Unseen Moves: The Chessboard of Human Intelligence Source Management
Clue has released a new report exploring the growing risk of insider threats and how organisations can build intelligence-led capabilities to prevent them before harm is done.
As insider incidents grow in scale and severity – from data leaks and sabotage to ransomware and espionage – Insider Threat Assessment: The Case for Intelligence-Led Prevention highlights the urgent need for a proactive, joined-up approach to this rising security challenge.
In the report’s foreword, Matt Horne, Director of Intelligence & Investigations at Clue, writes:
“Insider threats are not merely technical anomalies – they are intelligence failures. Failing to anticipate, contextualise, and understand insider behaviour is a failure to see the full risk picture.”
Drawing on real-world case studies from policing, defence, and corporate security, the report reveals how traditional detection tools often miss key warning signs and how organisations can move beyond reactive response to strategic prevention.
The report explores:
- The evolving motivations behind insider behaviour – from ideology to coercion
- Critical case studies from national security and corporate environments
- A behavioural-led framework for risk detection and cross-functional response
- Why traditional tools like SIEMs are falling short
- How Clue enables integrated, intelligence-driven insider threat prevention
Insider threats are no longer fringe risks – they’re a mainstream security challenge impacting governments, businesses, and institutions alike. The report calls on organisations to rethink outdated approaches and embrace intelligence as a core function of insider risk management.
The report is available to access here.
Ransomware attacks are no longer the exclusive domain of faceless hackers exploiting remote digital vulnerabilities. Increasingly, they hinge on a more accessible and exploitable asset: insiders. Whether negligent, compromised or complicit, employees, contractors and third-party partners are now central to the ransomware threat landscape.
Rethinking the narrative
The traditional story of ransomware centres on brute-force attacks, phishing or vulnerability exploitation from the outside. But recent high-profile incidents reveal a more complex picture – one where the “attack surface” includes people inside the organisation. Social engineering, third-party compromise and credential misuse are the new frontlines of ransomware campaigns.
The insider factor in ransomware: sector highlights
Retail sector
Marks & Spencer (April 2025)
The Scattered Spider group impersonated M&S IT staff to bypass service desk protocols. By disabling multi-factor authentication, they deployed ransomware that disrupted online shopping, payments and loyalty systems – wiping £300 million from operating profits and £1 billion from market value.
Co-op Group (April 2025)
A ransomware attack exploited third-party vendor vulnerabilities to access and compromise Co-op’s back-office and customer service systems, exfiltrating sensitive data and crippling daily operations.
Harrods (April 2025)
Although ransomware was not deployed, a thwarted attack prompted a lockdown of internet access across Harrods’ sites. The attempt exposed weaknesses in third-party access control and the importance of insider vigilance.
Victoria’s Secret (UK) (May 2025)
A ransomware attack took systems offline for days and delayed financial disclosures. Internal credential mismanagement provided the entry point.
Law enforcement sector
Greater Manchester Police (September 2023)
Over 12,500 staff had personal data compromised when ransomware targeted their ID card supplier. Exposed information included names, photos and badge numbers – valuable assets for coercion or impersonation.
Metropolitan Police (August 2023)
A third-party supplier breach led to unauthorised access to sensitive personnel records, raising concerns over both officer safety and insider exposure.
Eurofins Forensics (June 2019)
The ransomware attack that halted forensic services across the UK forced law enforcement to delay thousands of investigations. Reports indicate the ransom was paid to restore operations.
Healthcare sector
NHS 111 / Advanced (August 2022)
Attackers used a compromised third-party credential to deploy LockBit 3.0 ransomware, disrupting ambulance dispatch, referrals and mental health services. The impact lasted weeks, and data exfiltration was confirmed.
Local government
Hackney Council (October 2020)
Pysa ransomware actors exploited a dormant internal account and an unpatched vulnerability, crippling council services from housing to benefits. The recovery cost exceeded £12 million.
Redcar & Cleveland Council (2020)
A phishing email led to a total systems lockdown and weeks of manual operations. The financial impact surpassed £10 million – all triggered by a simple staff mistake.
What ransomware groups look for in insiders
Ransomware operators increasingly exploit:
- Financially vulnerable individuals – those under economic stress are more susceptible to coercion or bribery
- Privileged access holders – admin-level users offer the fastest route to mission-critical systems
- Disgruntled employees – workplace dissatisfaction can drive malicious intent or indifference to risk
- Third-party vendors – external partners with internal access, often less monitored, are easy prey
Why traditional cybersecurity falls short
Security protocols typically assume threats come from outside. This leaves insider actions – whether malicious or accidental – dangerously under-monitored.
Key shortcomings include:
- Trusted status – insiders bypass many traditional cyber defences simply by operating within the perimeter
- Limited behavioural monitoring – subtle anomalies like off-hour access or unusual data transfers may not raise alerts
- Under-scrutinised third-party access – external partners often enjoy extensive access with limited oversight
An intelligence-led insider risk strategy
To counter this evolving threat, organisations must adopt a more holistic, intelligence-driven approach:
- Behavioural analytics – leverage tools that detect deviations in user behaviour and access patterns
- Cross-functional collaboration – align IT, HR, compliance and security teams to create a unified risk profile of users
- Third-party risk management – rigorously vet and continuously monitor vendors, especially those with privileged access
Reframing the ransomware risk
Recent incidents involving M&S and Harrods make one thing clear: ransomware is no longer just a cybersecurity problem – it’s a human and operational risk. Defenders must understand that ransomware may not start with a firewall breach. It could begin with a message to an employee’s personal device, or a compromised contractor logging in with trusted credentials.
Want to stay ahead of insider threats?
Access our latest Insider Threat Assessment to understand why insider risk is increasing and why traditional cybersecurity tools like SIEMs aren’t enough. This report uncovers a new intelligence-led approach for early detection and prevention.
Inside you’ll find:
- The evolving tactics and motivations behind insider incidents
- Real-world case studies from government, law enforcement, defence and private sectors
- Why insider threats often evade traditional cyber defences
- A practical framework for behavioural monitoring and cross-functional response
- How Clue enables organisations to uncover hidden risks through integrated intelligence
Get the full report and strengthen your insider risk strategy today.
On June 3rd, Clue Software convened a high-level Public Sector Economic Crime Leadership Event at the TLT headquarters in London. Bringing together senior figures from across government, law enforcement, and regulatory bodies, the closed-door session addressed one of the UK’s most pressing challenges: economic crime.
Chaired by Ian Dyson QPM, former Commissioner, City of London Police, distinguished attendees included senior leaders from:
- City of London Police (COLP)
- Department of Health and Social Care (DHSC)
- National Economic Crime Centre (NECC)
- NHS Counter Fraud Authority (NHSCFA)
- Serious Fraud Office (SFO)
- Insolvency Service
- Driver and Vehicle Standards Agency (DVSA)
- Public Sector Fraud Authority (PSFA)
- HM Revenue & Customs (HMRC)
- The Office of Trade Sanctions Implementation (OTSI)
- TLT
Hosted by Clare Elford, CEO of Clue Software, the event was held under the Chatham House Rule to encourage open, candid discussion and cross-sector collaboration. The day concluded with a private dinner, reinforcing relationships and dialogue among stakeholders committed to combating economic crime.
The following insights reflect the key themes and takeaways shared across sectors during the event.
Urgency, scale, and public confidence
Economic crime accounts for nearly half of all reported crime in the UK, with estimated public sector losses reaching £59 billion annually. The scale of the threat – from individuals to organised crime groups and state-level actors – poses systemic risks to financial stability and public trust. A shared understanding emerged: economic crime is not a victimless offence, and failure to respond effectively undermines confidence in policing and public services.
The need for crime prevention as the core mission – not just detection and prosecution – was reaffirmed, supported by credible strategies, resourcing, and partnerships.
Technology, AI, and the changing threat landscape
Criminals are adopting advanced technologies at pace, exploiting AI, digital platforms, and commercially available fraud tools. Financial services organisations remain under pressure, often lagging in tech adoption due to regulatory constraints and governance layers.
Key threat trends include a rise in ‘CEO’ and impersonation scams, social engineering powered by AI, and fraud-as-a-service operations. With 80% of fraud now originating online and 70% of it linked internationally, the case for cross-border, tech-enabled collaboration is more urgent than ever.
Civil vs. criminal approaches
There was consensus that disrupting economic crime requires flexible tools – including both civil and criminal powers. Asset tracing, sanctions, and regulatory enforcement are increasingly used to tackle high-impact targets and enablers. However, deploying these tools effectively demands new skill sets, cultural change, and clearer decision-making frameworks across public sector bodies.
Civil action can deliver faster, more scalable outcomes – particularly in cases involving complex financial structures and international actors – but remains underutilised.
Coordinated disruption and poly-criminality
Strategic case studies, such as Operation Destabilise, highlighted the power of coordinated multi-agency disruption. Targeting crypto-enabled laundering networks linked to ransomware, drugs, and sanctions evasion, the operation resulted in significant arrests, asset seizures, and global enforcement actions.
These examples show the growing convergence of threat types and the critical importance of targeting enablers – individuals, infrastructure, and services – to deliver broader system impact.
Partnership, talent, and innovation
Across agencies, challenges persist around recruitment, retention, and skills development. Initiatives like the City of London Police’s Economic Crime Academy and secondment programmes, along with alignment to the Government Counter Fraud Profession, were cited as promising models. There is strong support for professionalising economic crime functions and enhancing interoperability across public bodies.
Public-private partnerships emerged as a critical enabler – particularly in complex investigations. Technology platforms like Clue are helping bridge resource gaps, improve intelligence sharing, and accelerate investigations, but more strategic investment and longer-term procurement thinking are needed.
Measuring success and driving change
The event highlighted a shared recognition of the need to better communicate the meaningful impact made by those combating economic crime in the public sector – whether through criminal sanctions, civil recovery, or a combination of both.
A clear call to action emerged: greater collaboration between the public and private sectors is essential to strengthen prevention and disruption strategies. This includes sharing intelligence, pooling resources, and aligning incentives to address the root causes and enablers of economic crime.
Notably, insight from the banking sector underscored the power of regulation in driving action – emphasising that, as a regulated industry, they prioritise controls they must implement, not just those they should. This prompted reflection on whether similar regulatory clarity and enforcement could help focus public sector investment and commitment to counter-fraud functions.
Clue is proud to support the agencies and individuals leading the fight against economic crime. If you’d like to learn more about our work, technology, or how we’re supporting the public sector, please contact us or visit our website to explore Clue for Economic Crime.
As the UK faces an increasingly complex and volatile border environment, we’ve released a comprehensive new report, Securing the UK’s Maritime and Border Domains: The Imperative for Integrated Intelligence. The report explores the evolving threat landscape and provides a roadmap for a smarter, intelligence-led approach to national security.
From hostile state activity and grey zone operations to AI-enabled smuggling and insider threats, the UK’s border and maritime sectors are under intense pressure. As highlighted in the report’s foreword by Matt Horne, Director of Intelligence & Investigations at Clue, “The risks facing the UK’s borders and maritime domain have never been higher.”
Drawing on insights from law enforcement professionals, intelligence experts, and data from agencies such as the National Crime Agency (NCA), the report outlines the top five threats facing UK border security, including:
- Irregular migration and organised immigration crime
- Hybrid threats to critical infrastructure
- Sophisticated smuggling operations
- Insider infiltration at ports and customs
- Criminal exploitation of AI and emerging technologies
In the report, Matt warns that “AI is not just a tool for enhancing efficiency; it’s becoming a weapon in the hands of those seeking to exploit border vulnerabilities.” The document details how criminals are now using deepfake technology, AI-guided drones, and even impersonation of officials to bypass security systems.
In response to these evolving threats, the report calls for an integrated, intelligence-led approach to security. “Success depends on robust multi-agency coordination, seamless international cooperation, and the timely, effective sharing of intelligence,” Matt writes.
The report underscores the importance of breaking down data silos between agencies and equipping frontline personnel with the tools they need to act decisively. It makes a strong case for technology as an enabler of cross-agency collaboration, particularly platforms like Clue’s, which support secure, scalable case and intelligence management.
Available to access here, this is essential reading for professionals in national security, immigration, customs, maritime enforcement, and anyone responsible for safeguarding the UK’s borders.