Cybersecurity and bad actors: who's committing these crimes?

Internet fraud and cyber security threats are an ongoing problem, routinely initiated by bad actors, also called cyber threat actors (CTAs). These bad actors can be one person, or a group, that intends malice or harm to computers, computer systems and networks. They are cybercriminals who use techniques such as hacking, phishing and other scams for a variety of malicious reasons, often for personal gain. Bad actors, or CTAs, can be both external and internal to an organization. It is important to stay vigilant about cyber security across all levels of your company.

Identifying bad actors

There are different types of bad actors that include, but may not be limited to, the following:

Cybercriminals ― People who use malware, ransomware, and phishing scams for personal or financial gain.

Hackers/activists (“hacktivists”) ― People who are activists and will attack systems to try to find damaging information about a company or person to help prove and spread their ideology or message. They may also look for ways to disrupt business or shut down a company for their own publicity.

Internal bad actors ― These are people who may be current employees, former employees, contractors, or others who have, or had, some system access that allows them to circumvent security measures and engage in an internally driven cyber attack for personal gain, revenge or even sabotage.

Governmental bad actors ―  These are people from foreign sources who are funded by governments to conduct a cyber attack and computer espionage to try to discover confidential information for political purposes or financial gain.

Cyberterrorists ―  These include people whose primary goal is to attack and cause damage or disruption to critical networks and computer systems.  Their attacks will focus on entities such as municipalities, water supplies, utilities and the power grid.

Bad actor prevention tips

To prevent bad actors from becoming successful in their attempts to attack your network or computer systems, it is important to consistently maintain active and up-to-date cyber security best practices.  These best practices should include:

  • Routine password changes
  • Background screening for those allowed computer access
  • Automatic time-outs with sign-off requirements when users are away from their desks
  • Immediate termination of computer access and return of critical equipment when an employee leaves or is fired

Be careful of providing valuable personal data online.  Avoid cute schemes or social media questionnaires that could lead a bad actor to learn more about you personally and that can help them guess passwords.

Be careful about online communications with people who may conceal their true identities.  They may try to act as a trusted source, an expert, a subject matter consultant and even a confidante to trick you into providing sensitive and confidential information about yourself and/or the company you work for.

Be wary of “advance-fee” demands or so-called “emergency situations” where you must provide advance payment or “something bad will happen” to you, a family member, or a friend.

Understand that “social engineering” happens when cybercriminals use carefully worded emails, voice messages and text messages to convince people to transfer money, provide sensitive information or even download files to their computers.

How to manage a data breach by a bad actor

Be sure to have a business continuity plan already in place.  An updated and documented plan for any potential data breach will help you and your company address the situation in a timely and organized manner.

When a data breach occurs, consult with your IT team and data forensics experts to help you learn more about the breach and then try to immediately secure all related areas. This would include changing all access permissions right away and updating user credentials and passwords.

Check your company’s online presence and remove any information that may have been posted online because of the data breach and hack. 

When the immediate threat has been controlled, work with your team to strengthen your computer systems and networks, identify any further vulnerabilities, and strengthen all other defenses against future attacks. Once a cybercriminal is successful, they may revisit your networks to see if they can do it again.

Additional resources

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) regularly updates its website with the Top Routinely Exploited Vulnerabilities by Cyber Threat Actors. More information can be found on the CISA page titled “Top Routinely Exploited Vulnerabilities”.

According to CISA, best practices include updating software versions as soon as patches are available.

CISA also indicates that “attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.”


This material is provided for informational purposes only and does not provide any coverage or guarantee loss prevention. The examples in this material are provided as hypothetical and for illustration purposes only. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations contained herein will make any premises, or operation safe or in compliance with any law or regulation. By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.

LC 2022-224