Yotam Gurtman

29-12-2025

When the Insider Is Remote: VPNs Increase the Potential Risk of Rogue Insiders

Remote work has amplified insider threats by extending VPN-based access beyond the perimeter. When credentials become the only gate, disgruntled or compromised insiders can exfiltrate data at scale—turning trusted access into a breach path.

Remote work didn’t create the insider threat—but it scaled it.

In a hybrid world, employees, contractors, and admins can reach sensitive systems from anywhere. And for many organizations, the default mechanism is still the same: a VPN tunnel gated by a username and password (sometimes plus MFA). That approach is convenient, but it can quietly turn identity into the first, and sometimes only, line of defense.

The result: when a trusted user becomes disgruntled, careless, compromised, or simply about to leave, the path to critical data may be as simple as “log in like normal.”

Insider threat by the numbers

Insider risk isn’t a niche issue. Multiple recent surveys point to it as a mainstream problem affecting most organizations:

  • 83% of organizations reported at least one insider attack in the last year, and the share reporting 11–20 insider attacks jumped dramatically year-over-year (from 4% to 21%). (IBM)
  • Insider incidents aren’t just common—they’re expensive. In the same reporting, 32% of organizations said recovery costs averaged $100k–$499k, while 21% reported costs of $1M–$2M. (IBM)
  • 61% of organizations suffered file-related breaches caused by negligent or malicious insiders in the past two years, with an average cost of $2.7M per incident. (BetaNews)

Those numbers matter for one simple reason: VPN access extends the reach of insider actions. If a user can reach internal file shares, dev repositories, ticketing systems, or admin consoles from home or any other remote location, the traditional perimeter controls no longer stand between that user and the data, and exfiltration becomes a matter of copying files over an already-trusted tunnel.

Why VPNs amplify insider risk

VPNs were built to solve a connectivity problem: “Make a remote device feel like it’s on the corporate network.” That design choice has security consequences:

  1. Network-level trust is broad by default
    Once connected, users often gain access to many internal systems, such as shared folders, admin portals, legacy apps, etc.
    That increases the blast radius when the user has malicious intentions.
  2. Credentials become the control plane
    If the “decision” is primarily “Did the user authenticate?”, then anyone with valid credentials is effectively treated as legitimate—even if the context is wrong (new device, unusual geography, odd hours, massive downloads).
  3. Offboarding becomes a race condition
    Layoffs, resignations, and terminations create a predictable risk window: users still have access, emotions may run hot, and defenders may be distracted or simply unaware that they must act swiftly to minimize the risk.
  4. The insider/outsider line blurs
    A “trusted login” might be a real employee, an attacker using stolen credentials, or someone enabled by an insider. The VPN doesn’t inherently tell you which.
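The four points above describe the context a credential check ignores: whether the account was just offboarded, whether the device and location match the user's history, whether the session runs at odd hours, and how much data leaves. As an added illustration (not code from the post or from ZeroPort), the following Python script runs those checks over a constructed VPN session log. The log format, user baselines, and thresholds are hypothetical; the point is that each of the signals named above can be evaluated after authentication succeeds rather than treating the password match as the only decision.

```python
"""
Context checks a gateway or SIEM could apply beyond "did the password match".
All data below is constructed for illustration; the key=value log format,
device names, and thresholds are hypothetical, not from any real VPN product.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample session records (hypothetical key=value format).
SAMPLE_LOG = """\
ts=2025-07-28T09:12:00 user=alice device=LT-0412 country=US bytes_out=52000000
ts=2025-07-29T02:40:00 user=alice device=LT-0412 country=US bytes_out=48000000
ts=2025-07-29T22:05:00 user=bob device=HOME-NAS-01 country=US bytes_out=9800000000
ts=2025-07-30T10:00:00 user=carol device=LT-0910 country=BR bytes_out=12000000
ts=2025-07-30T10:03:00 user=dave device=LT-0555 country=US bytes_out=3000000
"""

# Hypothetical per-user baselines an organization would derive from history.
KNOWN_DEVICES = {"alice": {"LT-0412"}, "bob": {"LT-0777"},
                 "carol": {"LT-0910"}, "dave": {"LT-0555"}}
USUAL_COUNTRY = {"alice": "US", "bob": "US", "carol": "US", "dave": "US"}

# Users whose termination HR has processed, with the effective time.
# Any session at or after this time is inside the offboarding race window.
OFFBOARDED = {"dave": datetime(2025, 7, 30, 9, 0, 0)}

BUSINESS_HOURS = (time(7, 0), time(20, 0))
LARGE_TRANSFER_BYTES = 1_000_000_000  # 1 GB per session; tune per environment


@dataclass
class Session:
    ts: datetime
    user: str
    device: str
    country: str
    bytes_out: int


def parse_line(line):
    """Parse one key=value record into a Session."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Session(
        ts=datetime.fromisoformat(fields["ts"]),
        user=fields["user"],
        device=fields["device"],
        country=fields["country"],
        bytes_out=int(fields["bytes_out"]),
    )


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def assess(session):
    """Return the list of context signals a session trips (empty if none)."""
    findings = []
    terminated_at = OFFBOARDED.get(session.user)
    if terminated_at and session.ts >= terminated_at:
        findings.append("post-termination-access")
    if session.device not in KNOWN_DEVICES.get(session.user, set()):
        findings.append("new-device")
    if session.country != USUAL_COUNTRY.get(session.user):
        findings.append("unusual-geography")
    start, end = BUSINESS_HOURS
    if not (start <= session.ts.time() <= end):
        findings.append("off-hours")
    if session.bytes_out >= LARGE_TRANSFER_BYTES:
        findings.append("large-transfer")
    return findings


def triage(text):
    """Map each user to the sorted set of signals any of their sessions tripped."""
    per_user = {}
    for session in parse_log(text):
        signals = assess(session)
        if signals:
            per_user.setdefault(session.user, set()).update(signals)
    return {user: sorted(signals) for user, signals in per_user.items()}


if __name__ == "__main__":
    for user, signals in triage(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(signals)}")
```

In the constructed data, the only user who would be stopped by a password check alone is nobody: every session authenticated. The context checks separate a routine late login (alice) from a session that combines an unknown device, off-hours timing, and a multi-gigabyte transfer (bob), and they surface a login that occurred after the account's owner had been terminated (dave), which is exactly the offboarding window described above.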

Notable incidents: when “normal remote access” becomes the breach path

Some recent incidents illustrate a recurring theme: legitimate access paths (accounts, passwords, remote connectivity) are often all that’s needed.

1) Intel: large-scale data theft during the offboarding window

In a widely reported case, Intel sued a former employee accused of exfiltrating a massive volume of sensitive files shortly before departure. According to several sources, the employee allegedly downloaded ~18,000 sensitive files near the end of July 2024, after receiving termination notice earlier that month. A first attempt was reportedly blocked by DLP controls, but a later transfer succeeded. He allegedly used a network-attached storage (NAS) device connected to the work laptop/account to pull the files, meaning he still had a working remote connection after being terminated. (PC Gamer)

2) Opexus: post-termination access and destructive insider activity

Government contractor Opexus fired employees, and one of the individuals allegedly remotely accessed the company network minutes after termination, then proceeded to delete large volumes of databases and copy sensitive files tied to federal agencies. The reporting also highlights the company later acknowledging it failed to ensure the individuals could no longer access systems immediately upon termination. (CyberScoop)

3) Brazil: an employee sells credentials and enables remote access

In a July 2025 incident involving Brazil’s PIX instant payment ecosystem, an employee at C&M Software allegedly sold his login credentials to hackers. Reporting says the attackers guided him through steps including creating separate accounts and enabling remote access, contributing to a theft reportedly exceeding $100M. (The Record from Recorded Future)

4) TSMC: alleged trade secret theft by employees (and the limits of “trusted access”)

TSMC employees (and at least one former employee) were arrested over allegations related to stolen intellectual property and details of advanced chip development. The reporting notes this was tied to Taiwan’s amended National Security Act, with potential penalties including up to 12 years in jail and significant fines. (Tom's Hardware)

The core issue: credentials cannot be your only gate

Across these incidents, the consistent problem is that organizations treat authentication as authorization. VPNs made remote work possible at scale, but they also made it easier for insiders (and insider-enabled attackers) to operate with speed, anonymity, and reach.

ZeroPort Fantom Edge is a hardware-enforced, non-IP connection at the network boundary, eliminating the risk of credential abuse and data exfiltration and theft by rogue employees. Contact ZeroPort today to schedule a demo.
