Recent cases highlight need for insider threat awareness and action

On September 1, a crew of US government offices launched the fourth-annual National Insider Threat Awareness Month (NITAM). The goal of the month-long event is to educate the government and industry about the dangers posed by insider threats and the role of insider threat programs. This year’s campaign focuses on the importance of critical thinking to help workforces guard against risk in digital spaces.

The NITAM launch announcement cited recent examples of insider threats in the digital space:

• The August 2022 conviction of Twitter employee Ahmad Abouammo, who took bribes in exchange for accessing, monitoring, and conveying the private information of Twitter users to officials of the Kingdom of Saudi Arabia and the Saudi Royal family.
• The July 2022 conviction of former CIA employee Joshua Schulte, who used his access at CIA to some of the country’s most valuable intelligence-gathering cyber tools to covertly collect these materials and provide them to WikiLeaks.
• The June 2022 guilty plea of former US Army helicopter pilot turned civilian contractor Shapour Moinian, who accepted thousands of dollars from representatives of the Chinese government to provide aviation-related information from his defense-contractor employers.

Joe Payne, CEO and president of Code42 and this year’s chairman of the Insider Risk Summit, kicked off the event by pointing to another example, “probably the biggest insider risk case that we have seen in years,” namely, of coding automation company Appian. Appian was awarded $2.036 billion in damages for trade secret misappropriation after a jury in the Circuit Court for Fairfax County, Virginia, found that low-code platform provider Pegasystems hired an employee of a government contractor to essentially spy on Appian to learn how to better compete against its rival.

“The company Pegasystems is not worth $2 billion,” Payne said. “Today, the company Appian is worth about $3 billion after that $2 billion award. Look at the size and the magnitude of the problem that can be caused by one contractor, and you can begin to understand that insider risk can be very damaging in our industry today.”

In a more recent example of insider risks, Twitter’s former security chief Peiter Zatko, also known as Mudge, testified before a Senate panel about the presence of Chinese agents on Twitter’s payroll. He also raised concern about other foreign agents, including at least one from India, on the social media company’s payroll.

Unintentional insider threats could be the biggest risk

These stark examples of organizations’ insider risks are considered intentional or malicious instead of unintentional or non-malicious threats. “Unintentional threats include careless insiders, who are often overlooked in most research and academic activity and not even included in the definition of an insider threat itself,” Jon Ford, managing director, insider threats at Mandiant, tells CSO. “This is a major flaw as unintentional insider threats represent the largest group of insider threats. Most research suggests that careless insiders cause 50% to 75% of insider threat events,” he says.

“It’s users who are unintentionally and unwittingly doing things that increase the risk to the organization,” Oz Alashe MBE, CEO, and founder at CybSafe, tells CSO. “I don’t think the biggest insider risk and threat are users who are deliberately and maliciously stealing information, providing access to networks and systems.”

Insider foreign espionage threats are rare

The highly public instances of actual or possible malicious insider threats, particularly those involving nation-states, belie that most insider threats are non-malicious and don’t involve nation-states. “The Zatko accusation was that foreign government espionage agents were on Twitter’s payroll,” Lisa Forte, partner at Red Goat Cybersecurity, tells CSO. “These sorts of cases are extremely rare indeed.”

However, according to Forte, more common are corporate or industrial espionage cases where corporate intellectual property is stolen and given to a competitor, usually in another country. “These cases don’t involve government ‘spies’ but instead employees who want to make some money or ingratiate themselves with another competitor for a promotion,” Forte says.

Even if foreign spies on the payroll are a rare insider risk, “Employees must be educated about this risk and the modus operandi of these approaches so they can identify an espionage approach,” Mandiant’s Ford says. “It is not uncommon for people in an organization to believe they are participating in an innocent business meeting while they are being elicited for trade secrets.”

How to find insider threats

The techniques for spotting insider threats vary and depend on the type of threat – malicious or unintentional – an organization might face. On the malicious side, watch out for uncharacteristic behavioral changes, Alashe says. “Some organizations would look at that as what time individuals normally log on and log off or changes in email traffic. They are indicators of areas of interest that might warrant further focus.”

Individuals who are disgruntled or unhappy with the organization or know they will be terminated are another sign of a possible malicious insider threat. “One of the challenges we’ve seen is organizations with an individual who knows they’re going to be terminating, but they haven’t had their access closed down. So, they’ve got a period of time where they heightened risk of an insider threat,” Alashe says.

Forte says that theft, excluding corporate or industrial espionage cases, is considered an “end of employment” event. “In almost all the cases observed, it has occurred a month on either side of the person’s resignation.” In addition, according to Forte, two significant factors present in theft cases include employees who have become dissatisfied with or possessive of their work.

When it comes to unintentional insider threats, “Actions an employee may take because they are quick or convenient, such as sharing or reusing credentials, copying files to a personal thumb drive or storing files in personal cloud storage also represent insider risk even though they may not be malicious,” Ford says.

Another indicator of a non-malicious insider threat is if an employee fails to complete their security awareness training. “Training doesn’t change behavior, but it’s one that I know organizations use on the non-malicious side,” Alashe says.

Steps to protect against insider threats

Organizations can take steps to minimize the degree of insider threats. “The first step should be to conduct a full insider threat capability assessment, which will help to identify existing gaps and areas for improvement,” Ford says. “Leveraging insights gleaned from the assessment, organizations can start building out an effective insider threat program that balances employee privacy with security and should include clearly defined components, functions, scope, and governance structure.”

Forte says the particular steps to ward off insider threats depend on the threat type: fraud, theft, or sabotage. To minimize insider theft, Forte recommends, among other things, that organizations identify the most commercially sensitive assets, identify the individuals with access to them, and provide them with enhanced insider threat training. “In some cases, people didn’t realize that the reports they were working on were not theirs to take a copy of when they left,” she says.

Alashe says a crucial step to addressing insider threats is deciding in the first place that non-malicious insider activity is an insider threat. “Some organizations will say our security awareness team takes care of the kind of non-malicious stuff and our insider threats team takes care of the malicious stuff,” he says. “The more progressive organizations don’t think of it like that at all. They think of it more holistically.”