Insider Threats Increase with Work to Home Employees

The Covid-19 pandemic has led to dangerous gray areas for employers, such as new BYOD policies, thanks to the rapid and required shift to remote working. The work to home (WTH) phenomenon has cause numerous cyber challenges. This creates an ‘insider threat’ scenario. Yes, trusted employees working at home could become an insider threat, though most likely an unwitting threat.[1] Many company cyber security professionals are starting to seriously examine the changing nature of traditional insider threats. Years ago, protecting against insider threats meant focusing cybersecurity efforts on keeping bad actors out of a network. In recent years, especially since Covid-19, hackers have executed increasingly sophisticated attacks to compromise employee credentials, which, when successful, allows bad actors to impersonate employees and thereby making many traditional cybersecurity defenses somewhat obsolete. Today, there is a growing problem: data exfiltration (any unauthorized movement of data) that happens more quickly than ever. And with the recent rapid and urgent shift to support remote workers, at scale to expect will force an alarming increase in data exfiltration opportunities for bad actors.

Although the toll of an insider attack in North America can cost a company more than $11 million a year, many still consider insider threats to be too rare to constitute a real threat. Attacks resulting from insider threats are widely regarded as extreme outliers and consequently taken less seriously by leadership and security teams.

All companies should be mindful of dangerous ‘gray areas,’ especially when considering attackers are always looking for the path of least resistance (WTH). These gray areas may include new bring-your-own-device policies and shadow IT devices that result from the rapid shift to remote work or high employee turnover rates. The average impact of insider threats does not track the frequency of them. Even if the average per-breach loss to a company is minor, cumulative losses can intensify if insider threats occur frequently. Compounding the damage, this does not include reputation loss, which is tough to measure and much more difficult to overcome.

The threat landscape has broadened and diversified, especially since the COVID-19 outbreak in March 2020. The global workforce is now largely remote and can work from just about anywhere, not just at home. There has been a big increase in the purchase and renting of properties in resort areas. A lack of security awareness of exploits, such as email phishing attacks and voice phishing attacks that target employee VPN credentials can be costly. The use of “Free” and shared ISP connections has not helped this situation either.

Reduced and changing worker loyalties to employers and higher employee churn rates also expand the gray area. Examples include unintentional misbehavior and misuse of resources, neglected security vulnerabilities, violations of company policies, and theft. The 2018 trade secret dispute between Waymo and Uber underscores the huge risks employers face in safeguarding intellectual property (IP) when employees leave.

Not all gray-area cases result in catastrophic losses, but they can quickly become very costly in combination. A growing number of smaller cases occur below scrutiny with a rare mention from victimized companies. The danger is that negligent and malicious practices in the gray area become widely accepted without acknowledgment and action. Besides a strict reinforcement of nondisclosure agreements that protect company IP, employees must understand that preserving confidential information from a previous employer is unlawful. Employee awareness and training are important factors in changing employee attitudes about ethical standards in the workplace, and employers must be prepared to practice what they preach.

It is recommended that company leadership dedicate resources to consistently uphold these ethical principles, even if it means denying new employees from sharing information from their prior employers that could benefit you in the short-term. A company HR department must take the lead on this prior, during and post- employment of all employees at all salary levels.[2]

Another area for improvement involves deploying network monitoring tools to track vital company IP and other critical assets across cloud, data center, Internet of Things (IoT), and enterprise networks. Do you know where your organization's most important assets reside? If a malicious insider were to gain access via lateral movement or another means, do you have data protection policies deployed?

The ever-expanding gray area of insider threats, forces businesses to think beyond simple monitoring for forensics and litigation purposes. Instead, anticipate the actual threat itself by proactively detecting and responding to malicious behaviors that can lead to a data breach or theft.

The truth is the red flags that often denote an insider threat are hard to delineate from false positives or other risks. Unfortunately, the key to pulling off an effective attack as a malicious insider is in the details. You must blend in with normal behaviors, use the access you have, and be mindful not to overstep authorization to avoid detection before your cyber strategy plan can be enacted.

Let us say you are looking to reduce the likelihood of these insider jobs. You must first understand that while these are often not premeditated, your security team and other personnel must be prepared to spot anomalies in their everyday workflows. Do all employees need to have access to all company data?

Is that all you need to do? Actually, no. Having tools and services looking in the deep/dark web is essential to a well-rounded cyber protection plan. Insider threat information must be checked in the deep/dark Internet. The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks, yet utilizing the RedXray and CTAC collection and analysis tools by Red Sky Alliance, will ensure a proactive approach to cyber security. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

https://attendee.gotowebinar.com/register/8782169210544615949