Things Matt Wrote

risk

For those of us old enough to remember, the classic comedy show Monty Python's Flying Circus had a series of skits parodying the Spanish Inquisition. The catchphrase “No one expects the Spanish Inquisition” was declared to explain the surprise when the trio of inquisitors suddenly appeared. I always think of this exclamation when I read about a company being pwned by a malicious employee. No one expects the insider!

But the larger question is “why not?” Why is everyone still so shocked when a business is exploited through the effort of a bad employee? At some point it must be expected; you are going to be attacked from the inside. And shame on you if you fail to take (any) proactive steps to prevent it.

The most recent sensational insider threat story comes from the digital game provider Roblox. Allegedly, an employee was paid to provide access to Roblox records, including the backend customer service panel and player accounts. Joseph Cox has written a full exposé for Motherboard (Vice).


I cannot dismiss the similarities between the current COVID-19 threat to human life and the threat of damage from cyber actors that businesses face every day – and have faced since they plugged into the Internet. Of course, it must be understood that the stakes are much higher when humanity is facing down a deadly virus, as the ultimate end can be death, not the loss of money, data, or reputation.

In the debate over when to “re-open” our now closed lives and return to “normalcy”, the news reporters and pundits often lament the aspect of risk. But they rarely get it right.
