When the Threat Is on the Inside
"Security is always excessive, until it's not enough."
- Robbie Sinclair, Security Expert
On June 17, 2018, Tesla employees received an explosive email from CEO Elon Musk announcing that Tesla was filing charges against one of its own employees, Martin Tripp. The employee was accused of modifying internal product code and sharing sensitive data with unknown third parties, without authorization, with the intention of sabotaging development of proprietary intellectual property.
The Tesla case is a classic example of an insider threat wherein a member of the organization breaches company trust with confidential information. A recent study conducted by Gartner found that security incidents due to insiders have increased by an overwhelming 47% since 2018. They determined that employees were 85% more likely to leak sensitive files than they had been in previous years.
Tesla is not alone in this matter. Microsoft, Boeing, Google and even the U.S. Department of Defense have been victims of an insider threat. It is easy to prepare for an attack from the outside. Everything from the security guards who stop intruders to the firewalls that stop hackers is designed to prevent an external attack on your organization. But what do you do when the attacker is on the inside? An employee or a colleague, someone you trust? We might have some answers.
Malice or Mistake?
Insider threat brings to mind the idea of saboteurs and spies. While those types of people do exist, insider threat can also arise from otherwise innocuous employees who stumble into a bad situation. Not all threats come from deliberate actors working with rivals or for money, and not all actors intend to harm the organization. Sometimes breaches happen involuntarily, through ignorance or carelessness.
The Gartner study classifies insider threat into four categories: the Pawn, the Goof, the Collaborator, and the Lone Wolf.
The Pawn: Employees who fall victim to spear-phishing or social engineering, and are tricked into giving up access to sensitive information are known as pawns. They can be targeted through malware, unknowingly downloaded onto a workstation. They can also be conned into disclosing security credentials to somebody pretending to be a helpdesk operator.
A recent example of a pawn being responsible for a major security breach occurred at the Australian National University in 2018. A spear-phishing email was sent to a staff member at the university, who previewed and then deleted it. But the act of previewing the email was enough for the hackers to steal the staff member’s username and password, which then gave them access to the university’s servers.
The threat of a security breach due to pawns has become much higher since the COVID pandemic forced many employees to work remotely, often on their personal computers.
The Goof: The Goof is the most likely of insider threats, and the one best guarded against by developing a strong security culture. Goofs do not act with malicious intent but they do cause breaches in the security framework through carelessness or possibly because they don’t expect to be targeted. Higher-level executives are often at fault for goof-ups because they feel that security measures should not apply to them. A goof trades security for ease of access.
Microsoft fell victim to the actions of a goof in 2019. A customer support database, containing email ids, IP addresses, and case details of customers, was discovered to be publicly accessible on Azure. The breach had occurred because employees had been storing customer information on the cloud server to bypass the need for a password or two-step verification. Though the breach was plugged as soon as it was discovered, the data was openly accessible for over a month prior.
The Collaborator: A collaborator, also known as a turncloak, is a malicious operator who deliberately creates a security breach in collaboration with other actors. Collaborators use their access as employees to intentionally harm the organization. Collaborators are hired to carry out acts of industrial espionage, steal intellectual property, or disrupt day-to-day operations. They can also operate internationally, working on behalf of a governmental body or nation-state.
The Chinese government, for example, has been accused of employing collaborators to steal intellectual property. In 2007 Chi Mak, a Chinese national, was convicted in the United States after he confessed to passing on defense-related intelligence to the Chinese state. Chi Mak admitted that he had sought employment in the US for the sole purpose of infiltrating the defense department as an employee.
The Lone Wolf: Similar to collaborators, lone wolves act with malicious intent, but unlike collaborators, they act alone. Lone wolves can be motivated by money, hoping to sell sensitive data or access to any future buyer, or they can be acting out a vendetta, payback for a grudge or complaint. Lone wolves are most dangerous when they possess high-level security clearance. Former employees who still have access to company systems pose a BIG security risk if they decide to turn malicious.
The Waymo incident stands out as one of the worst cases of a lone wolf attack on a major organization. A software engineer working for Google was arrested and charged in 2018 with the theft of over 14,000 sensitive documents relating to the workings of Alphabet’s autonomous vehicle AI system, Waymo. The engineer had stolen this data and used the information to set up a rival company called Otto, which was later sold to Uber. As a result of this crime, Uber had to pay a settlement to Alphabet, as well as transfer ownership of the AI. The engineer was sentenced to pay a large fine and serve jail time.
Boeing taken for a ride: The Greg Chung Case
In 2009, the first ever economic espionage trial was held in the U.S. An employee of Boeing named Dongfan ‘Greg’ Chung was arrested and indicted for stealing sensitive data from the company with the intent of passing it on to sources in the Chinese Government. Chung worked as an engineer for Boeing and was privy to classified projects, including some that had a bearing on national security. The indictment stated that Chung had stolen some 300,000 pages of sensitive papers, which he had kept at home, and that he was caught while trying to carry them with him to China. He is alleged to have been paid around $3 million by the Chinese Government or other third parties.
This incident happened at a time when the world was still adjusting to the rapidly developing IT industry. Our understanding of digital threats and security has come a long way since. The idea of a Boeing employee today being able to walk out of the premises with any kind of sensitive information seems ridiculous. But such attacks continue to happen, advancements in physical and digital security notwithstanding, which indicates that we need a security solution that goes beyond the obvious.
How do you protect yourself?
Former Assistant Director of the FBI’s Counterintelligence Division Frank Figliuzzi believes that security is about more than just passwords and firewalls. Such measures can be used to protect digital data in the cloud or on a hard drive somewhere, but they cannot combat human failure. According to Figliuzzi,
“Detecting bad actors within ranks is complicated for a number of reasons. First, it involves a very holistic approach. By that, I mean the answer is not entirely a security answer; it’s a human resource issue... [and] requires all hands-on deck.”
With that in mind, we have identified two important aspects of security today. The first is cybersecurity. Holistic security solutions may be about more than passwords and firewalls, but those are still our best defense. The second is developing a security culture that goes beyond your basic cybersecurity measures. Let’s take a closer look at both.
Implementing Cybersecurity Solutions
Data encryption: The simplest and most obvious step you can take to protect your data is to encrypt it. Encryption transforms data into a form that cannot be read by anyone without the correct key or authorization. Encrypt all data entering and leaving the company as a matter of course.
Educate employees: It is important that the workforce, especially key employees or those with access to sensitive information, be educated in the basics of cybersecurity. As discussed earlier, insider threats can arise from employees who unknowingly give access to malicious actors or fall victim to spear-phishing attacks. Security breaches can also occur through negligence and bad security practices. Educating your employees in basic cybersecurity measures and making them aware of the vulnerabilities of the systems they have access to can prevent a breach from occurring.
Restrict access: Not everyone needs to know everything. Compartmentalize access to sensitive information. Make sure to revoke IDs and remote access when employees leave the organization (especially if the parting was not amicable!).
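One way to act on the advice above about revoking access when employees leave, as an added example that is not part of the original article: a small Python check that compares the accounts still able to log in against the HR roster and flags accounts whose owner has left, accounts nobody in HR owns, and, worst of all, departed employees' logins that are still being used. The roster, account list and dates are constructed sample data; in practice they would be exported from the HR system and the identity provider or VPN.

```python
from datetime import date

# Constructed sample data, not taken from the article. Roster maps a login
# to the employee's termination date, or None for a current employee.
HR_ROSTER = {
    "alice": None,                # current employee
    "bob":   date(2021, 3, 31),   # left at the end of March
    "carol": date(2021, 5, 15),   # left in mid-May
}

# Accounts the identity provider still reports as enabled.
ACTIVE_ACCOUNTS = [
    {"user": "alice",   "remote_access": True,  "last_login": date(2021, 6, 1)},
    {"user": "bob",     "remote_access": True,  "last_login": date(2021, 4, 10)},
    {"user": "carol",   "remote_access": False, "last_login": date(2021, 5, 14)},
    {"user": "svc-old", "remote_access": True,  "last_login": date(2021, 6, 2)},
]

SAMPLE_TODAY = date(2021, 6, 3)   # constructed "today" for the sample run

# Lower number = more urgent to act on.
SEVERITY = {"USED_AFTER_EXIT": 0, "ORPHAN": 1, "STALE": 2}


def audit_accounts(roster, accounts, today):
    """Return one finding per problem account, most severe first.
    Accounts belonging to current employees produce no finding."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            # No HR record owns this login: a leftover or unmanaged service account.
            findings.append({"user": user, "kind": "ORPHAN", "days_overdue": None,
                             "remote_access": acct["remote_access"]})
            continue
        left = roster[user]
        if left is None:
            continue  # still employed, nothing to report
        # A login after the termination date means the account was actually used
        # by a former employee (or by someone holding their credentials).
        kind = "USED_AFTER_EXIT" if acct["last_login"] > left else "STALE"
        findings.append({"user": user, "kind": kind, "days_overdue": (today - left).days,
                         "remote_access": acct["remote_access"]})
    findings.sort(key=lambda f: (SEVERITY[f["kind"]], f["user"]))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(HR_ROSTER, ACTIVE_ACCOUNTS, SAMPLE_TODAY):
        print(finding)
```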
Developing a Security Culture
A report by Ponemon Institute found that 70% of security breaches in healthcare occur due to employee negligence, not hacking. To have a holistic approach to security, organizations need to go beyond conventional cybersecurity measures and create a culture of security.
Security is a shared concern: The first step is to instill in your employees the idea that security is a shared concern. It is not just the IT or the security department that is responsible for company security. Every employee must play their part in the process. Make security a part of the company’s vision and mission; hold regular training programs that teach employees the basics of security; have a clear security policy for the organization.
Awareness and accountability: The next step is to create awareness about potential security threats. Be open about the threats that your organization faces. Make security breaches teachable moments, so that your whole staff can learn from them. Having made them aware, also make them accountable for combating such threats.
Reward trust: Make it a habit to reward good behavior and trust. Have a little graduation ceremony for those who complete security training. Offer a small cash prize. Celebrating security awareness will incentivize other employees to undertake similar training. When employees show consistent compliance with security policies, reward them with small bonuses and attention.
Have a playbook: Don't be caught unaware when a security breach occurs. Have a playbook that all the relevant members of the team are informed of, so that you can take the appropriate measures in a timely fashion. Data breaches caught early can also be plugged early.
When Tesla was attacked, they did a few things right. They immediately made their employees aware of the attack and didn’t try to cover it up. The attack became both a teachable moment and a warning for any future attackers. Tesla clearly also had a solid playbook to depend on, and were able to plan their next steps without panic. A robust cybersecurity plan to prevent such attacks would have been ideal, but such plans don’t always work. In such situations, having a well-developed security culture is imperative.
Insider threat is an uncomfortable subject to strategize for, especially because you are expected to view your colleagues and employees with a measure of distrust while planning to safeguard your organization. Ultimately, finding the balance between security and trust is a tightrope act that all organizations have to perform. You need to find a way to reinforce security concepts within your organization and catch potential breaches of security before they occur, while still maintaining an atmosphere of trust. There is no one-size-fits-all solution to the issue, and it will be up to you to figure out how to deal with it.
About the Company:
Peterson Technology Partners (PTP) has been Chicago's premier Information Technology (IT) staffing, consulting, and recruiting firm for more than 22 years. Named after Chicago's historic Peterson Avenue, PTP has built its reputation by developing lasting relationships, leading digital transformation, and inspiring technical innovation throughout Chicagoland.
Based in Park Ridge, IL, PTP's 250+ employees have a narrow focus on a single market (Chicago) and expertise in 4 innovative technical areas:
Cloud & DevOps
PTP exists to ensure that all of our partners (clients and candidates alike) make the best hiring and career decisions.
Peterson Technology Partners is an equal opportunity employer.