Most (95%) cybersecurity incidents were caused by human error last year, the World Economic Forum calculated. Such incidents appear to be spiraling, with the annual cost of cybercrime predicted to reach $8 trillion this year, according to Cybersecurity Ventures. If that wasn’t alarming enough, experts warn that bad actors within organizations are a growing security risk.
Some employees, manipulated and compromised through “social engineering,” might not even realize they are aiding and abetting criminals. Similarly, employers might not know they have been attacked, until it’s too late.
Worse, all too often, businesses — which are, in the post-pandemic era, being urged to provide greater autonomy to and trust in employees — are blindsided by this so-called “insider threat.”
So what exactly is an insider threat?
The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security in the U.S., defines it as “the potential for an insider to use their authorized access or understanding of an organization to harm that organization.” And these can include “malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.”
In a nutshell, an insider threat refers to someone who steals data or breaks the internal systems of the organization they work for, for their own purposes. For example, in 2017, an administrator working for Dutch hosting provider Verelox, deleted all customer data and wiped most of the company’s servers. That’s a standard case, according to Paul Baird, the chief technical security officer in the U.K. for cybersecurity firm Qualys. But there are other risks to internal access too. “For some hacking groups, it is easier to find that disgruntled employee and persuade them to breach those internal systems than to get through the multiple lines of technical and physical defenses,” said Baird.
Are insider threats genuinely increasing?
Well, it’s important to stress that this was already a worrying problem before the pandemic. But now there is a sense that organizations are bleeding out more than ever. “There’s a huge growth area in insider attacks,” said U.K.-based Jenny Radcliffe, who goes by the moniker “The People Hacker.” She explained how “someone can be manipulated, coerced, bribed, within an organization — and obviously, if you’ve got someone on the inside, it’s much easier to conduct nefarious activities.”
The theory goes that this year, in a climate of financial uncertainty, workers will likely be harder up financially, more dissatisfied with stingy employers, and therefore more susceptible to turning to the dark side.
Andrew Tsonchev, vp of technology at cybersecurity firm Darktrace, said: “Economic hardships and especially the downscaling of workforces are obvious aggravating factors.” In addition, he pointed out that if a company has a distributed workforce, with employees scattered all over the globe, if and when redundancies are made, there is a “logistical challenge of retrieving your corporate hardware.”
The period between letting staff go and them returning their technology devices, and potentially still having access to the organization’s network, is when insider threat is at its most dangerous.
To what extent has hybrid working impacted insider threat?
The shift to hybrid working has made it harder to keep track of employees’ actions without adequate cybersecurity and monitoring tools. There are other concerns with managing a hybrid workforce in this context. “There may be less personal contact between team members, which can increase feelings of isolation, which can make insiders more likely to succumb to these kinds of advances from outside groups or just think that they are entitled to take something that is not theirs,” Qualys’ Baird said.
Disgruntled employees aside, who can be an insider threat?
Anyone, from the building janitor to C-suite members. Radcliffe, a world-renowned social engineer hired to bypass security systems through “a no-tech mixture of psychology, con-artistry, cunning, and guile,” said some may be working against their will. They might be being blackmailed to uncover sensitive information, for instance, by plugging a USB stick into a computer that will copy essential company data. “If criminals can find something on that person, their secrets, then it’s not too difficult to persuade them to do the wrong thing,” added Radcliffe.
She shared an example of how, a couple of years ago in London, a part-time cleaner on an annual salary of £15,000 ($18,350) was put in a bind. “The criminals said they would match her salary, but also, if she didn’t help them, they would tell the police and immigration about her,” Radcliffe added. “She actually hadn’t done anything wrong [in terms of her immigration status], but she was frightened enough to do what they said.”
How are cybercriminals approaching potential insiders to do the dirty on their employer?
Increasingly, by contacting them on social media platforms. New York-based Nathan Green, a senior subject-matter expert focused on cyber and the dark web at Dataminr, spotted almost 80 groups shifting to recruit on Telegram between April 2021 and July 2022.
The reason being it’s more accessible for non-technical people. “It’s much more difficult for someone to navigate the dark web, an unindexed area of the internet, where you need a specific URL,” said Green. Conversely, there would be a much larger audience on Telegram, which is not heavily regulated.
He pointed to some recent Telegram posts from a criminal group explicitly asking employees to help them in return for generous compensation. “They are effectively professionally hiring people to work for them,” Green added. “This no longer occurs in the shadows or the darkest corners of the web.”
Is there such a thing as “accidental” insider threats?
Yes. California-based Michelle McLean, vp of marketing at Salt Security, an Application Programming Interface (API) security firm, said: “The ‘accidental’ insider threat cannot be underestimated in today’s organizations where, essentially, all companies are becoming software companies.” She explained that organizations are “all rushing to code quickly, whether it’s to improve internal, customer-facing or third-party processes, and they’re using APIs to do this.”
McLean added that the downside is, if not properly secured, there can be a lot of “accidental” exposures from developer “insiders.” She said: “For instance, they might have written an API for an internal environment, and that environment is accidentally exposed – as seen in the Optus data breach [which involved the exposure of the personal data of 10 million of the telco’s customers,] which the company went on to earmark A$140 million ($98 million) to cover the cost of.”
Are organizations doing enough to limit insider threats?
Generally no, according to Tsonchev from cyber security firm Darktrace. “It is still the case that most companies are in a much poorer position to identify insider threat than other types of threat,” he said.
Tsonchev suggested there’s a “quantifiability problem” around this, too. “Due to underreporting, there may be more insider threats than companies are aware of, so breach disclosure statistics might not be accurate.”
Baird doesn’t believe it will ever be possible for organizations to mitigate the intentional or accidental insider threat completely. Zero-trust architecture is recommended, though. “Instead of assuming everything behind the corporate firewall is safe, the zero-trust model assumes breach and verifies each request as though it originates from an open network,” according to a Microsoft definition.
“Zero-trust architecture and approach to security will help, as well as technology like Data Loss Prevention or UEBA that can slow down that potential attack, or provide the information that an insider is the cause of issues like loss of service due to data exfiltration or servers or data being deleted,” added Baird.
It. may seem a cynical approach, not to automatically trust one’s employees to abuse their security access, but it’s becoming an increasingly necessary one. Tsonchev added: “A lot of insider threat-type scenarios would never even come across the radar of potential security incidents until they suffered some consequence from the selling of data or whatever it is somewhere downstream.”
This analysis chimed with Colonel Gérald Vernez, founder and director of Switzerland-headquartered digiVolution Foundation. He said when it comes to cybersecurity in general, most organizations are “satisfied with a tick-box exercise” and, concerningly, “don’t have a clue what you are talking about.” But Col. Vernez warned: “This lack of preparedness is one of the biggest problems we are facing.”
He said it was vital to “change the mindset from reaction to anticipation” and improve cybersecurity awareness across an organization so that more people could spot unusual activity quicker. “If you wait for the enemy to ring the doorbell, and can only answer with technology, then it’s definitely too late,” he said.