The threat of insiders from a business’s workforce committing illegal acts such as compromising network operations or stealing critical data for the benefit of outside forces has been a major concern for many years and insider activity may be on the rise.
This paper looks at the causes behind this possible growth in employees collaborating with criminals and what cybersecurity officials can do to mitigate this concern.
The Insider Threat
Insider activity is possible at any organization, even those that require high-level security clearances for employment. Though financial gain or feeling disgruntled are the typical motivations to become an insider, there are other drivers such as when an individual is coerced or ideologically driven.
Recent surveys suggest the threat may be rising. A third-quarter 2022 study by consulting firm Kroll Holdings Inc. found insider threat accounted for nearly 35% of all unauthorized access incidents, which is an increase from 31% in the first quarter and 24% in the second. Kroll attributed the finding to the “great resignation” or the large number of employees who quit during the global pandemic, potentially leaving their employers with system access credentials or sensitive data. Other cyber experts have cited economic downturns as a possible impetus of insider activity for similar reasons. Emilian Papadopoulos, the president of Good Harbor Security Risk Management said during the WSJ Pro Cybersecurity Forum on November 30, 2022, that layoffs can lead to a greater insider threat.
Perhaps more worryingly, software company Hitachi ID highlighted in a survey from early 2022 how cybercriminals are seeking to recruit insiders to facilitate their attacks. Sixty-five percent of executives said either they or one of their employees had been contacted by hackers to act as an insider to facilitate ransomware attacks. This figure signified a 17% increase compared to a similar survey from the Fall of 2021.
Evolving Tactics
One ransomware gang cited for developing and popularizing the approach of recruiting insiders is Lockbit 2.0. The publication Bleeping Computer reported that the group offered “millions of dollars,” citing an online posting, to employees willing to assist its efforts to access their employers’ systems.
From the perspective of a ransomware gang, finding an accomplice on the inside can potentially make the initial compromise easier, but also increases the degree of complexity and risk in the attack by adding an additional party. Finding an individual at a target company willing to participate in such a conspiracy after a cold-call approach on social media, email or telephone and the individual trusting the criminals will pay their share afterwards cannot be an easy sell and WSJ Pro Research has not found evidence to suggest the attackers have been successful with this tactic.
A high-profile case of an attempt to recruit an insider in a ransomware scheme involved electric vehicle manufacturer Tesla Inc. Russian citizen Egor Igorevich Kriuchkov sought to bribe a Tesla employee, who he had met several years earlier, to conspire to breach and infect the company’s networks. The employee was to plant malware on the corporate network that would allow the attackers to steal corporate data and encrypt data. The attackers also planned a distributed denial of service attack to occupy the cybersecurity team.
The employee was offered $500,000 to participate, but instead reported the approach to Tesla officials who contacted the Federal Bureau of Investigation FBI. Mr. Kriuchkov was sentenced to 10 months in custody and fined $14,825 following his March 2021 guilty plea to conspiracy to “intentionally cause damage to a protected computer” and was deported to Russia in June 2021.
An honest employee may have been the only impediment preventing a major security breach with loss of critical data, a potentially large ransom payment, operational disruption and reputational damage.
In other cases, monitoring the use of technologies could potentially uncover nefarious user activity. Technology company Meta Platforms Inc. said in November 2022 that it was investigating some former employees for remaining in contact with other workers, for the alleged purpose of hijacking user accounts. The company fired or disciplined more than two dozen employees and contractors, some of whom allegedly accepted thousands of dollars in bribes in return for account access.
Mitigating the Threat
Minimizing the risk of damage and disruption from insiders should be a key part of every company’s cybersecurity strategy. Consider the following steps to address insider risk within your organization:
Reduce the opportunities for a major disruption by minimizing the number of employees with privileged access to the network.
Monitor internal activity for unusual changes or employees seeking to access data they do not require for their daily duties.
Third-party contractors with network access should be more closely monitored and have access only to the data required to do their job.
Balance employee training and awareness with software programs that can help to monitor suspicious activity. Managers should be alert to disgruntled employees potentially seeking to steal data and have a mechanism to report suspicions.
Remove credentials when employees leave the company. This may not be as easy as it seems when businesses are moving to the cloud and they’re not tied into the mainstream system.
