The number of businesses facing cyberattacks perpetrated by current or former employees is on the rise according to new research. So-called insider threats are a growing problem for companies, particularly as more and more staff consider career changes after the Covid-19 pandemic.
Insider threats accounted for 35% of all unauthorised access threat incidents in the third quarter of 2022 recorded in a study from risk management company Kroll. It says this figure represents the highest rate of insider threats since the report began.
What are the cybersecurity insider threats companies face?
The Kroll report shows that insider threats rose from 24% of all incidents in Q2 to 35% in Q3. The figure for the first quarter of the year had been 31%.
The authors say the so-called "great resignation", which saw tech workers and staff in other sectors seeking out new roles following the pandemic, has created an additional security risk. "The risk of insider threat is particularly high during the employee termination process," the report notes. "Disgruntled employees may seek to steal data or company secrets to publicly undermine an organisation, while other employees may seek to move over data – such as contacts lists and other proprietary documents – that they can leverage at their new organisations."
An example noted in the report saw an employee attempt to steal gigabytes-worth of data by copying it over to cloud storage networks. "In this instance, the company followed a standard protocol that included disabling the user’s accounts and deleting data from cloud storage accounts accessible to them," the authors said. "Months after the employee left for a competitor, the organisation began to suspect that the individual was using company data at their new position in order to enhance sales efforts.
"A review of the individual’s personal laptop identified that they had created copies of company data on multiple cloud storage accounts and personal data storage devices when they still had access to the corporate network. A review of the individual’s web browser history also identified multiple searches related to personal cloud storage and deleting log files."
State-sponsored hacking groups have also been known to offer staff financial incentives to carry out cyberattacks on their employers. In 2020, it was revealed that a Russian criminal gang offered a member of Tesla's staff $1m to plant malware at the electric vehicle company's gigafactory in Nevada. The attack was only foiled because the conscientious employee turned informant, working with the FBI to bring the hackers to justice.
Elsewhere, the report shows that email compromise was the most common type of attack in Q3.
The report notes a decline in the number of ransomware breaches. They accounted for 33% of incidents in Q2, but just 24% in Q3.
What can businesses do about cybersecurity insider threats?
Insider threat is "a unique problem in cybersecurity," says Jaycee Roth, associate managing director at Kroll. "Unlike the usual circumstances in cybersecurity, where you are defending the network from (at least in the initial attack stage) external attackers, in an insider threat situation, you are defending the business from someone on the inside," Roth says. "This can be particularly difficult, as the user often won’t raise any red flags and could have a high level of permissions and access rights."
He adds that the only way organisations may be able to identify the threat is through suspicious behaviour, "such as detecting mass downloads or uploads".
Roth adds: "This therefore makes file and folder access auditing - in addition to logging on-file transfer services - particularly important for tracking, especially within regulated industries or with servers containing sensitive data. Failure to monitor closely could mean that the real damage has already been done by the time you recognise an incident has occurred."