Insider Threat Report 2024
Data Has Never Been More Vulnerable To Insider Threats
The Insider Threat Report 2024 aims to equip today’s business leaders with an understanding of the significant impact of insider threats today, trends in the insider space, and the steps organizations can take to reduce the risk of insider security breaches.
Nearly a decade ago, the Harvard Business Review reported that, according to various estimates at the time, at least 80 million insider cyberattacks, involving connected companies or direct employees, occurred in the U.S. each year, and that the true number may have been much higher because such attacks often went unreported.
Today, the business landscape is digital-first, with scores of employees and contractors working remotely and handling corporate data through personal devices, creating an increasingly complex technological ecosystem underscoring the growing risk of insider threats.
Identifying and managing insider threats effectively is now imperative for business success, particularly considering that one in three data breaches now involves insiders.
Whether a security incident is caused by an accidental insider or deliberate acts of sabotage, the outcome can be the same. Organizations risk the potential loss or theft of data, compromised networks, ransomware and blackmail, financial damage, legal battles, and reputational harm.
Even the most well-intentioned employee can inadvertently become an insider threat and cost their organization millions of dollars in remediation and recovery.
Unfortunately, today’s chief information security officers (CISOs) consider insiders as among the most difficult threats to detect and prevent.
The right security tools and policies can mitigate the risk of external and internal cyberattacks. However, we cannot focus solely on technological solutions.
It is crucial to foster a supportive and human-centric environment where employees who have caused a data leak or exposed corporate assets through negligence or error feel they are able to speak up.
WHAT ARE INSIDER THREATS?
Insider threats are as varied as the methods organizations adopt to detect and prevent them.
The nature and definition of insider threats are in a constant state of evolution. At first glance, insider threats are often associated with individuals who deliberately wish to sabotage their employer’s systems, networks, or assets.
In reality, however, malicious insiders are not necessarily the internal threats that pose the greatest risk to organizations.
Insiders are typically characterized as individuals or groups possessing privileged knowledge of a target from within an organization. Privileged knowledge may include an intimate understanding of processes and security measures, a company’s strengths and weaknesses, and where sensitive information is stored.
These insiders may handle sensitive information during their day-to-day roles or could be the owners of privileged accounts that authorize access to corporate resources, consumer records, and intellectual property.
Geographical limitations no longer confine insiders, who could be in-house employees, remote workers, visitors, or contractors. Furthermore, insider threats can sometimes be traced back to supply chain vendors and partners.
Malicious insiders
In certain instances, insiders may deliberately act maliciously: stealing information, sabotaging networks, or working with cybercriminals to provide an initial access point into a network for the purposes of malware deployment or surveillance.
Malicious insiders breach the trust placed in them by their employer, typically for their own ends.
For example, a disgruntled employee could access sensitive information with the intention of damaging, destroying, stealing, or selling it, whether intellectual property or consumer records.
Similarly, a contractor with access to a corporate network could agree to ‘accidentally’ click on a phishing email and install ransomware in return for a share of a blackmail payment. Or, a group of employees could collude with cybercriminals or rival companies and agree to steal valuable intellectual property, perpetrate fraud, or engage in espionage.
Malicious insiders can also be opportunistic, an example being the case of an IT analyst who tried to capitalize on an ongoing ransomware attack to defraud his employer.
Employees departing for a new role can also become insider threats. Intellectual property is precious, and individuals leaving the company may be tempted to download files that give them a recruitment advantage. Alternatively, data could be stolen as a vengeful act following disciplinary action.
However, not all insiders are malicious. Insider-related incidents can also be caused by negligence and human error.
Negligent insiders
What complicates the task of tracking non-malicious insiders is that the same measure of trust can be broken, despite employees having the best intentions.
It is important to differentiate between malicious and non-malicious insiders. Employees and contractors can become security threats without harboring any intention of becoming so, and they should not be treated in the same manner as an employee who performs criminal acts.
Accidental insiders inadvertently cause damage or unwittingly cause a data breach, creating conditions that expose an organization’s network, data, and assets to sabotage.
A non-malicious insider might, for instance, click on a phishing email and unknowingly download and execute ransomware, leading to network encryption, data theft, and disruption to business operations. Alternatively, they could accidentally transfer confidential client data and intellectual property to an insecure personal device, a vulnerable cloud storage service, or an email account belonging to someone outside of their organization.
In 2021, a City of Dallas employee was fired after an audit revealed they improperly moved police evidence from cloud storage to local servers, ultimately resulting in the accidental deletion of roughly 22.5 terabytes of investigative data.
Even so, non-malicious insiders displaying negligent behavior can be just as destructive as malicious threat actors. Companies are put at risk when employees circumvent security controls and policies they consider inconvenient or disruptive to their workflows.
Compromised insiders
Compromised insiders have no knowledge of being a threat to their employer.
According to Verizon’s 2023 Data Breach Investigations Report, 74 percent of all breaches are caused by the human factor, with social engineering, human errors, and privilege misuse among the most common reasons for a security incident to occur.
Attackers will exploit weaknesses and vulnerabilities to achieve initial access into a target network. While this can include the exploitation of zero-day vulnerabilities and unpatched bugs, the human element is frequently the weak link under assault.
Compromised employees may have been targeted by cybercriminals through phishing, social engineering, Business Email Compromise (BEC) scams, or stolen credentials.
A cybercriminal could, for example, gain access to an employee’s mobile device, computer, or email account without the knowledge of the compromised insider. If data is being incorrectly transferred between corporate and personal devices or services, it becomes ripe for theft or abuse.
Moreover, the use of weak or predictable account credentials to access corporate resources, alongside generally lax security practices, could provide entryways for cyberattackers.
TRENDS IN THE INSIDER THREAT SPACE
“When it comes to protecting data, companies need to be vigilant and proactive,” says George Kurtz, CEO at CrowdStrike. “They need systems and tools that let them take immediate action when required. With employees able to work from anywhere, at any hour, with endless options to stash data on devices or in the cloud, every second counts. Incident detection and response needs to happen in real-time and without limitations from time zones or geography.”
Technological innovations, including the cloud and artificial intelligence (AI), are rapidly transforming how businesses operate.
With every innovation, however, comes new risks and opportunities for exploitation, whether through malicious activities or unintentional outcomes.
According to Cybersecurity Ventures, global data storage will exceed 200 zettabytes by 2025. Given the sheer amount of data that needs protection, it’s no wonder that data loss and exposure are of serious concern to organizations, spanning from Fortune 500 companies to small and medium-sized businesses.
Despite the fact that 72 percent of organizations dedicate resources and time to insider risk prevention programs, 71 percent of businesses still expect insider-related data loss to increase over the next 12 months.
This growing concern is due to a multitude of factors and changes in the business landscape spanning a decade, including personal device use, remote and hybrid roles, and the introduction of new, unfamiliar technologies into employee workflows.
Bring Your Own Device
Approximately a decade ago, the enterprise began to adopt ‘Bring Your Own Device’ (BYOD) policies.
Almost 80 percent of U.S. organizations have implemented BYOD since 2018, and 67 percent of employees have used their personal mobile devices for work-related tasks.
Encouraging employees to use their own mobile devices, tablets, and laptops can reduce expenditure and give staff additional flexibility. However, BYOD practices can be detrimental to security as they blur the lines between professional and private lives.
A Pulse survey of 100 security leaders revealed that 91 percent of respondents believe employees and contractors are likely to exfiltrate data from corporate systems via their mobile devices.
While the majority of IT leaders say that gaining visibility into the volume of corporate data exfiltrated through mobile devices is important, 61 percent of respondents also said that fewer than 25 percent of employees have company-issued devices.
In contrast, only 13 percent of respondents estimated that over 50 percent of employees were provided with corporate handsets.
A balance has to be maintained between respecting privacy and maintaining security, but for many employees, permitting mobile device management (MDM) solutions to be installed on their personal devices is an unacceptable proposal. While organizations can effectively oversee endpoint devices allocated to employees, they cannot maintain the same level of oversight when BYOD policies are in place.
Consequently, BYOD practices can create blind spots in corporate security. IT professionals may find BYOD reduces visibility into the access and transfer of sensitive data, not to mention the risks posed by personal devices that may be out of date, unpatched, or compromised.
Although BYOD policies were on the decline by 2018 in favor of corporate-issued devices and heightened security, the pandemic was a catalyst for the return of these policies — and an even wider potential attack surface for insiders to exploit.
Remote and hybrid work environments
The COVID-19 pandemic compelled businesses to rethink their existing operational processes to ensure they survived through serious disruption, collapsing supply chains, and stay-at-home orders for employees.
Several years ago, it was customary for the majority of employees to work on-site, but after organizations required employees to work from home, the adoption of remote and hybrid roles became entrenched in modern business practices and culture.
While the call to return to the office has become increasingly loud, many organizations are experiencing pushback from employees and contractors who want to retain their remote status.
With remote and hybrid agreements now potentially permanent, when staff are located outside of the office — and in some cases, in different countries and time zones — this can cause headaches for security teams.
A survey conducted during the pandemic estimated that 91 percent of executives believed cyberattacks on their organization increased because of remote working. As of 2023, 12.7 percent of U.S. employees still work fully remotely, and Upwork estimates suggest roughly 32.6 million Americans, or 22 percent of the workforce, will follow suit by 2025.
Similar to the challenges posed by BYOD, but arguably intensified, removing staff from the relatively controlled confines of a physical office environment can create security blind spots. It may be more difficult, for example, to detect suspicious behavior or to respond quickly to an accidental insider incident.
When a team is dispersed across countries and time zones, and members use personal devices to access corporate resources, it can be challenging to find solutions or tools able to effectively monitor and manage an expanded attack surface.
Insiders may be able to take advantage of this lack of visibility to perform malicious activities. When human errors occur and accidents take place, remote setups may delay incident response and remediation efforts.
Another post-pandemic challenge facing organizations is technical debt. When businesses worldwide were required to rapidly digitalize existing operational processes, many adopted solutions and implemented changes that would suit them in the short term — but they may now be detrimental to security. Legacy infrastructure, clashes between security policies, and the use of remote software and equipment may all contribute to an insecure environment for workplaces today.
The Great Resignation
The pandemic and its aftermath served as a catalyst for the phenomenon known as “The Great Resignation.”
Countless employees have voluntarily left their roles in the past two years, for reasons including a poor work-life balance, a shift in priorities, and a desire for greater pay, the last of which was cited by 71 percent of respondents to PwC’s Global Workforce Hopes and Fears Survey.
This global reshuffle is far from over, with some employees refusing to return to the office. Now, with so much movement and talent churn, there is also an increased risk of insider activity.
While the desire to change roles is strong in many individuals, there is also job insecurity in the market. Many organizations went on hiring sprees post-pandemic, but they are now grappling with the challenges of a weak economy, prompting mass layoffs which, in some cases, treat staff with abject cruelty.
When you combine job insecurity, a struggling economy, increased cost of living, a desire to change roles, and — in some cases — a lack of care or respect for hard-working employees, individuals may be tempted to conduct insider sabotage or theft.
An unstable economy can have a psychological impact on individuals, and we need to consider that some may resort to becoming insider threats for financial purposes or for job market advantages when they would not have become so in more stable conditions.
Identifying insiders who are about to leave an organization can be a challenging prospect. A soon-to-be former employee’s sudden download of data a day before their leaving date could be an indicator of theft. But if malicious insiders plan well, they may decide to covertly exfiltrate data in smaller portions at a time, well in advance and over an extended period. This tactic leaves little evidence that matches known malicious patterns of behavior.
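The slow-drip pattern described above is precisely what a single-day volume threshold misses. The following added example, which is not part of the report, contrasts a per-day spike detector with a per-user comparison of the last 30 days against the 30 days before; the user names, thresholds and transfer records are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

SPIKE_THRESHOLD_MB = 1000   # single-day volume at which a spike detector alerts
WINDOW_DAYS = 30            # length of both the recent window and the baseline window
DRIP_RATIO = 3.0            # recent-window volume must reach this multiple of the baseline
DRIP_MIN_MB = 2000          # ignore small absolute volumes even when the ratio is high
AS_OF = date(2024, 2, 29)   # last day covered by the constructed records


def build_sample_records(start=date(2024, 1, 1), days=60):
    """Constructed per-user daily transfer volumes in MB (not real audit data).

    alice: steady use, then one large download on her final day.
    bob:   steady use in month one, then a modest but constant daily drip.
    carol: steady use throughout (control).
    """
    records = []
    for i in range(days):
        day = start + timedelta(days=i)
        records.append(("alice", day, 50))
        records.append(("carol", day, 50))
        records.append(("bob", day, 50 if i < 30 else 400))
    records.append(("alice", start + timedelta(days=days - 1), 2000))
    return records


def daily_totals(records):
    """Sum volume per (user, day)."""
    totals = defaultdict(int)
    for user, day, mb in records:
        totals[(user, day)] += mb
    return totals


def daily_spike_alerts(records, threshold_mb=SPIKE_THRESHOLD_MB):
    """Flag (user, day) pairs whose single-day volume exceeds the threshold."""
    return {k for k, mb in daily_totals(records).items() if mb > threshold_mb}


def slow_drip_alerts(records, as_of, window_days=WINDOW_DAYS,
                     ratio=DRIP_RATIO, min_mb=DRIP_MIN_MB):
    """Flag users whose volume over the recent window is a multiple of their
    own volume over the preceding window of equal length.

    Returns {user: (recent_mb, baseline_mb)}.
    """
    recent_start = as_of - timedelta(days=window_days - 1)
    baseline_start = recent_start - timedelta(days=window_days)
    recent, baseline = defaultdict(int), defaultdict(int)
    for user, day, mb in records:
        if recent_start <= day <= as_of:
            recent[user] += mb
        elif baseline_start <= day < recent_start:
            baseline[user] += mb
    alerts = {}
    for user, mb in recent.items():
        base = baseline.get(user, 0)
        # A user with no baseline (e.g. a new account) is judged on min_mb alone.
        if mb >= min_mb and (base == 0 or mb / base >= ratio):
            alerts[user] = (mb, base)
    return alerts


if __name__ == "__main__":
    recs = build_sample_records()
    print("spike alerts:", sorted(daily_spike_alerts(recs)))
    print("slow-drip alerts:", slow_drip_alerts(recs, AS_OF))
```

In the constructed data the spike detector sees only alice's final-day download, while bob's 400 MB per day never crosses the daily threshold and is caught only by the window comparison; neither detector alone covers both cases.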
The adoption of cloud solutions and new technologies
Online communication tools, storage solutions, and remote access to company resources were all developed at breakneck speed due to the sudden demand created by stay-at-home orders during the pandemic.
Businesses have adopted these tools en masse, and while they can improve productivity and foster improved communication between teams and customers, we began to see the risks posed by remote technologies with the emergence of “Zoom-bombing,” when intruders enter remote corporate calls without authorization.
Each tool added to existing workflows, whether a videoconferencing or collaboration platform such as Microsoft Teams, Slack, and Zoom, or a cloud-based system such as Dropbox and AWS, increases the risk of human error and may introduce vulnerable entry points susceptible to damage, theft, and data exposure.
New innovations entering the mainstream also warrant our attention. ChatGPT, for example, is an artificial intelligence (AI) chatbot that many organizations are now taking advantage of to streamline tasks and increase employee efficiency.
Nevertheless, as Samsung found to its detriment, permitting the use of new tools without reading the fine print can lead to accidental insider breaches. Samsung banned the use of ChatGPT after engineers submitted confidential source code to the AI chatbot, unknowingly leaking intellectual property and corporate secrets.
New technologies can be overwhelming, causing stress and leading to mistakes and unintended security breaches. Indeed, organizations may increase the risk posed by non-malicious insiders, as the likelihood of human error rises when users are unfamiliar with tools and lack sufficient training.
INSIDER SECURITY INCIDENTS
Insider threats can be found at each level of an organization, and as shown below, can wipe out an organization’s market value overnight or lead to legal battles between companies.
Massachusetts National Guard (US Air Force): In 2023, 21-year-old U.S. Airman Jack Teixeira was accused of leaking classified intelligence online. The FBI claims the junior airman shared government information in Discord servers, one of which included foreign nationals among its members.
Ubiquiti: In 2023, an engineer reportedly hired by Ubiquiti was sentenced to six years in prison after pleading guilty to stealing tens of gigabytes of data before demanding a $1.9 million USD ransom from his former employer. When these demands were refused, the engineer “re-victimized” the company by pretending to be a whistleblower, becoming a source for “misleading news articles” that wiped $4 billion USD off the firm’s market value.
Apple: In 2022, Apple sued chip startup Rivos for allegedly poaching engineers, formerly employed by the tech giant, for their intimate knowledge of Apple’s System-on-a-Chip (SoC) proprietary technologies. An ongoing lawsuit alleges that two ex-employees stole gigabytes of data before they transferred to Rivos.
Proofpoint: Proofpoint claims that a former executive, Samuel Boone, shared confidential competitor strategies with rival Abnormal Security. In a 2021 court filing, the security vendor accused Boone of “pocketing a USB thumb drive to which he covertly misappropriated dozens of Proofpoint’s most closely guarded proprietary documents.”
Google’s self-driving car research: In 2021, Anthony Scott Levandowski pleaded guilty and was sentenced to 18 months in prison for trade secret theft related to Google’s self-driving car program. The former Google executive, a member of Project Chauffeur, copied thousands of files before his departure to found a new self-driving truck company, Otto. U.S. law enforcement estimates losses of up to $1,500,000 USD.
Twitter: A high-profile incident taking place in 2020 involved Twitter. The microblogging platform — now known as “X” with Elon Musk at the helm — was subject to a social engineering attack in which Twitter employees were phished and duped into handing over access to high-profile accounts. Simultaneously, accounts belonging to the likes of Jeff Bezos and Bill Gates were used to promote a cryptocurrency scam to the general public.
Bupa: Another insider case, occurring in 2018, involved UK healthcare giant Bupa. The company was fined £175,000 ($222,000 USD) by data protection watchdogs after an employee stole data belonging to approximately 547,000 customers. The malicious insider exfiltrated the files a year prior by accessing Bupa’s customer relationship management system. They then deleted the evidence before attempting to sell the records on the Dark Web.
Cisco: A former Cisco employee, Sudhish Kasaba Ramesh, broke into the firm’s AWS cloud infrastructure approximately four months after resigning from the company. In 2018, Ramesh deployed code from his Google Cloud Project account and maliciously deleted 456 virtual machines (VMs). Approximately 16,000 WebEx Teams accounts were closed and Cisco was forced to refund customers roughly $1 million USD.
THE COST OF AN INSIDER ATTACK
Insider threats can be considered as dangerous as, or more dangerous than, external cyberattackers. Users with ill intent or a negligent attitude to security, equipped with privileged access to data and resources, cannot be kept out by perimeter-focused cybersecurity solutions. As a result, insiders need to be handled in a different way.
If organizations ignore the risk posed by malicious and non-malicious insiders, there can be significant consequences that impact business operations, revenue, and market value.
Cybersecurity Ventures predicts that global cybercrime costs will grow by 15 percent per year, reaching $10.5 trillion USD by 2025. Cyber incidents are considered the top global business risk of 2013, according to the Allianz Risk Barometer.
According to Code42’s 2023 Data Exposure Report (DER), insider-driven events alone cost enterprise organizations $16 million USD per incident, on average.
Now that companies estimate up to 300 insider events occur per year, cumulative expenses increase rapidly when you consider the costs associated with remediation, incident response, recovery, PR, and legal solutions.
Ponemon research from 2022 indicates that it takes 85 days to contain an insider incident, marking an increase from 77 days in 2021.
CISOS RESPOND
“CISOs don’t love to solve the problem of insider risk... they’d much rather deal with the hacker or some ransomware because when they find it, they can just... smack it,” says Joe Payne, president & CEO of Code42. “But with an insider, we’re talking about our colleagues, our friends, it could be our boss, so it’s a lot more nuanced. It’s not the most passionate problem for a CISO, but it is one that they need to solve.”
The complexity associated with handling insider threats is arguably one of the most difficult challenges faced by today’s security leaders.
In total, 82 percent of CISOs say that data loss stemming from insider incidents is a challenging issue for their company. Furthermore, 27 percent said insider risks were the most complex security problem to address, ranking higher than cloud-related data leaks, malware, and ransomware incidents.
Data loss isn’t the only concern. As cyberattacks continue to escalate worldwide, regulators are passing and enforcing new laws that require organizations to prioritize security hygiene. For example, the Securities and Exchange Commission (SEC) has recently proposed new disclosure rules that would force public companies to report “material” cybersecurity incidents within a matter of days.
Businesses are now beginning to see cybersecurity as a strategic function, as highlighted by a recent KPMG survey of 1,325 CEOs. However, security can no longer just address network perimeters and devices — we also need to adopt a human-centric approach to mitigate the risk of insiders.
While pattern-based monitoring solutions, zero-trust account policies, and mobile device management (MDM) can help organizations detect malicious insider incidents and data theft, the most effective approaches to non-malicious insiders rely on cultural shifts.
Organizations have no obligations towards external attackers and malicious insiders who choose to target them for their own benefit. However, accidental, non-malicious insiders can be loyal and valued by their company, and so must be treated humanely.
By adopting a human-centric approach and approaching unintentional insider threats with empathy and understanding, organizations can tailor training and awareness programs to reduce the risk of accidents and human error leading to security breaches.
Should organizations elect to treat non-malicious insiders with support, rather than punishment, trust will be cultivated. Comfortable employees may be more inclined to reveal mistakes and comply with existing security policies, enabling them to become more aware when errors do happen, and to take appropriate action.
With two-fifths of employees being relatively certain they have made a mistake at work that had security repercussions for themselves or their company, taking away the shame and fear benefits security teams, who are then able to swiftly contain incidents.
To mitigate the risk of insider threats, appropriate technologies must be bolstered by staff empowerment. After all, employees should be treated as allies, rather than liabilities or potential enemies.
Creating a culture founded on support and empathy, and ensuring that employees are educated enough to recognize an accidental breach and feel secure enough to disclose it, are pivotal in tackling the threat of insider breaches.