Earlier this month, Tesla became the poster child of the damage a single malicious insider can do to your company.
Tesla CEO Elon Musk sent an email to employees about an employee who allegedly “conducted quite extensive and damaging sabotage” to corporate operations, which included changing the code on Tesla’s operating system. The employee also was accused of “exporting large amounts of highly sensitive Tesla data to unknown third parties,” according to the email.
Malicious insiders tend to be the forgotten cog in security plans. After all, as the Verizon “Data Breach Investigation Report” (DBIR) 2018 revealed, 73 percent of all data breaches are caused by outsiders, so security systems focus on them. Even when we talk about insider threats, we’re most likely to think of them in terms of an employee clicking on a phishing link or making an error. Their “attack” is usually an innocent or uneducated mistake, and they make up 17 percent of data breaches, according to the DBIR.
Ten percent of serious security incidents are caused by malicious insiders, but they are the most difficult to stop. It isn’t that security systems aren’t set up to sniff out a potential problem employee; rather, they often are folks who already have the keys to the network kingdom. They have access to multiple areas of the network and databases; they know—and possibly helped develop—code and intellectual property secrets. When they are working on something, it is nearly impossible to tell if they are causing intentional damage.
“Insiders in high-tech organizations that have access to sensitive information and systems inherently pose significant risk to organizations,” said Steve Grobman, McAfee SVP and CTO, in an email comment. “One of the most difficult challenges for organizations is to mitigate these risks while maximizing employee productivity and effectiveness.”
Finding the Malicious Insider
How do you know if one of your employees is about to go rogue? You usually don’t. In the typical workplace, your employees are trusted users and you treat them that way, said Chris Morales, head of security analytics at Vectra. For example, he said, while on a corporate network, employees typically don’t need to perform the same extra authentication steps necessary to connect to services and applications that they do when they are connected from home. As a result, they can move around freely.
However, that trusted user also presents the highest risk because they have easy access to cause harm. What most employees don’t have is the motivation to be a threat—until something is triggered in them.
The trigger could be almost anything: The employee was turned down for a job promotion or a raise. The employee is being bullied or harassed by co-workers. The employee has relationship problems at home. Perhaps the employee was fired and is angry (and their network access was not terminated). There are often revenge factors at play when malicious insiders strike.
But sometimes it is a business deal for them: They are having money troubles. They receive an offer from a third party—a large payment in return for corporate theft or sabotage.
In the Tesla instance, Morales said, “the motivation sounds personal, and that is quite often the case in corporate sabotage.”
Leadership that is in tune with its employees may be able to see the warning signs of a potential malicious insider and take action before damage is done.
However, chances are we’re going to miss those signals. Malicious insider threat prevention, therefore, needs to be included in any security plan.
“In either the case of a cyberattacker, or a rogue employee who is an insider threat, enterprises benefit from internal monitoring that can detect suspicious behavior in order to prevent damage,” said Morales.
Monitoring could take the form of detection technology that notifies IT if an internal user is trespassing in areas of the network where they don’t belong, or if they are behaving in unusual ways, such as logging in outside of work hours or from a different device. Detection technology of this kind could alert you to a disgruntled employee.
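As an added illustration of the behavioural monitoring described above (example code added to this article, not a Vectra or Fidelis product), the following Python flags three of the signals mentioned: logins outside work hours, logins from an unrecognised device, and access to a system outside the user's role. The log lines, device lists and role mappings are constructed sample data, and the baselines are assumed to have been built from prior activity.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample authentication events (not real data from any company).
# Each line: ISO timestamp, user, device id, resource accessed.
SAMPLE_LOG = """\
2018-06-20T09:15:00 alice laptop-a1 hr-db
2018-06-20T14:02:00 alice laptop-a1 hr-db
2018-06-21T02:40:00 alice laptop-a1 hr-db
2018-06-21T10:05:00 alice phone-zz src-repo
2018-06-21T11:00:00 bob workstation-b7 src-repo
"""

# Hypothetical per-user baselines, assumed to come from earlier months of activity.
KNOWN_DEVICES = {"alice": {"laptop-a1"}, "bob": {"workstation-b7"}}
ALLOWED_RESOURCES = {"alice": {"hr-db"}, "bob": {"src-repo"}}
WORK_HOURS = range(8, 19)  # 08:00 to 18:59 local time, Monday to Friday


@dataclass(frozen=True)
class Alert:
    user: str
    timestamp: str
    reason: str


def parse_event(line):
    """Split one whitespace-separated log line into its four fields."""
    ts, user, device, resource = line.split()
    return datetime.fromisoformat(ts), user, device, resource


def detect_insider_anomalies(log_text):
    """Return one Alert per behavioural rule an event violates, in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, device, resource = parse_event(line)
        if ts.hour not in WORK_HOURS or ts.weekday() >= 5:
            alerts.append(Alert(user, ts.isoformat(), "login outside work hours"))
        if device not in KNOWN_DEVICES.get(user, set()):
            alerts.append(Alert(user, ts.isoformat(), f"unrecognised device {device}"))
        if resource not in ALLOWED_RESOURCES.get(user, set()):
            alerts.append(Alert(user, ts.isoformat(), f"access to {resource} outside role"))
    return alerts


if __name__ == "__main__":
    for a in detect_insider_anomalies(SAMPLE_LOG):
        print(f"{a.timestamp} {a.user}: {a.reason}")
```

Each rule is deliberately simple so that an analyst can see why an alert fired; in practice the baselines would be learned per user rather than hard-coded.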
Access control is another avenue of protection. “By using change logs and setting up approvals for any code changes, you can add an additional layer of security to protect critical code,” explained Tim Roddy, VP of Cybersecurity Product Strategy with Fidelis Cybersecurity. “For organizations to protect themselves from exfiltration of highly sensitive data, data loss prevention on endpoints and primary network services is not enough. Organizations need to analyze all ports and protocols to prevent any blind spots.”
Even the best companies are going to have problems with malicious insiders. Recognizing rogue employees isn’t easy, so having the right tools in place to detect insider threats could be the difference between protecting your assets and making Tesla-like news.