The now-public whistleblower allegations that Twitter may have active foreign spies on its payroll are sure to raise concerns about insider threats at companies everywhere. But focusing only on potential spies is a mistake. Today anyone, not just those who may have a strong ideological or financial desire to disclose information about their organization, can be an insider threat.
With the growth of big data, supply chain cyber attacks and online extortion, not only can anyone pose an insider threat, but often they do so unknowingly. The threat is particularly dangerous to banks and financial institutions, multinational corporations and critical service providers as state-backed actors from places like Russia and China attempt to use more advanced cyber tools.
Most companies are not well-prepared or even aware of this threat and that needs to change. There must be dedicated efforts on both a tech and human level to deal with this growing danger.
There is no doubt that the growth of data, and the availability of that data everywhere from social media to commercial databases, has changed the field of intelligence for both the good guys and the bad guys. For example, such data, and the tools to analyze it, have helped solve decades-old murders and other crimes; and in the cybersecurity sector, services like VirusTotal and Microsoft MSRC have been a game changer in helping to identify and prevent attacks.
But at the same time, bad actors can use these same databases to collect information on targets. Someone can fairly easily find out a person’s contact information, place of residence, habits, interests, friends and family, and then use that to help carry out cyberattacks, especially those involving the software supply chain or online extortion.
Supply chain attacks targeting cloud services can cause massive damage, as the infamous SolarWinds attack revealed to the world. Often these attacks involve taking advantage of someone inside a company, who installs an update or reveals login or other sensitive information. And those inside the companies who answer these phishing emails or download files do not even realize what they are doing, or that they are hurting their organization and others.
Online extortion, including sextortion, is also used against people inside a company, or increasingly against their relatives or other connections, to get them to divulge information in the face of threats. Attackers can threaten to post embarrassing photos or other sensitive personal details unless the target agrees to hand over login credentials or other information to aid in an eventual cyberattack or cyber espionage. The growth of available data and intelligence makes these threats more credible, because attackers are armed with information about a target’s interests, routine, and acquaintances.
Too often, people targeted in such schemes give in to demands, because they fear embarrassment, or even for the safety of themselves or their loved ones, if they report the incident or refuse to comply. In addition, attackers can simply bribe people for company data or access. For example, the group Lapsus$, which has successfully attacked Microsoft, Cisco, Nvidia and the online authentication company Okta, relies on recruiting company insiders, offering money to employees and key personnel who divulge credentials or other information needed to carry out attacks or breaches. Whether someone is scared into divulging information or does so for money, anyone can find themselves in this situation, suddenly becoming a real insider threat to their company, even if that was never their intention.
Companies need to act now. And given the fact that anyone and everyone can present an insider threat while often not even realizing they are causing harm, companies need to think beyond simply character screenings by human resources departments. One basic step is to encrypt more data, so that it is harder to share, no matter what intentions employees have when sharing it. But an effective solution is not just technical.
Organizations need to have a dedicated plan and resources to deal with these emerging types of insider threats. As I have seen in many companies, too many red flags and other warning signs of insider threats slip through the cracks because they fall outside the clear domains of human resources, the CISO, the CSO and others. To better ensure security, a specially appointed person or department needs to be able to connect all of the dots and oversee the identification and mitigation of such insider threats. Such a position should be appointed directly by the CEO or board of directors, and have adequate independence and accountability to analyze data and behavior across departments.
Because it is impossible to simply increase the monitoring of every single employee, organizations need to carry out an insider threat differentiation analysis in order to profile the highest-risk individuals. The first step, as in any realm of cybersecurity, is to identify the likely threats, not only from the organization’s point of view but from the attackers’ point of view. Organizations need to understand what they offer attackers. Depending on the organization, that could include valuable customer data, deep pockets for ransom, intellectual property, a good reputation or competitive advantage, and more.
Next, organizations need to understand how potential attackers would carry out such attacks, and which assets, including data, information or operations, they would target to achieve their goals. Finally, companies should map which employees are involved in or connected to those assets, and then concentrate on monitoring and training them to avoid becoming insider threats. It is also important to remember that anyone identified as a key possible insider threat also has close contacts, including family members, friends and household help, who could also be exploited. The home networks and devices of potential insider threats should also be considered when closing security gaps. As the Twitter case has once again highlighted, companies often have no idea which or how many devices employees are using, what they are using them for, and what software or apps are installed.
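The differentiation analysis described in the two paragraphs above, worked through as a small scoring model: attacker goals set the value of each asset, employees are mapped to the assets they can reach, and the extended surface an extortionist could exploit (home devices, exposed relatives) scales the result. This is an added illustration, not the author's method; all names, access levels and weights are constructed for the example.

```python
"""Insider-threat differentiation analysis: rank employees by attacker-facing exposure.

Steps mirror the article: (1) what the organisation offers attackers, expressed as
an attacker_value per asset; (2) which employees are connected to those assets;
(3) the household/device surface around each person. Weights are constructed.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    attacker_value: int  # 1-5: worth to an attacker (ransom leverage, resale, IP)


@dataclass
class Employee:
    name: str
    access: dict[str, int]     # asset name -> access level (1 = read, 2 = admin)
    household_devices: int = 0  # unmanaged home devices that can reach work data
    exposed_contacts: int = 0   # relatives/household members with public profiles


# Constructed asset inventory, valued from the attacker's point of view.
ASSETS = {a.name: a for a in [
    Asset("customer_db", 5),
    Asset("payments_gateway", 5),
    Asset("product_roadmap", 3),
    Asset("marketing_site", 1),
]}


def exposure_score(emp: Employee, assets: dict[str, Asset]) -> float:
    """Core exposure = sum(attacker_value * access level) over reachable assets,
    scaled by the extra surface an extortionist or recruiter could lean on."""
    core = sum(assets[a].attacker_value * lvl
               for a, lvl in emp.access.items() if a in assets)
    surface = 1 + 0.1 * emp.household_devices + 0.2 * emp.exposed_contacts
    return round(core * surface, 1)


def prioritise(employees: list[Employee], assets: dict[str, Asset], top_n: int = 3):
    """Return the top_n (name, score) pairs: who gets focused monitoring and training."""
    ranked = sorted(employees, key=lambda e: exposure_score(e, assets), reverse=True)
    return [(e.name, exposure_score(e, assets)) for e in ranked[:top_n]]


# Constructed staff list for the example.
STAFF = [
    Employee("alice", {"customer_db": 2, "payments_gateway": 2}, household_devices=3, exposed_contacts=2),
    Employee("bob", {"product_roadmap": 1, "marketing_site": 2}, household_devices=1),
    Employee("carol", {"customer_db": 1}, exposed_contacts=4),
    Employee("dave", {"marketing_site": 2}),
]
```

Note that carol outranks bob despite holding less access: her exposed household makes the single high-value asset she can read the easier path for an extortionist.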
These potential insider threats, and ideally the entire workforce, should also be trained and informed about how to avoid becoming an insider threat. They should be taught and reminded on a regular basis how to recognize phishing attempts, and not to share any passwords or other credentials, even those for personal use, like Netflix passwords or Apple IDs. In today’s world, these personal logins and credentials, in the wrong hands, can aid in extortion and data breach attempts that could ultimately lead to accessing a company’s sensitive information.
In addition, to deal more effectively with extortion, processes should be created so that targeted employees can comfortably and privately report online extortion attempts.
Companies need to make serious efforts in this realm, as executives and businesses are not only valuable targets economically, but can carry significant weight and influence in the geopolitical landscape. This became clearer recently, when the U.S. Department of the Treasury revealed its work in cooperation with the European Union on the REPO Task Force to track and target Russian oligarchs as an additional way to put pressure on President Vladimir Putin following his invasion of Ukraine. As they play a bigger role in geopolitics, executives and companies are also increasingly the targets of both criminal and state-backed attackers, either directly or via an insider threat.
This is especially the case as countries targeted by economic sanctions take steps to retaliate. For example, it is a very realistic possibility that we will see China use cyberattacks against Taiwanese business executives in order to put pressure on Taiwan. And it is this new type of insider threat, which could really be anyone, that could allow China or other parties to succeed.