What does a dishonest FBI employee have to do with your company’s cybersecurity? More than you think. Kendra Kingsbury, a 48-year-old FBI intelligence analyst, was indicted on May 18, 2021 for “having unauthorized possession of documents relating to the national defense.” According to the FBI’s special agent in charge of this case, “Every FBI employee swears to support and defend the Constitution of the United States,” and Ms. Kingsbury allegedly violated that promise for reasons not yet publicly apparent.
Now, let’s think about all the people who work in and for your company, including employees, contractors, vendors and service providers. They may not have made a promise as important to national security as those made by FBI agents, but they could be just as likely (if not more likely) to be an insider threat, to betray your trust and do great harm to your business.
What Are Insider Threats?
We write often about modern threats against organizations that include Ransomware, Data Exfiltration, Data Breaches, Zero-Day attacks, Hacks, Viruses and other malware and cyber crimes. But the assumed context of all of those attacks is that they’re initiated by business outsiders, often Eastern European hackers, rogue nation-states, or just plain old-fashioned individual cyber criminals writing viruses in their basements.
Over the last two years, we’ve reported on just one story about a potential insider threat, and that was to a company we’ve all heard about, Tesla. A cyber criminal attempted to bribe a Tesla employee with $1 million to place a ransomware-filled thumb drive into his desktop PC. But the employee was trustworthy and reported the bribe to his supervisors, who in turn involved the FBI. The cyber criminal and one of his associates were caught because the honesty and integrity of the Tesla employee caused the threat to be neutralized before the attack could occur.
Would your employees and your third-party vendors do the same for you and your business? All business owners and managers hope the answer is yes, but most also know that it’s unlikely to be the case.
So what are insider threats? Those are any of the incidents mentioned above (Ransomware, Data Exfiltration, Data Breaches, Zero-Day attacks, Hacks, Viruses and other malware and cyber crimes) perpetrated by someone who works in the company or a trusted vendor.
Are All Insider Threats Malicious?
Interestingly, not all insider threats are malicious, that is, carried out by an actor who intends to do harm to the company. According to Verizon’s Insider Threat Report, insiders are often driven by these malicious motives:
- Financial Gain -- But not necessarily to do harm to the organization
- Espionage -- For the benefit of themselves or another organization
- Grudge -- Potentially against the business, but also potentially against specific employees
- Ideology -- The insider may be opposed to an action or philosophy of the organization
But insiders could also be motivated by these less-malicious reasons:
- Fun -- Can this be done?
- Convenience -- The desire to work around cumbersome security procedures.
- Fear -- Perhaps fear of an impending financial catastrophe, or fear of being fired.
Supporting those statistics is Verizon’s assessment of who the insiders are. Three of their actor-types are malicious:
- The Inside Agent -- An employee motivated to act for the benefit of some other bad actor.
- Disgruntled Employees -- Potentially those passed over for raises and promotions, or who feel they were otherwise wronged by their employers, who are just out to harm the organization or other specific employees.
- Malicious Insider -- Those who steal data, usually for personal gain.
But two of them are not:
- The Careless Worker -- Employees who incorrectly address emails, install unpermitted software, inadvertently expose sensitive data, and work around security measures.
- The Feckless Third Party -- Business partners who do not support the same high security measures as the organizations they serve.
(Note: In the above list, the labels were from Verizon’s report, and the descriptions were our own.)
Reducing The Damage of Insider Threats
So your company has done all that it was supposed to do in order to protect itself from cyber attacks: you installed the latest firewalls and reinforced those with the best cybersecurity software. You’ve got endpoint protection, VPNs, multi-factor authentication, secure password policies, SIEM analysis of your device log files, a Security Operations Center monitoring your network 24/7...so you sleep well at night.
Despite doing all the right things, insider threats can undo several layers of cybersecurity in moments.
What can you do to help reduce the damage of insider threats?
Cybersecurity Awareness Training
Cybersecurity Awareness Training helps to train your employees to look out for signs of Phishing, Business Email Compromise, and other signs of attempted attacks. But it can also train employees how to notice when other employees are doing things they shouldn’t be doing -- insider threats that may potentially harm your company.
Employee Background Checks
But Awareness Training depends on whether your employees actually want to protect the company. How can you ensure that they do? Trustworthy employees begin with the hiring process, and in particular, by running background checks on your employees.
Robert Glucroft, of BackgroundRunner.com, a Los Angeles-based background check company, says “When you’re interviewing a prospective employee, they will often say whatever they need to say to get you to hire them...and not all of it is going to be true.” Glucroft continues, “You could be hiring people who have long histories of embezzling from their companies, or people who are in severe financial trouble or have substance abuse issues, all of which make them much more likely to betray your company for the right price or reason.”
But background checks are not only for potential new employees. Background checks should also be conducted on an annual basis on existing employees. “Situations change for employees just as they do for the general public. Sharp increases in debt, signs of substance abuse, and even a lengthening criminal record can indicate that an employee is under stress and may potentially harm the company,” says Glucroft.
Vendor Management and Review
We’ve been brought into companies with the goal of either reviewing or improving their current cybersecurity practices. We’ve discovered instances where our clients had the foundations and policies of a solid cybersecurity strategy, but all their efforts were undone by outside vendors.
- We’ve seen the aftermath of VOIP vendors and Video Security installers leaving huge holes in previously-secured company firewalls in order to simplify the configuration of their own equipment.
- Software publishers have had their own software hacked and then installed that compromised software onto the networks of other businesses, immediately adding backdoor access to your business and all its data.
- Even an improperly configured QuickBooks system can allow hackers to steal your data.
- Vendors for proprietary equipment, such as specialized medical equipment, have sometimes left security holes in their own products that will allow access to your office network in much the same way as smart light bulbs can give hackers access to your Wi-Fi network.
- Vendors can even install their own software via thumb drives without knowing that those drives contain malware.
Businesses often let vendors into their company without questioning their cybersecurity policies and procedures, and it often leads to a disaster for the company. The only solution to this problem is to manage and review your vendors’ cybersecurity policies.
Business IT networks are getting more complex every day, and that means your cybersecurity strategy needs to adapt in order to be effective. But a huge, often overlooked part of your cybersecurity strategy includes the people who work in and with your organization. If you don’t know how to protect yourself from these dangers, let Digital Uppercut help. Use our online contact form or call us at 818-913-1335.