Industrial espionage is at an all-time high, says John Mc Loughlin, J2’s CEO.
By John Mc Loughlin, Cybersecurity expert and J2 CEO
According to a Dtex Systems 2022 Insider Risk Report based on real investigations and data collected by the Dtex Insider Intelligence and Investigations (i3) team throughout 2021, there is a super malicious insider who is technically proficient and often acutely aware of an organisation’s technical limitations in proactively detecting insider threats.
The Super Malicious Insider is a technically proficient employee who is acutely aware of an organisation’s cyber security architecture, solutions, and processes and who understands both the technical and human analyst limitations in detecting insider threat indicators.
The report identifies a significant increase in industrial espionage incidents and the rise of the ‘Super Malicious Insider’ persona, and provides evidence that the abrupt shift to remote work has directly contributed to an escalation in psychosocial human behaviours that create organisational risk.
The findings and insights detailed within this report are drawn from thousands of incidents and hundreds of insider risk assessments conducted alongside Dtex customers and prospective customers around the world, spanning a wide variety of countries, industries, and organisational sizes.
These “super malicious” insiders have the technical skills needed to bypass many defences and often the training (usually provided by their employers) to understand how traditional cyber security solutions identify threats (i.e., data loss prevention, user activity monitoring, firewalls, virtual private networks, and identity and access management.
The difference between insider risk and insider threat
One usually thinks of insider threats as disgruntled or unethical users seeking to damage the company financially or reputationally: these are malicious insiders. Their motives can range from personal gain to activism.
A second common insider threat is careless employees taking actions that can put data at risk. This includes sending sensitive information to their private email or cloud storage accounts so they can work remotely, or clicking on suspicious links in emails.
Insider risk versus insider threat
A good place to start is to understand the difference between an insider risk and an insider threat. Gartner says not every insider risk becomes an insider threat, however, every insider threat started as an insider risk.
In short, anyone who has access to sensitive information is an insider risk. Humans are imperfect and make mistakes. Even the most conscientious worker could accidentally email data to the wrong recipient, misplace their computer or have company data stolen from their car.
Risk does not imply malicious intent. That is reserved for insider threats – those employees, vendors or partners who plan and execute actions to steal or release data or sabotage corporate systems.
Insider threats are most often financially motivated and are a mix of those who want to personally profit from the sale of sensitive corporate information and IP on the black market – to take that data with them to their next employer to quickly ‘add value’ – or, in rare cases, those who have been engaged by an external third party that has offered to compensate them financially in exchange for their help exfiltrating data.
In rare cases, insider threats are revenge-motivated because of being passed over for a promotion, not getting the salary increase they believe they deserve, or simply due to personal health issues they blame on their employer or co-workers.
In even rarer cases, insider threats can be those individuals who are utilising corporate assets such as PCs and Wi-Fi to engage in criminal behaviours such as black market ecommerce, human trafficking, or Child Sexual Abuse Material (CSAM) collection and storage.
As detailed in the report, the key to stopping a malicious insider is first to identify those who intentionally seek to cause harm. From understanding the underlying behavioural indicators that increase insider risk (including the differences in the way malicious and non-malicious users search, aggregate, manipulate, and transfer data), it becomes possible to detect and disrupt an insider threat before any irreparable harm is actually caused.
Various solutions have been developed that use behavioural changes to identify the indicators of attack. They allow businesses to be “Left of Boom” (i.e., proactively detecting the precursors to an insider threat incident) and stop it before it occurs.
As the report indicates, it is not a good idea to share all the “indicators of intent” publicly because this allows those same super-malicious insiders to cover their tracks. The incident findings clearly show that it is far easier to detect an employee attempting to cover their tracks than it is to identify the exfiltration itself.