In today’s digital age, organizations know the importance of preparing for cyber attacks and data breaches. Too many, however, focus only on outside cybersecurity threats, even though insider threats are very common.
In fact, according to one Ponemon Institute survey, the number of insider incidents spiked by 47 percent from 2018 to 2020. The total cost of insider threats increased from $8.76 million to $11.45 million, and cost organizations more than $700,000 per incident. Insider security threats are a huge challenge for organizations because such threats are hard to detect and even harder to eliminate.
The good news is that companies can minimize this risk. First they must understand the sources of these threats, and then implement strong security measures to stay one step ahead.
This article deep dives into the problem of insider threats and explores seven real-world insider threat examples to help guide your threat prevention and data security strategies.
What Is an Insider Threat?
An insider threat comes from a trusted individual or privileged user who is authorized to access your organization’s IT assets and information. These users could include insiders such as employees; or outsiders, such as vendors, contractors, associates, or business partners.
Any of these users may deliberately or accidentally leak sensitive information, exfiltrate company data, or compromise enterprise systems, leaving them vulnerable to attack. A trusted insider with continued access to sensitive data can pose a security risk even if the insider is no longer associated with the company.
Insider threats can damage your organization in many ways:
- Data theft
- Disclosure of trade secrets
- Business disruptions affecting productivity and profitability
- Financial losses
- Reputational damage
- Loss of customer trust
- Regulatory fines
- Loss of competitive edge
- Falling share prices
To protect your organization, you need to take security precautions to mitigate the risk of insider threats. You should also limit access to enterprise assets whenever possible and monitor what users with legitimate access can do with the resources they’re permitted to access.
It’s also crucial to educate employees on good cybersecurity practices, to create a cyber-aware culture and reduce the risk of insider security incidents.
We will explore these strategies in detail in a later section. First let’s understand the source of insider threats and look at some real-life insider threat examples.
Types of Insider Threats
Three types of insider threats may affect your organization:
- Malicious insiders
- Negligent insiders
- Compromised insiders
Malicious or criminal insiders purposefully damage IT systems, steal trade secrets or intellectual property, breach data, or do something that increases the risk of a cyber attack.
They may be ex-employees who were fired for poor performance, disgruntled employees seeking revenge, or existing workers coerced into carrying out a cyberattack by a competing firm or a nation-sponsored hacker.
Malicious insider threats are hard to predict and detect because companies usually don’t have enough information about them. While malicious insider threats account for only 14 percent of incidents, it is still significant enough to warrant concern.
Negligent insiders are the most common insider threat. They account for the solid majority (62 percent) of incidents and are responsible for the highest average cost per incident ($4.58 million).
These people unintentionally introduce security weaknesses into the organization. They lack malicious intent, such as revenge, cyber-extortion, corporate espionage, or the expectation of financial gain. They do still increase security risks, however, because they are careless, don’t practice good cybersecurity hygiene, or are unaware of the dangers created by their actions.
For example, an employee may connect a malware-infected USB device to a business computer. Or he or she might use weak passwords that allow threat actors to gain unauthorized access to enterprise systems or exfiltrate enterprise data.
In this context, the word “compromised” does not mean pressured by external parties via, say, blackmail. Here we mean “compromised” as in using compromised technology. Like negligent insiders, compromised insiders are rarely malicious. They can cause serious cybersecurity issues, due to:
- Risky actions
- Lack of awareness
- Lack of cybersecurity hygiene
- Stolen credentials
For instance, a compromised insider may click on an infected link and enter his or her login credentials into a fake website that attackers can then steal and use to attack the organization.
In 2020, 89 percent of hacking attempts into web applications involved credential abuse or theft. Or a compromised user may download a malware-infected attachment from a phishing email, allowing cybercriminals to hack into your network to compromise it.
7 Real-Life Examples of Insider Threats
The negligent Microsoft employees whose actions led to the leak of a customer support database
In 2019 Microsoft employees made misconfiguration errors on a new version of Azure security rules. They were lax about monitoring user records and activity with sensitive assets. In addition, they didn’t limit access to a customer support database with a strong password or two-factor authentication.
The database leaked on the Internet and remained publicly accessible for an entire month. It contained 250 million customer entries accumulated across 14 years, including customers’ locations, email addresses, and details about support cases.
Microsoft fixed the leak on the same day the leak was discovered. It also notified affected users, so it suffered no fines or penalties. The California Consumer Privacy Act took effect in early 2020. If Microsoft had delayed its actions by even a few days, the company could have been fined millions of dollars.
The Marriott employees whose credentials were stolen to exfiltrate customer data
Cyberattackers compromised the credentials of two Marriott employees to log into a third-party application. They remained active for two months but managed to evade Marriott’s cybersecurity systems, mainly because third-party monitoring and user and entity behavior analytics (UBA) were not in place.
Between early January and late February 2020, the attackers gained access to the personal data of 5.2 million Marriott guests, including their:
- Contact information
- Personal preferences
- Loyalty account details
- Partnerships and affiliations
It wasn’t until the end of February that Marriott’s security team noticed the suspicious exfiltration activity and sealed the security breach.
Marriott informed all guests whose data was stolen and set up a dedicated website to provide information to affected guests. Marriott had already suffered earlier breaches in 2014 and 2018, for which it was fined $24 million (£18.4 million) by the U.K. Information Commissioner’s Office (ICO) in 2020.
The 2020 breach included personally identifiable information, so Marriott will likely face monetary penalties once again.
The employees who stole General Electric’s trade secrets to start a new company and compete with their ex-employer
From 2008 to 2019, two employees of General Electric (GE) stole company trade secrets by downloading thousands of files from company servers, uploading them to their private cloud, and sending the data to personal email addresses.
The stolen data included valuable information on advanced computer models, pricing, and marketing information. The insiders used this information to start a new engineering company and compete with GE on tenders for new projects. GE’s cybersecurity system failed to detect these malicious activities even though they went on for several years.
GE lost several tenders to the new company, although GE didn’t know that its former employees founded the company. When GE discovered the scam, it reported the incident to the FBI. In 2020, one of the ex-employees was sentenced to two years in federal prison and fined $1.4 million. The other was also fined and sentenced to one year in prison.
There was another insider attack at GE in 2017 when an engineer conspired with a Chinese businessman to steal trade secrets for their own startup. The engineer was indicted in 2021.
The Cisco Systems ex-employee who purposely damaged its cloud infrastructure
In 2018, Cisco’s cloud infrastructure was not protected with reliable access management tools or two-factor authentication mechanisms. Knowledge of these weaknesses allowed a malicious ex-employee to access the infrastructure and deploy malicious code.
With the code, the attacker deleted 456 virtual machines used for Cisco’s WebEx Teams application, which locked out 16,000 WebEx users from their accounts for two weeks.
When the incident was discovered, Cisco audited its infrastructure and fixed the damage, spending about $1.4 million in employee time and another $1 million in restitution costs to affected users.
The Tesla employee who took advantage of his access and privilege to sabotage the company
In 2018, a Tesla employee used fake usernames to change the code used in the company’s manufacturing operating system. He also exported large amounts of sensitive data (gigabytes’ worth), including trade secrets, to unknown third parties.
The motive for the attack was revenge. The attacker wanted a promotion that he did not receive. He used his insider privileges to cause extensive and damaging sabotage against the company.
Following the sabotage and data leak, Tesla’s share prices fell by 5 percent and delayed a production ramp-up.
Tesla faced another insider threat in September 2020 when a foreign national attempted to “recruit” an employee to transmit malware onto Tesla’s network to exfiltrate sensitive data.
The Twitter employees who got phished and unwittingly participated in scamming hundreds of Twitter users
In July 2020, a few Twitter work-from-home employees were the victims of a targeted spear-phishing attack. Hackers gathered information about them via “vishing” (voice phishing) to compromise their credentials and gain access to administrator tools.
The tools allowed the hackers to access 130 private and corporate accounts of famous Twitter users, including Barack Obama, Elon Musk, and Jeff Bezos. The attackers then:
- Changed these users’ credentials
- Tweeted scam messages to millions of their followers
- Promoted a Bitcoin scam
- Transferred $180,000 worth of Bitcoin to scam user accounts
The attackers almost got away because Twitter didn’t notice their suspicious activities in the admin tool until the scam messages were already published. They also did not have privileged access management or UBA in place to protect and detect unauthorized activities.
The incident was the most high-profile data breach at Twitter and led to a 4 percent fall in the company’s stock price.
The employee who sold Bupa’s customer data for financial gain
In 2017, an employee stole more than 500,000 customer records and sold them on the dark web. He extracted this data from Bupa’s CRM system, which at the time contained 1.5 million records.
The employee accessed the system, copied the information, and then deleted it from the database before selling it. The data included names, birthdates, email addresses, and nationalities of Bupa customers from 122 countries.
An investigation revealed that the attacker had been accessing customer data since 2013. He saved three datasets, including credit card details to his desktop and sent some information via email to his personal account.
Bupa’s mistake was giving too many people access to large volumes of data. The company also didn’t monitor logs, so they were unable to detect suspicious activities like this one.
Britain’s ICO fined Bupa £175,000 ($228,000) for its failure to implement adequate security controls to protect customers’ information and prevent internal users from stealing this information for financial gain.
Strategies to Prevent Insider Threats
Organizations can resist insider threats and reduce cyber exposure by following proven security best practices. These include:
Implement Two-Factor Authentication (2FA)
2FA uses two different authentication factors when verifying a user’s identity before granting access to an enterprise system or application. This additional factor could be a code sent via text message, a fingerprint scan, or a security token.
Adding another factor to the authentication process makes it significantly harder for insider criminals to gain unauthorized access to your systems, even if they somehow manage to steal the username and passwords.
Implement Device IDs
When you implement device IDs, your employees can only use those programs that have been verified as being secure before gaining access to certain information or performing certain actions. Hacking into this type of system can be quite complex, which minimizes the possibility of insider attacks.
It’s also essential to perform regular audits for shadow IT to ensure that users are not using applications or devices that are not expressly approved by the IT team. In addition, implementing a least privilege access model limits access and prevents users from accessing or compromising resources and data.
Keep an Eye on All Red Flags
Earlier we saw how victim companies failed to identify suspicious activity that ultimately led to breaches and attacks. You can, however, detect such red flags by deploying employee monitoring software, user behavior analytics (UBA), and security information and event management (SIEM) systems.
These tools detect many insider threat indicators that may devolve into a full-blown attack, such as:
- Employees consistently working outside scheduled work hours
- Remote employees logging in from different locations or devices
- Users sending large amounts of sensitive information to removable drives, the cloud, or personal accounts
- Current or ex-employees complaining about the organization on social media
- Insiders grappling with personal problems such as gambling debts or alcohol addiction
- Insiders who deliberately bypass IT security controls, such as by using another employee’s password or tailgating into the office instead of using their own ID card
- Frequent displays of anger or frustration
Train Employees on Security Awareness
Employee cybersecurity training can increase the level of awareness within the organization. It discourages malicious insiders and makes negligent insiders think twice about their cyber hygiene knowledge and practices. This awareness program should teach them:
- How to detect and avoid phishing and ransomware attacks
- How social engineering works
- How to create strong passwords
- Why they should not share passwords or use unsecure Wi-Fi networks
- How to secure their remote devices
- Email communication best practices
- Why shadow IT applications are forbidden
In addition to the above strategies, you should also consider these best practices to prevent and mitigate insider threats:
- Install strong security protections such as firewalls, heuristic-based antivirus software, endpoint detection and response (EDR) tools, and data loss prevention (DLP) tools.
- Encrypt all enterprise data and devices.
- Perform regular backups.
- Regularly audit user access rights and permissions.
- Continuously monitor your IT ecosystem to detect suspicious activities.
Protect Your Organization from Insider Threats with Reciprocity ROAR
For most organizations, internal cybersecurity threats will be a constant challenge. You can minimize the potentially catastrophic impact of these threats with Reciprocity ROAR.
Reciprocity ROAR is intuitive and simple to use. It streamlines evidence management, workflows, continuous monitoring, and reporting for risk management.
Security policies, incident response procedures, and internal controls must be documented and updated regularly to assure that they meet the evolving cybersecurity environment. With Reciprocity ROAR’s document repository, policies and procedures are revision-controlled and easy to find.
Workflow management features offer easy tracking, automated reminders, and audit trails. The ZenConnect feature enables integration with popular tools such as Jira, ServiceNow, and Slack, assuring seamless adoption within your enterprise.
Insightful reporting and dashboards provide real-time visibility to gaps and high-risk areas. By better understanding your risk landscape, you can take action to protect your business from cyber attacks, avoid costly data breaches, and monitor the security posture of your vendors.
Strengthen your cybersecurity posture by leveraging Reciprocity ROAR’s single source of truth to highlight critical vulnerabilities and potential insider threats affecting your organization.
Schedule a demo to see how Reciprocity ROAR can continuously and effectively protect your organization from insider threats.