Another Look at Insider Threats

In the past week, a European headline proclaimed that a security researcher was arrested after data on every adult in Bulgaria was hacked from a government site.

Back in March, this Dark Reading article gave three examples of “common insider threats” which include:  

  • A former Goodwill employee stole $93,000 from the charity by faking payroll records.
  • A rogue Tesla employee broke into the company’s manufacturing operating system and sent highly sensitive data outside of the firm.
  • Uber’s 60-person crisis team is dealing with 1,200 severe incidents reported to the company weekly, including verbal threats, physical and sexual assault, rape, theft, and serious traffic accidents.

That same Dark Reading article goes on to quote an Endera survey of over 200 executives (each with more than 1,000 employees in their organization) which found:

  • 63% of respondents stated they experienced financial loss and loss of sensitive data.
  • 60% shared that customers’ trust in the organization decreased and that the organization’s reputation suffered.
  • 59% reported declining workforce confidence in the organization’s ability to keep them safe, and that employees left the organization as a result of these incidents.

In 2018, private healthcare company Bupa was the victim of an employee breach, and it has since been issued with significant fines by UK regulators for ‘systematic data protection failures’ after an employee attempted to sell 500 million client records on the dark web.

Insider threats are not new, but are cyber risks to businesses growing due to staff (with access) misusing information? Many say yes.

As changes to technology and digital transformation are required to survive heading into the 2020s, what are important trends to watch regarding internal cyber risks?

Most important, what can the public and private sector do now to address evolving insider threats?

New Ponemon Research Study Offers Answers

A report was recently released by the Ponemon Institute entitled, “Managing the Risk of Post-breach or ‘Resident’ Attacks.” Here’s an excerpt:

“Ponemon Institute surveyed 627 IT and IT security practitioners in the United States to understand how well organizations are addressing cyber risks associated with attackers who may already be residing within the perimeter, including insiders that might act maliciously. In this study, these are referred to as ‘post-breach’ or ‘resident’ attackers.

The findings consistently show that organizations do not fully understand the risks associated with this type of threat, are unprepared for resident attackers, and have little ability to discover and remove them.

Capabilities to preempt, detect, and respond to post-breach, resident threats need to be strengthened across the board:

  • Organizations have low confidence in their ability to prevent serious damage from these attacks
  • Senior leaders lack understanding of the threats and do not clearly communicate business risk
  • Most organizations lack the ability to detect resident attackers, particularly insider threats
  • Capabilities are low to prevent attackers from finding connections and credentials that enable lateral movement
  • Incident response appears to be the weakest link in the threat-handling chain
  • Investments in most areas will increase, but the budgets are shifting significantly toward threat detection…”

An article posted on Security Boulevard about the report noted that a key finding is that the ability to detect “stealth” attackers is lower than it should be. Only 42 percent of respondents say their IT security team is doing a good job at detecting whether a staffer is acting maliciously. When it comes to identifying abnormal activity and resource usage, the team’s effectiveness is lower still, with only 38 percent of respondents rating it as good.

Detection of insider threats is also slower than it should be. While more than half of respondents believe they have reduced dwell time in the past year, 44% either have not or don’t know.

Another recent article by Computer Business Review (CBR) offers several tips for managing insider threats with a formal program that starts when a new employee is hired, correlating intelligence from multiple sources, examining “high risk moments” and a close look at situational context.

Not New: More Background Perspectives On Insider Threats

No doubt, this insider threat topic is far from new. Spy stories go back decades, and I have written and spoken about different aspects of this topic many times over the past fifteen years. Here are a few of those pieces:

And while management may feel that acceptable use policies are clear, even in government, regarding “no presumption of privacy” on work networks, many others feel that management is “spying” on you in unprofessional ways that harm trust.

This recent article on “The new ways your boss is spying on you” from the Wall Street Journal received a lot of comments in social media. Here’s a quote: “It’s not just email. Employers are mining the data their workers generate to figure out what they’re up to, and with whom. There’s almost nothing you can do about it. Your employer may know a lot more about you than you think.

The tone of your voice in a meeting. How often you’re away from your desk. How quickly you…”

Do Some Employees Who Are Trying To Help Become Scapegoats?

There are certainly other perspectives on this insider threat topic that can also be explored. For example, regarding the first story listed in this article about the researcher in Bulgaria, some cyber experts online feel that he (or perhaps others in a similar situation) was unfairly framed for problems he uncovered. In a LinkedIn thread where we discussed this case, this public comment was made by one individual (describing the life of a researcher / ‘white hat’ hacker for good):

“I see this happening to multiple friends and it has happened to me on numerous cases (theft of IP, reports, research and attempted shaming). The hours of research we invest with no pay with some institutions is very real and even after sending the data you sometimes get a thank you, most often you don’t. I didn’t get framed or arrested but that thought is always at the back of one’s mind because of cases like this and similar ones where I personally knew the other side. Whether this changes things or doesn’t is the actual thought I am concerned with. How can any of us tell those we mentor to do the right thing when finding security issues can and does sometimes get turned around because the said company or agency messed up and didn’t have processes and procedures in place to do things correctly? These events are dangerous because either side can be right and we have no idea what the actual truth is. Truth is something we need to have, trust is another. Both are missing because of an artificial sense of competition when there is no real lack. If you did something wrong, admit it, learn, move on. Blaming someone else and avoiding the truth of the matter to blame someone else is not the way of achieving what we really need.”

Closing Thoughts

This past week I participated in a BrightTalk global webinar called: Breach Protection – Addressing the Human Factor. (You can watch this for free, if you sign up with BrightTalk.) The others on the webinar were:

  • Joseph Carson, Chief Security Scientist, Thycotic (speaking from Estonia)
  • Rick Holland, CISO, Digital Shadows (speaking from London, UK)
  • Shlomi Gian, CEO, CybeReady (speaking from Israel)

While most of the discussions were about improving the situation with inadvertent (non-malicious) insider threats, such as staff clicking on phishing links and other problems like system authentication and controlling access to data, the topic of malicious insider threats was also raised. I urge you to take time to watch the discussion and learn more. We highlighted what an effective monitoring program looks like.

One significant new threat mixes the internal and external aspects of cyberthreats: attackers gain inside access to a peer’s account, so that an attack appears to come from friends and/or colleagues. In a sense, this is like the old viruses that took over inboxes years ago and spread sideways to contacts.

These blended threats make it hard to differentiate what is an internal or external attack, and this article from Forbes covers some of the top phishing threats we face in 2019.

I certainly will be coming back to this topic in 2020 and beyond, but for now I leave you with these intriguing quotes:

“One enemy can do more hurt than ten friends can do good.” – Jonathan Swift

“Forgive your enemies, but never forget their names.” – John F. Kennedy