Public sector insider risk: the threat no one wants to talk about

NetClean

“It’s not your fault this is on your network. But it is your responsibility.”

You are a hospital director. A headmaster. A school superintendent. A social services director. A municipal CEO.

You did not ask for this responsibility. But you have it.

There is a real possibility that someone in your organization is consuming child sexual abuse material using work systems. You do not know about it. Your systems do not know about it. And that person has no intention of telling you.

In October 2025, a member of the Swedish parliament submitted a motion calling for public sector organizations to implement detection tools for exactly this type of risk. The question is no longer whether this problem exists. The question is who acts.

Because these individuals do not appear in any system.

Hidden human risk inside trusted environments

A documentary series recently released on Spotify, Barnläkaren (The Pediatrician), makes for deeply disturbing viewing. But it reveals something important: these individuals often look completely ordinary. And they actively seek out environments where children are present.

Healthcare. Schools. Social services.

It is a pattern that repeats.

A young pediatrician at a Stockholm hospital abused more than 50 children. He was not identified by IT security or internal systems. He was identified because parents called and said something felt wrong. The chief physician listened and acted.

That saved children.

But it is not a system. It is luck.

Police are clear in the documentary: perpetrators with a sexual interest in children actively seek out environments with access to children. And the cases are not isolated.

A school physician in Falun was sentenced to four years in prison after nearly half a million illegal images and more than 8,000 videos were discovered during a search of his home. The material included recordings filmed using a hidden camera during examinations. The tip came from Swiss police.

A psychiatrist convicted of serious offenses continued working as a locum physician across multiple regions during the investigation, downloading material during working hours.

As recently as March 2026, a physician at Region Dalarna was identified through international tracing efforts connected to Swedish IP addresses.

All were identified from outside the organization.

Not one was detected internally.

When an employee cannot tell anyone, they become an open door.

A person carrying this type of hidden vulnerability cannot safely go to their manager, to HR, or to the police, and cannot confide in colleagues. The actors who seek out such individuals know exactly this.

This is what makes the issue larger than criminal behavior alone. It becomes an insider risk problem.

State actors from Russia and China have long been known to identify vulnerable individuals inside Western organizations for recruitment and coercion. They do not always need to hack systems. Sometimes they simply need to find the right person and apply pressure:

Give us access, or we expose you.

And that person becomes an access point into the organization.

Suddenly, personal identity numbers, diagnoses, social case files, medical histories, and protected information become accessible to actors who actively want to cause harm.

This is not hypothetical.

A man working at FMV with access to sensitive information connected to the JAS 39 Gripen program was prosecuted for serious sexual abuse of a child. Intelligence experts described him as a potential jackpot for a foreign power had they identified and recruited him. (TV4, 2021)

This aligns with a broader shift in cybersecurity itself. Verizon’s 2026 Data Breach Investigations Report highlights how human involvement continues to play a central role in modern breaches, whether through misuse, credential abuse, insider activity, social engineering, or coercion. NetClean was proud to contribute to this year’s report.


Protecting citizens’ trust is part of the responsibility

Citizens have handed over their personal identity numbers, diagnoses, social case files, and their most private information to public sector organizations. Not because they chose to, but because they needed healthcare, education, or public support.

That trust is the foundation of the public sector itself.

It is not your fault that this risk exists. But it is your responsibility not to rely on instinct, luck, or external tips as your only defense. Not when systems capable of identifying severe hidden human risk already exist.

Public sector organizations cannot afford to rely on luck, instinct, or external tips to identify severe hidden insider risk.

If you want to understand how organizations are beginning to address this challenge in practice, contact NetClean to continue the conversation.