the system and declare the nation’s motorways closed. “There would be absolute chaos.”

Combating state actors is incredibly complex, he adds, but you give yourself a head start by mastering two things. The first is Swiss cheese theory, which states that once you sandwich together all your various defence layers, they will cover each other’s holes and be tough to get through. The second is broken window theory, according to which hackers will be inclined to attack a system they think is in disarray.

Bomberg notes: “Broken windows theory is based on an approach to policing that took off in New York, when a chief observed that poorly maintained areas automatically attract crime. What’s true of cities is also true of cyberspace.”