If you’re busy securing the perimeter, mandating strong authentication practices, and restricting software downloads, you may be missing the mark.
(Just to be clear: if you are doing those things, keep it up. You’re off to a good start, and none of what follows here replaces classic and vital cybersecurity measures.)
Protecting your organization from outside threats is foundational to any effective cybersecurity strategy. But risks are not only the domain of faceless intruders and exposed weaknesses. Insider risk is an often-overlooked, steadily growing threat.
What is Insider Risk?
The suggestion of cybersecurity risk often brings to mind spam emails, malware or ransomware, and intruders breaching an organization’s network to steal their data or take their servers offline. Yet, the cyber risk doesn’t end there. Sometimes the risk hits a little closer to home.
Insider risks and threats come from people authorized to access your network. That may mean employees, contractors, suppliers, consultants, or third-party partners. Essentially, anyone with access to privileged information can pose a risk to your organization.
Key sources of insider risk to be aware of include:
- Negligent Employees - Among the easiest types of insider risk to mitigate is human error. When your employees make careless mistakes like using insecure networks, leaving their devices unlocked, or losing a device or hard drive, your data can fall into the wrong hands.
- Third-Party Partners - Organizations often outsource elements of their business to third parties such as manufacturers, suppliers, fulfillment professionals, or others. These third parties may have user access privileges to systems or networks. Since these users often function outside of typical protocols, your data may be at risk for theft or compromise.
- Malicious Insiders - Not all insider risks result from accidents, carelessness, or error. Some incidents are purposeful. Malicious insiders are those with access to valuable information who seek to capitalize on their privilege in one way or another. Malicious insider threats include data leakage, stolen trade secrets, and other information that they may trade for their own gain. Malicious insiders have been known to steal data to further their careers, to sell or barter it, or to cause reputational damage.
- Former Employees - When employees leave the organization, it’s not always on the greatest terms. Sometimes, disgruntled former employees choose to take information and use it for their benefit. Former employees pose an insider threat similar to malicious insiders, but often with a spiteful aim. These are the insiders most likely to seek reputational damage or retribution should they choose to exploit the information they have.
Noteworthy Incidents
To illustrate insider risk in the real world, consider a few noteworthy insider incidents from recent years:
Negligence: Twitter
In 2020, hackers gained access to 130 Twitter accounts belonging to corporate and private entities with at least 1 million followers. They used these accounts to promote a Bitcoin scam under the guise of endorsements from notable figures, including Barack Obama, Jeff Bezos, Elon Musk, Apple, Uber, and more. These bad actors netted nearly $200,000 as a result.
The hack occurred when internal Twitter employees fell for a spear phishing scam. The cybercriminals researched and contacted their targets on their corporate email accounts, pretending to be Twitter IT support and requesting credentials. Once they had access to these corporate accounts, they could also access admin tools and reset the passwords of high-profile users.
Third-party: Slack
In 2022, Slack’s security team discovered suspicious activity on their corporate GitHub account. A bad actor had stolen employee credentials and used them to access corporate resources.
According to internal investigations, the criminals were able to breach the system through a third-party vendor compromise. Slack did not disclose specifics of the vendor or the attack method. The incident escalated because the security systems in place did not alert security officers until after the private code repositories had been stolen.
Malicious Insider: SGMC
In 2021, a former South Georgia Medical Center (SGMC) employee downloaded private data from internal systems and saved it to a USB drive the day after he resigned. The information included patient names, birth dates, and medical test results. As a result, SGMC alerted the patients and offered identity restoration and credit monitoring services.
SGMC detected this breach when security software alerted staff that the information had been downloaded and pointed to the employee’s actions in copying files to an external drive. Unfortunately, despite early detection, the data was still leaked.
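A detection pattern for the SGMC scenario above, as an added example that is not part of the original article: correlate HR departure events with endpoint records of files written to removable media, and raise one alert per departing user whose copies inside the departure window exceed a size threshold. The log formats, field names, users, and dates are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): HR status changes and
# endpoint DLP records of files written to removable media.
HR_EVENTS = [
    {"user": "jdoe", "event": "resigned", "time": "2021-11-10T16:00:00"},
    {"user": "asmith", "event": "hired", "time": "2021-11-01T09:00:00"},
]
DLP_EVENTS = [
    {"user": "jdoe", "time": "2021-11-11T08:15:00", "device": "usb",
     "path": r"\\srv\lab\results_q3.csv", "bytes": 4_200_000},
    {"user": "jdoe", "time": "2021-11-11T08:17:00", "device": "usb",
     "path": r"\\srv\lab\patients.xlsx", "bytes": 9_800_000},
    {"user": "asmith", "time": "2021-11-11T10:00:00", "device": "usb",
     "path": r"C:\Users\asmith\slides.pptx", "bytes": 1_000_000},
    {"user": "jdoe", "time": "2021-10-01T12:00:00", "device": "usb",
     "path": r"C:\Users\jdoe\notes.txt", "bytes": 2_000},  # outside window
]


def _ts(s):
    return datetime.fromisoformat(s)


def departure_windows(hr_events, days_before=7, days_after=14):
    """Map each user with a resignation/termination event to the time span
    (shortly before notice through a grace period after it) in which
    removable-media writes deserve scrutiny."""
    windows = {}
    for e in hr_events:
        if e["event"] in ("resigned", "terminated"):
            t = _ts(e["time"])
            windows[e["user"]] = (t - timedelta(days=days_before),
                                  t + timedelta(days=days_after))
    return windows


def flag_departing_user_copies(hr_events, dlp_events, min_bytes=1_000_000):
    """Return one alert per departing user whose removable-media writes
    inside their departure window total at least min_bytes."""
    windows = departure_windows(hr_events)
    hits = {}
    for ev in dlp_events:
        window = windows.get(ev["user"])
        if window is None or ev["device"] != "usb":
            continue  # not a departing user, or not removable media
        t = _ts(ev["time"])
        if window[0] <= t <= window[1]:
            h = hits.setdefault(ev["user"], {"user": ev["user"], "files": [], "bytes": 0})
            h["files"].append(ev["path"])
            h["bytes"] += ev["bytes"]
    return [h for h in hits.values() if h["bytes"] >= min_bytes]
```

Because the alert fires on the copy event itself, the same logic can feed a blocking control (for example, a DLP policy that denies removable-media writes for users in a departure window) rather than only a retrospective report.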
Robust Security Strategy
API vulnerabilities, AI data security doubts, and ransomware are all popular topics in cybersecurity. Yet organizations must still be aware of the threats that arise closer to home, when insiders with access to valuable information let it fall into the wrong hands, whether accidentally or maliciously. Raising security awareness internally is crucial, and having appropriate monitoring and reporting protocols is essential to track risks before they become incidents.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.