How Insider Threats Have Evolved
Spoiler Alert: The fixes haven't really changed.
As the workplace evolves, so, too, does its effect on employees. The impact of digital transformation on insider threat mirrors that of its effect on business transformation — greater speed, efficiency, and opportunity expansion. Unlike business transformation, however, when it comes to insider threat, these “gains” are a win for the criminals rather than the business.
In this piece, we’ll take a look at some of the new data and trends shaping workplace evolution and thus insider threat, and briefly cover a few mitigations.
“Insider threat,” as it pertains to cybersecurity, is broadly defined as the potential for harm caused by an employee, business partner, supplier, or any other person with authorized and legitimate access to systems, data, and/or facilities. Insider threat is (or should be) a major concern for any business. Why? Because it’s insiders who already know their way around the organization. They’ve been granted access to the organization’s network and technologies, including devices, applications, and data repositories. They understand the types of data and information upon which the business runs. They have relationships with people inside the organization and may use those relationships to coax information. They likely know (at least some) workarounds for certain access or security controls (when those controls get in the way of efficacy).
There are four main types of insiders:
Malicious insider: These are people who act with deliberate malicious intent. They might be a disgruntled worker, someone who feels they’ve been wronged by the organization or a specific person in it. They have an ax to grind and use what’s at their disposal to steal from or harm systems or data. For instance, this might be a salesperson who recently resigned because they feel they’ve been mistreated. They download their client list before moving to the next job, taking proprietary information outside the company. Or it could be an executive who leaks potential M&A information in exchange for future financial gain.
Unintentional insider: These people accidentally or unwittingly cause a security event. They might typo an email address or Slack username and send sensitive information to the wrong person. They might click on a link or email attachment, thinking it is legitimate, and trigger malware or have their credentials stolen.
Compromised insider: This is someone who has been bribed, blackmailed, or coerced by a third party who has malicious intent. The compromised insider may be acting against their will but feel they must carry out harmful actions to protect themselves, loved ones, or fellow employees.
Negligent insider: This type of insider is someone who doesn’t know the rules for acceptable use or ignores them to get work done. It might be a developer uploading sensitive data to GitHub in the name of efficiency or an employee putting a sensitive presentation on a personal laptop so they can work while on vacation.
What’s new with insider threat?
OK, you’ve read this far and are thinking: What’s new here? Well, so far, nothing. Just level setting, my friends. Let’s get to the meat, shall we?
According to the Gurucul 2023 Insider Threat Report, 74% of organizations say insider attacks have become more frequent. An equal number of respondents say they are “at least moderately vulnerable or worse to insider threats.”
A December 2023 report by CrowdStrike found that “Approximately 55% of the identified insider threat incidents involved unauthorized use or attempted use of privilege escalation,” and “approximately 45% of insider threat incidents involved insiders who unwittingly introduced risk to their environment through the unauthorized download of exploits or by downloading other offensive security tools for testing or training purpose.”
But, why?
There are so many reasons — too many to list in one article — why the risk of insider threats is increasing.
Digital transformation: We live in a hyper-connected world. Our personal lives and professional lives run on technology. Most of us have multiple devices that we use or cross-use. We connect to dozens or hundreds of apps daily. The more technology we have and the more data we put into it, the greater the chance for a leak or breach, intentional or unintentional. Growing attack surface = growing risk.
Data is currency; there is always something to be gained by it. This doesn’t always mean a person is going to weaponize data. In fact, mostly it’s not weaponized (despite the scary statistics published here). But if a person were so inclined or coerced into using data for harm, there’s plenty to choose from.
Social issues: Contentious topics like the wars in Ukraine and Gaza, gender politics, national politics, the environment, and more have wended their way into the workplace, dividing colleagues and creating tensions. An insider with a grudge or point to make could easily use sensitive or private business data as retaliation or retribution.
Anonymity: Many employees feel it’s easy to cover their tracks if they intend to abuse, misuse, or tamper with systems and data. Perhaps they haven’t met a forensic investigator. If they have, perhaps they know stealthier ways to hide in today’s network traffic messiness.
Work-life imbalance: Many employees work remotely and/or in hybrid environments. Along with it comes the co-mingling of work and personal devices, additional user accounts and access needs, and a general blurring of system and data use. Users can more easily make mistakes (if the threat is unintentional or negligent) or simply blame technology (“I’ve been hacked!” if the threat is intentional or malicious). What’s more, detecting insider threats is more difficult for security and ops teams because permissions have to be so broad to accommodate current working conditions.
Discontent in the workplace
Workplace unhappiness is higher than it’s ever been (or, at least, it’s higher than has ever been expressed). Either way, people are unhappy at work, and unhappiness and stress can be significant contributing factors to mistakes, carelessness, or the desire for retaliation. They can also make a person more prone to negative influence if the influencer promises personal or financial gain (“I can help you get a better job with a nicer manager and a higher salary”) or some sort of protection (“I won’t tell your boss you’ve been drinking at lunch if you just get me this one file…”).
Insider threat programs frequently stress the importance of…well…watching employees for elevated stress or unhappiness. Although increased unhappiness and stress in no way guarantee employee wrongdoing, any adverse change in behavior should be noted and delicately addressed before bad turns to worse.
Just how bad are we talking about?
The “Employee Happiness Index” report by BambooHR says employee job satisfaction has declined at a rate that is 10 times faster than in the previous three years!!!
Source: BambooHR
Separately, Gallup’s State of the Global Workplace 2023 Report shows that 6 in 10 employees are “quiet quitting” and “exhibiting record-high stress levels”. Further, according to the report, more than half of employees are currently job-seeking.
Some of the top reasons for workplace unhappiness cited in these and other recent reports include:
High stress caused by workplace demands or perceived poor management practices
Lack of recognized value or contribution by the employee’s colleagues, managers, or executives
High inflation with declining wage growth (i.e., lower take-home pay)
The prevalence of layoffs directly or indirectly affecting employees
Return-to-office policies threatening work-life balance
UGH, just tell me what to do!
The good news is that there is little that’s actually new when it comes to reducing the risk of insider threat and deploying controls that can prevent it!
The bad news is that the advice is neither new nor sexy. It’s back to basics. Focus on the fundamentals. It is the cyber essentials that will pave the way to a more protected work environment.
Inventory and control of enterprise and software assets: These are #1 and #2 on the CIS Critical Security Controls, and for good reason. Know what you have so you can monitor, manage, and measure it. For example, if you don’t know that a sensitive data repository exists, you probably don’t know when/if an employee is accessing it. You, therefore, can’t see that they’re downloading tons of data from the repository and exporting it to an external app or thumb drive. Lesson: You can’t remediate insider threats without knowing what systems, data, and users are involved.
Zero trust: Despite Tyler’s hate <GRIN>, zero trust is an important element in an organization's infrastructure security plan. Let me be clear: Zero trust is not a product but an approach, framework, or set of policies that results in identity-based, least-privilege, and conditional access to (network-segmented) data and systems (all the things attackers, including insiders, are after). In today’s computing environments, zero trust = security. It’s the baseline upon which security teams should be architecting their networks.
Patch: We know that vulnerable hardware and software versions are leading entry points for attackers. While they are possibly less of a bright, shiny object to most insiders, someone with ample technical knowledge can use outdated versions to execute an insider attack. Fix vulnerabilities and identify and remediate misconfigurations. In other words, take away the easy access points.
Monitor for behavioral anomalies: Organizations must know their baselines before they can start looking for what may be going wrong. And in the case of insider threat, the signs might be very minor. Remember, insider threat is one of the hardest attack types to stop because these are people with legitimate access. But there are usually at least some signs that things are awry. Simple network traffic patterns, access requests, and data volumes are good places to start. More advanced organizations should deploy user and entity behavior analytics (UEBA) to identify individual user or user device anomalies.
Acceptable use policies (AUP): While a policy isn’t going to stop a determined criminal from anything, the hesitant or nervous would-be insider who is thinking about stealing, leaking, or tampering with data or systems may think twice if the organization has shone a spotlight on expectations and consequences of an intentional insider compromise. Be careful not to be overly strict about accidental compromise; we don’t want people doing stupid things, but accidents can happen — and they can happen to anyone. However, be very deliberate with wording around negligence. “I didn’t know I couldn't dump our product designs into ChatGPT” isn’t a scenario you want to deal with.
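To make the "know your baseline, then look for deviations" advice in the monitoring item concrete, here is an added example that is not part of the original article or of any product it mentions. It builds a per-user baseline from earlier days of a constructed download log (the log format, user names, repository names and byte counts are all made up for illustration), then flags days whose download volume or spread of repositories rises far above that user's own history. It also reports users who do not yet have enough history to be scored at all, which is the practical consequence of the article's point that you cannot spot an anomaly without a baseline.

```python
"""Baseline-and-deviation check over constructed access-log lines.

Added example, not code from the article. Everything below (log format,
users, repositories, byte counts, thresholds) is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real data): "date user repository bytes_downloaded".
# alice has six ordinary days followed by one day of heavy, wide-ranging
# downloads; bob is steady; carol has only one day of history.
SAMPLE_LOG = """\
2024-03-01 alice repo-finance 120000
2024-03-01 alice repo-finance 95000
2024-03-02 alice repo-finance 110000
2024-03-03 alice repo-finance 130000
2024-03-04 alice repo-finance 105000
2024-03-05 alice repo-finance 98000
2024-03-05 alice repo-hr 40000
2024-03-05 alice repo-eng 60000
2024-03-06 alice repo-finance 100000
2024-03-07 alice repo-finance 9800000
2024-03-07 alice repo-hr 2500000
2024-03-07 alice repo-eng 3100000
2024-03-07 alice repo-legal 4400000
2024-03-07 alice repo-sales 1200000
2024-03-01 bob repo-eng 300000
2024-03-02 bob repo-eng 280000
2024-03-03 bob repo-eng 310000
2024-03-04 bob repo-eng 295000
2024-03-07 carol repo-legal 5000000
"""


def parse_log(text):
    """Aggregate raw lines into activity[user][date] = {"bytes": int, "repos": set}."""
    activity = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "repos": set()}))
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, repo, nbytes = line.split()
        day = activity[user][date]
        day["bytes"] += int(nbytes)
        day["repos"].add(repo)
    return activity


def deviation(value, history):
    """Z-score of value against the user's own history.

    The spread is floored so a perfectly flat baseline neither divides by
    zero nor turns a trivial change into an "infinite" anomaly.
    """
    m = mean(history)
    spread = max(pstdev(history), 0.1 * m, 1.0)
    return (value - m) / spread


def find_anomalies(activity, threshold=3.0, min_baseline_days=3):
    """Flag days whose download volume or repository spread rises far above
    the same user's earlier days. Only upward deviations are flagged, and a
    day is scored only once at least min_baseline_days of history exist."""
    findings = []
    for user, days in activity.items():
        history_bytes, history_repos = [], []
        for date in sorted(days):
            nbytes, nrepos = days[date]["bytes"], len(days[date]["repos"])
            if len(history_bytes) >= min_baseline_days:
                for metric, value, history in (("bytes", nbytes, history_bytes),
                                               ("repos", nrepos, history_repos)):
                    z = deviation(value, history)
                    if z > threshold:
                        findings.append({"user": user, "date": date, "metric": metric,
                                         "value": value, "zscore": round(z, 1)})
            history_bytes.append(nbytes)
            history_repos.append(nrepos)
    return findings


def users_without_baseline(activity, min_baseline_days=3):
    """Users with too few days of history to ever be scored: the analyst
    should know who is invisible to this check rather than assume silence
    means nothing happened."""
    return sorted(u for u, days in activity.items() if len(days) <= min_baseline_days)


if __name__ == "__main__":
    act = parse_log(SAMPLE_LOG)
    for finding in find_anomalies(act):
        print(finding)
    print("no usable baseline yet:", users_without_baseline(act))
```

Run as-is, the check flags only alice on 2024-03-07, once for volume and once for the number of repositories touched, and lists carol as unscorable. The two design choices worth carrying into a real deployment are the chronological baseline (each day is compared only with the days before it, so the anomalous day cannot inflate its own baseline) and the floored spread in `deviation`, which is what keeps a user with a flat, predictable history from generating noise.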
In short, insider threat is still insider threat. The things security and operations teams (along with HR, legal, and communications colleagues) have to do to mitigate the risk aren’t vastly different today than they were four years ago. However, our corporate environments have changed, and (apparently) not for the better. As a result, security and ops teams must be hyper-aware of the situation, work with business colleagues to put the data into context, and put an extra spotlight on the security fundamentals to ensure systems and data are more resilient to stealthy attacks from insiders than ever before.
Yes, I know it’s bad form to outline a problem as the main focus of an article. But let’s face it, the mitigations are the same this year as they were a year ago, five years ago. It’s back to basics, folks. Always back to basics.
Even if you’re me and overly verbose.
The other thing for insider threat is you have auditors show up and ask the age-old question to check the box, "Do you have a DLP solution?" with a twisted wink and a nod. The C-level person of your choice slaps their knee and says, "Well, of course I do," with a wink in return. Neither one realizing a DLP is not an insider threat program. People, processes, and technology, not just a tool that most of the C-suite sees as an AV for words. Yes, I have seriously had a C-level person tell me that is what they think data loss tools do.
Great post. Insider threat is a little bit of an oddity in the land of cyber risks I think, in the sense that we all know how much of a threat it is but somehow it ends up rarely being top of mind.