Cyber-attacks don’t always come from shadowy hacking groups or sophisticated malware. Sometimes, the biggest threats are much closer to home.
In January 2025, the British Museum learned this the hard way. A recently dismissed IT contractor managed to re-enter the building and shut down key systems—including the ticketing platform. Visitors were turned away, exhibitions were forced to close, and the museum was left scrambling to restore operations.
This wasn’t a complex ransomware attack. It was an insider threat—one of the most underestimated risks in Cyber Security.
So, what went wrong at the British Museum? And more importantly, what can organisations do to stop insider threats before they cause harm?
Let’s Define The Difference Between Malicious and Unintentional Threats:
When we talk about Cyber Security threats, the focus is often on external actors—ransomware gangs, phishing campaigns, and nation-state hackers. But what about the risks that come from inside an organisation?
An insider threat refers to any security risk that originates from within an organisation’s own workforce—whether employees, contractors, or third-party vendors with access to internal systems.
First, let’s break down and define insider threats:
Insider threats generally fall into two main categories: malicious and unintentional. While their motivations and methods differ, both can lead to severe consequences.
1. Malicious Insider Threat Examples
These happen when someone inside an organisation deliberately misuses their access to cause harm—whether for personal gain, revenge, or to help an external party. Here are some examples to look out for:
- Disgruntled employees – A recently fired employee or contractor may lash out by sabotaging systems, deleting files, or leaking sensitive data.
- Data theft for profit – Employees with access to valuable information may steal trade secrets, customer data, or financial records.
- Corporate espionage – Some insiders are recruited by outside organisations or even foreign entities to steal confidential information.
- Privilege abuse – Employees misuse their access to peek at sensitive files, change system settings, or override security controls.
2. Unintentional Insider Threats
Don’t worry, it’s not all doom and gloom! Not all insider threats come from bad intentions. In many cases, employees simply make mistakes that lead to security breaches. Some of the most common accidental threats include:
- Sharing sensitive data the wrong way – Sending confidential documents to the wrong recipient, using unsecure cloud storage, or sharing passwords can all put an organisation at risk.
- Weak password habits – Using simple, reused passwords (or worse, writing them down on sticky notes) makes it easy for attackers to gain access.
- Misconfigurations – IT teams accidentally leaving security gaps, such as exposed databases, weak firewall settings, or unpatched software, which can be exploited.
- Lost or stolen devices – An unlocked laptop left in a café, for example, can expose sensitive data.
How to Protect Against Insider Threats
Insider threats don’t always make headlines, but they can be just as damaging as external attacks. When someone with trusted access misuses their position, the consequences can be severe.
According to IBM’s 2024 Cost of a Data Breach Report, insider attacks cost organisations an average of $4.99 million (£4 million) per incident—making them one of the most expensive cyber threats to recover from.
Unlike external attacks, insider threats don’t always trigger alarms—because the person behind them already has access.
So how do you protect against a risk that’s already inside your organisation?
1. Implement Least Privilege Access
The more access employees have, the bigger the risk. As a Cyber Security leader, try to limit access to only what’s necessary for each role.
- Apply role-based access controls (RBAC) so employees only access what they need.
- Use Just-In-Time (JIT) access for admin privileges—grant them temporarily and revoke automatically.
- Revoke access immediately when employees leave to prevent security gaps.
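The three points above (role-based access, time-limited admin rights, revocation on exit) can be modelled in a few dozen lines. The block below is an added example, not code from the original article or from any product it mentions; the roles, permissions, user names and timestamps are constructed for illustration.

```python
"""Least-privilege access model: RBAC plus just-in-time admin grants.

Added example, not code from the original article. The roles, permissions
and user names are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role-to-permission map. Each role carries only what the job
# needs; nobody holds "ticketing:admin" as a standing permission.
ROLE_PERMISSIONS = {
    "front-of-house": {"ticketing:read", "ticketing:issue"},
    "it-support": {"ticketing:read", "helpdesk:write"},
    "it-admin": {"ticketing:read", "ticketing:admin", "servers:admin"},
}


@dataclass
class JitGrant:
    role: str
    expires_at: datetime  # after this instant the grant is dropped


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)         # standing roles
    jit_grants: list = field(default_factory=list)  # temporary elevated roles
    active: bool = True


class AccessPolicy:
    def __init__(self):
        self.users = {}

    def add_user(self, name, roles):
        self.users[name] = User(name, set(roles))

    def grant_jit(self, name, role, ttl, now):
        """Grant an elevated role that expires after `ttl`; refuse for leavers."""
        user = self.users[name]
        if not user.active:
            raise PermissionError(f"{name} is deactivated; no JIT grant possible")
        user.jit_grants.append(JitGrant(role, now + ttl))

    def effective_roles(self, name, now):
        user = self.users.get(name)
        if user is None or not user.active:
            return set()
        # Expired grants are pruned on every check, so revocation is automatic
        # rather than something an admin has to remember to do.
        user.jit_grants = [g for g in user.jit_grants if g.expires_at > now]
        return user.roles | {g.role for g in user.jit_grants}

    def is_allowed(self, name, permission, now):
        return any(permission in ROLE_PERMISSIONS.get(r, set())
                   for r in self.effective_roles(name, now))

    def offboard(self, name):
        """Immediate deactivation: standing roles and JIT grants both go."""
        user = self.users[name]
        user.active = False
        user.roles.clear()
        user.jit_grants.clear()


def demo_scenario():
    """Walk one support engineer through a JIT grant, expiry and offboarding."""
    policy = AccessPolicy()
    policy.add_user("alice", ["it-support"])
    t0 = datetime(2025, 1, 23, 18, 0, tzinfo=timezone.utc)
    results = {"standing_admin": policy.is_allowed("alice", "ticketing:admin", t0)}
    policy.grant_jit("alice", "it-admin", timedelta(hours=1), t0)
    results["within_jit"] = policy.is_allowed("alice", "ticketing:admin", t0 + timedelta(minutes=30))
    results["after_jit"] = policy.is_allowed("alice", "ticketing:admin", t0 + timedelta(hours=2))
    policy.offboard("alice")
    results["after_offboard"] = policy.is_allowed("alice", "ticketing:read", t0)
    return results


if __name__ == "__main__":
    for step, allowed in demo_scenario().items():
        print(f"{step}: {'allowed' if allowed else 'denied'}")
```

The point of pruning inside `effective_roles` is that nobody has to remember to take admin rights away: a grant that has lapsed simply stops counting on the next access check, and an offboarded account returns no roles at all regardless of what was granted before.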
2. Strengthen Offboarding and Third-Party Controls
Offboarding is often a weak spot in security. A fired employee with lingering access is a serious risk—as the British Museum learned first-hand.
- Immediate deactivation: Revoke all credentials, VPN access, and admin rights the moment an employee leaves.
- Monitor recently dismissed employees: If an exit was contentious, keep an eye on logs for any unusual behaviour before they leave.
- Secure third-party access: Contractors and vendors should have limited, monitored access that expires automatically.
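Lingering access is easiest to catch by reconciling the HR leaver feed against what each system still considers an active account. The block below is an added example, not code from the original article; the HR feed, the per-system account exports, the contractor expiry dates and the user names are constructed samples, and in practice they would be pulled from HR, the badge controller, the VPN gateway and the directory.

```python
"""Offboarding reconciliation: find access that should already be gone.

Added example, not code from the original article. The HR leaver feed, the
per-system account exports and the contractor expiry dates are constructed.
"""
from datetime import date

# Constructed HR feed of people who have left.
HR_LEAVERS = [
    {"user": "j.doe", "left_on": date(2025, 1, 20), "type": "contractor"},
    {"user": "m.smith", "left_on": date(2025, 1, 22), "type": "employee"},
]

# Constructed active-account exports, one set per system.
ACTIVE_ACCOUNTS = {
    "badge": {"j.doe", "a.lee", "m.smith"},
    "vpn": {"j.doe", "a.lee", "k.patel"},
    "directory": {"a.lee", "m.smith"},
    "admin-group": {"j.doe"},
}

# Constructed contractor access with a hard expiry date.
CONTRACTOR_EXPIRY = {"j.doe": date(2025, 1, 31), "k.patel": date(2025, 1, 15)}


def systems_holding(user, accounts):
    return sorted(name for name, members in accounts.items() if user in members)


def lingering_access(leavers, accounts, as_of):
    """Leavers (as of `as_of`) who still hold an account on any system."""
    findings = {}
    for leaver in leavers:
        if leaver["left_on"] > as_of:
            continue  # has not left yet
        still_on = systems_holding(leaver["user"], accounts)
        if still_on:
            findings[leaver["user"]] = still_on
    return findings


def expired_contractor_access(expiry, accounts, as_of):
    """Contractor grants past expiry that some system still honours.

    Contractors are often absent from the HR leaver feed, so this check
    is deliberately independent of it.
    """
    findings = {}
    for user, expires_on in expiry.items():
        if expires_on < as_of:
            still_on = systems_holding(user, accounts)
            if still_on:
                findings[user] = still_on
    return findings


def revoke_everywhere(user, accounts):
    """Remove `user` from every system; returns (new_accounts, systems_touched)."""
    touched = systems_holding(user, accounts)
    new_accounts = {name: members - {user} for name, members in accounts.items()}
    return new_accounts, touched


def offboarding_audit(as_of, leavers=HR_LEAVERS, accounts=ACTIVE_ACCOUNTS,
                      expiry=CONTRACTOR_EXPIRY):
    return {
        "lingering": lingering_access(leavers, accounts, as_of),
        "expired_contractors": expired_contractor_access(expiry, accounts, as_of),
    }


if __name__ == "__main__":
    report = offboarding_audit(date(2025, 1, 23))
    for user, systems in report["lingering"].items():
        print(f"LEAVER STILL ACTIVE: {user} on {', '.join(systems)}")
    for user, systems in report["expired_contractors"].items():
        print(f"EXPIRED CONTRACTOR: {user} on {', '.join(systems)}")
```

Run daily, an audit like this turns "did anyone remember to disable the badge?" into a report that names the account and the system. The contractor check matters because third parties often never appear in the HR system at all, so an expiry date attached to the grant itself is the only reliable signal that it should have ended.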
3. Build a Security-First Culture
Technology alone can’t solve the insider threat problem. Security needs to be woven into company culture—not just a checklist.
- Encourage a “See Something, Say Something” mindset: Employees should feel comfortable reporting suspicious behaviour—without fear of backlash.
- Train teams on insider risks: Many companies focus Cyber Awareness training on phishing and external threats. But insider threats deserve just as much attention.
- Conduct simulated insider threat exercises: Test how your security team would respond if an insider tried to access or exfiltrate sensitive data.
4. Protect Sensitive Data
- Data Loss Prevention (DLP) controls prevent unauthorised sharing or exfiltration of critical data.
- Encrypt sensitive files so stolen data remains useless to attackers.
- Restrict USB devices, personal cloud storage, and unauthorised apps to close security gaps.
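A DLP control is, at its core, a policy decision made on outbound content. The block below is an added example, not code from the original article or from any DLP product; the internal domain, the classification marker, the sample messages and the rule set are constructed assumptions, and a real product would also inspect attachments, uploads and removable media.

```python
"""Outbound message check in the style of a DLP control.

Added example, not code from the original article. The internal domain,
the classification marker and the sample messages are constructed.
"""
import re

INTERNAL_DOMAIN = "museum.example"      # constructed
CLASSIFICATION_MARKER = "CONFIDENTIAL"  # constructed document label
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"to": ["partner@outside.example"],
     "body": "CONFIDENTIAL: donor card on file is 4111 1111 1111 1111."},
    {"to": ["finance@museum.example"],
     "body": "Confidential draft budget attached for review."},
    {"to": ["visitor@outside.example"],
     "body": "Please process the refund for ticket order 1234567812345678."},
]


def luhn_valid(digits):
    """Luhn check, so that order numbers and IDs do not trip the rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text):
    """Return masked card numbers found in `text` (only Luhn-valid ones)."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])  # never log the full PAN
    return found


def is_external(recipient):
    return recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def inspect(message):
    """Block when sensitive content would leave the organisation; otherwise allow
    but keep the findings so they can be logged."""
    findings = []
    if CLASSIFICATION_MARKER in message["body"].upper():
        findings.append("classification-marker")
    if find_card_numbers(message["body"]):
        findings.append("card-number")
    external = [r for r in message["to"] if is_external(r)]
    verdict = "block" if external and findings else "allow"
    return {"verdict": verdict, "findings": findings, "external": external}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = inspect(msg)
        print(f"{result['verdict']:5} to={msg['to']} findings={result['findings']}")
```

Two design choices are worth noting. The Luhn check keeps the card rule from firing on every long number (ticket references, order IDs), which is what makes such controls tolerable to users; and card numbers are masked before they are returned, so the DLP log does not itself become a place where the sensitive data ends up.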
The British Museum Breach: What Happened?
The British Museum fell victim to an insider cyber-attack, forcing it to partially close its doors and disrupting key services. The incident was not caused by an advanced cybercriminal group or a ransomware attack. It was an inside job carried out by a dismissed IT contractor.
The individual managed to re-enter the museum and shut down several critical systems, including its ticketing platform. The disruption was significant: ticket holders were unable to access exhibitions, temporary galleries had to be closed, and the museum was forced to issue refunds. The attack happened on a Thursday evening, and by Friday, the British Museum was still struggling to restore normal operations.
The Metropolitan Police responded to the breach and arrested the individual at the scene on suspicion of burglary and criminal damage. However, the damage had already been done.
Key Vulnerabilities Exploited
Several security failures allowed this attack to happen. The biggest issue was delayed access revocation. The contractor had already been dismissed but still managed to gain physical entry to the museum. This suggests that their physical and digital access credentials were not revoked immediately—a serious oversight in offboarding procedures.
Another major vulnerability was the lack of insider threat monitoring. Had proper monitoring been in place, unusual access patterns—such as a former employee attempting to log in or modify systems—could have raised red flags before the attack escalated.
Physical security controls were also too weak. Even after being dismissed, the individual was able to physically enter the museum and access IT infrastructure. This raises questions about the museum’s security measures: How was the contractor able to re-enter the building? Were visitor logs and badge access controls properly enforced? Organisations often focus heavily on Cyber Security while overlooking physical security risks, but as this incident shows, both need to work together.
Lessons Learned From The Attack
- Immediate Offboarding is Critical – When an employee or contractor leaves, their access—both physical and digital—must be revoked immediately.
- Strengthen Physical Security – If an ex-employee can walk back into a restricted area, security controls need urgent improvement. Regular audits of visitor logs, stricter badge access policies, and enhanced physical security measures should be standard practice.
- Monitor for Suspicious Behaviour – Behaviour analytics, system access monitoring, and anomaly detection can spot red flags early and prevent incidents from escalating.
- Don’t Underestimate Insider Threats – It’s easy to focus on external cybercriminals, but insiders often have the access and knowledge needed to cause major disruption. A zero-trust mindset, layered security measures, and proactive monitoring can reduce these risks.
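The monitoring the lessons above call for comes down to two questions asked of every log event: is this account supposed to exist any more, and is this a privileged action at an unusual time? The block below is an added example, not code from the original article; the log lines, the key=value log format, the termination timestamps and the 08:00 to 18:00 UTC business window are constructed assumptions, and the parser would need adapting to the real door-controller, directory and application logs.

```python
"""Detection rules for post-termination and off-hours privileged activity.

Added example, not code from the original article. Log lines, log format,
termination times and the business-hours window are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed leaver list: user -> moment their access should have ended.
TERMINATED = {
    "j.doe": datetime(2025, 1, 20, 17, 0, tzinfo=timezone.utc),
}

# Actions that affect service availability or configuration.
PRIVILEGED_ACTIONS = {"service_stop", "config_change", "user_delete"}
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 UTC, constructed assumption

# Constructed sample log lines: timestamp, source, then key=value pairs.
SAMPLE_LOG = """\
2025-01-23T09:05:00Z auth system=ticketing user=a.lee action=login result=success
2025-01-23T10:10:00Z auth system=ticketing user=a.lee action=config_change result=success
2025-01-23T19:42:10Z badge door=server-room user=j.doe result=granted
2025-01-23T19:45:02Z auth system=ticketing user=j.doe action=login result=success
2025-01-23T19:47:30Z auth system=ticketing user=j.doe action=service_stop result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts, "source": m["source"]}
    for pair in m["rest"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def evaluate(event):
    """Apply both rules to one event and return the alerts raised."""
    alerts = []
    user = event.get("user")
    ended = TERMINATED.get(user)
    if ended and event["ts"] > ended:
        # Any activity at all from a terminated account, badge or login,
        # means revocation did not happen.
        alerts.append({"rule": "terminated-user-activity", "user": user,
                       "source": event["source"], "ts": event["ts"].isoformat()})
    if event.get("action") in PRIVILEGED_ACTIONS and event["ts"].hour not in BUSINESS_HOURS:
        alerts.append({"rule": "off-hours-privileged-action", "user": user,
                       "action": event["action"], "ts": event["ts"].isoformat()})
    return alerts


def scan(log_text):
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            alerts.extend(evaluate(event))
    return alerts


def summarise(alerts):
    counts = {}
    for alert in alerts:
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(summarise(found))
```

On the constructed sample the badge event is the first thing to fire: a door opening for a terminated account is a physical-security signal that lands in the same rule set as a login, which is the "both need to work together" point the incident makes. The off-hours rule fires independently of employment status, so a service stop in the evening by a current admin would still be flagged for review.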
The British Museum breach wasn’t the result of sophisticated hacking techniques—it was a preventable failure in access management, monitoring, and security policies.
Let Us Help You Prevent Insider Threats
The British Museum breach is a stark reminder that insider threats can be just as damaging as external cyber-attacks. Weak offboarding processes, poor access controls, and a lack of monitoring create opportunities for security incidents that could otherwise be prevented.
At Equilibrium Security, we help businesses strengthen their defences through physical security testing, Cyber Awareness training, and proactive Cyber Security strategies. If you want to safeguard your organisation against insider threats, get in touch with our team today at 0121 663 0055 or enquiries@equilibrium-security.co.uk. Let’s work together to keep your business secure—inside and out.