3 Key Takeaways
- Most insider risk comes from disengagement and broken promises that breeds complacency.
- Every employee has a written employment contract — and an unwritten psychological contract. Leaders break the latter by tone, decisions, and neglect, destroying compliance, IP protection, and security culture.
- Fixing insider risk is a leadership and culture job: rebuild trust, design human-centred security, and make psychological safety non-negotiable.
When Everyday Shortcuts Turn Into Insider Incidents
Let me start with something I’ve seen more times than I care to admit. Picture a mid-sized Australian tech or engineering business. Solid team, tight deadlines, not enough hours in the day. One of the long-serving employees — let’s call him Sam — quietly stops using the secure file transfer process because it slows everything down. He’s not trying to cause trouble; he’s just trying to keep up.
Over time, that workaround becomes the “unofficial way we do things.” No one corrects it, and Sam assumes it’s fine — until a contractor’s system gets compromised and sensitive design files leak. Suddenly a behaviour that once looked harmless triggers a full-blown insider incident.
This is exactly how most insider events begin in SMBs: not with a malicious actor, but with a frustrated, overloaded employee taking the path of least resistance because the environment around them makes compliance feel optional.
Insider Incidents Hit Business Where It Hurts
The Australian numbers back what many of us see on the ground. Insider risk isn’t a fringe problem — it’s now one of the core business risks facing high-tech SMBs.
The OAIC recorded 1,113 data breaches in 2024, the highest since mandatory reporting began — and 30% were caused by human error, not hackers.¹ Another 5% came from malicious or rogue insiders.¹
And when these incidents involve knowledge leakage or sensitive IP — the kind of material SMBs rely on — the average cost is US$2.8 million per incident (~AU$4.2 million).⁶ That’s not theory; that’s the financial reality for knowledge-intensive organisations when someone bypasses a process, uploads the wrong file, or shares information through an insecure channel.
Insider risk isn’t just a cybersecurity issue. It’s a direct business cost — lost trade secrets, disrupted projects, contract delays, and expensive remediation.
Insider Risks Rise When Psychological Contracts Break
Here’s the part leaders don’t always see — and in my 20 years of dealing with insider risk, it’s the uncomfortable truth that makes all the difference.
Complacent employees don’t disengage instantly — they fade. Insider risks don’t start with bad intentions. They start with small cracks in the relationship between people and leadership. When workloads become unsustainable, communication dries up, people leaders get overloaded, or priorities shift without explanation, employees don’t lash out — they withdraw. They get quieter. They worry about their future. And eventually, they look after themselves first.
The psychological contract breaks long before the written one. This unwritten agreement — built from tone, fairness, growth opportunities, and leader behaviour under pressure — dictates whether people follow processes willingly. When it breaks, employees stop going the extra step. They cut corners. They tune out. And that’s when insider incidents begin.
In other words: insider threats don’t emerge in a vacuum. They emerge when the workplace environment makes compliance feel difficult, unrewarded, or irrelevant.
What Leaders Can Do (Four Practical Moves)
Insider risk management isn’t a technical challenge — it’s a leadership discipline. Technology helps identify where problems are bubbling, but it can’t fix the human root cause. Here’s how to turn the tide:
- Create Psychological Safety
People need to feel safe admitting mistakes, raising concerns, and reporting anomalies. If teams fear judgment or consequences, they will stay silent — and silence is where insider incidents hide. - Design Human-Centred Security
Controls must actually work in the flow of real work. If security friction becomes overwhelming, people will bypass it. Middle managers must be involved in redesigning processes so controls support productivity, not fight it. - Lead Through Uncertainty
During restructures, cost pressure, AI disruption, or operational change, employees look to leaders for meaning and direction. Clear communication prevents fear-based behaviours that increase both accidental and malicious insider risk. - Rebuild the Psychological Contract
This isn’t about perks — it’s about predictability, fairness, respect, and care. People need to see a path forward, feel valued, and believe leadership behaviour matches the organisation’s stated values. When the psychological contract is healthy, compliance becomes natural — not forced.
Conclusion
Most insider risks don’t rise because employees suddenly become untrustworthy. They rise when leadership, culture, and work conditions drift in ways that make compliance harder, not easier.
If we want to reduce insider events in Australia’s high-tech SMB sector, adding more controls isn’t enough. We need to understand the human dynamics that cause people to break them — often unintentionally.
And that starts with leaders.
Further Reading
- Curwell, P. (2023). 6 steps to improving security and integrity culture in the workplace
- Curwell, P. (2025). Hiring From Competitors? You Could Be One Lawsuit Away from a Legal Nightmare
- Curwell, P. (2025). Worker Mistreatment – the hidden threat to your business
- OAIC (2024). Notifiable Data Breaches Report – January to June 2024.
- Intelligent CIO APAC (2025). Insider Threats Driven by AI Expected to Surge in Australia.
- Insurance Business Magazine (2024). Insider Threats Outpace External Risks for Australian Firms.
- Australian Institute of Criminology (2024). The Cost of Espionage to Australian Businesses.
- ArXiv (2023). Knowledge Leakage in Knowledge-Intensive Organisations: Quantifying Cost and Impact.
