By Findlay Whitelaw, Senior Director, Insider Threat Program, Solution Engineering
Insider threats remain a persistent concern for organizations globally, regardless of industry, structure, or size. When we think of insider threats, most of us picture the malicious or self-serving incidents that are widely reported. One of the most infamous examples is the case of Edward Snowden, a former CIA and NSA contractor, who leaked classified information from the NSA, revealing the extent of the US government’s global surveillance program. Another high-profile case was a former Apple employee who worked in the research and development department, whom the FBI arrested for stealing confidential data. The former Apple employee was said to have stolen engineering and electrical schematics, and reference manuals, for a self-driving vehicle project. While these cases hit global headlines, many insider cases fly under the radar, particularly cases where the insider threat was accidental. This may be in part due to the non-malicious intent behind the incident; however, these incidents are no less of a concern and can be equally devastating to organizational reputations and economic well-being.
Turning to accidental insider cases, it has been suggested that heightened stress levels and workplace fatigue, following recent job cuts at Twitter, may have been contributing factors there. Stress and fatigue are recognized as factors that increase the likelihood of insider threats, as highlighted in our recent blog, Insider Threat Profile Case Study: The Accidental Insiders, A Trifecta of Data Theft, Sabotage, and Fraud. Lessons should be taken from recently publicized accidental insider incidents, including Twitter’s recent outage, during which thousands of US and UK users were unable to send tweets. The outage was attributed to an error by a platform engineer. In another recent accidental insider incident, a Samsung engineer used ChatGPT to try to fix source code, which resulted in a series of data leak incidents, one of which included the source code of a top-secret application. These are just two well-publicized accidental insider threat cases. It is critical to understand why accidental insider threats are so prevalent, so below we discuss the top three key drivers of such incidents.
Human layer of security
Human error is one of the primary reasons behind accidental insider threat incidents and is said to be responsible for 90% of data breaches. We touched on the human element of insider threats in one of our previous blog posts, ‘4 Steps to Maintain Employee Trust When Setting Up Your Insider Threat Program.’ There, we discussed the human layer of security, how we as social beings are susceptible to making mistakes, and how our predisposition to trust leaves us vulnerable to social engineering attacks. Furthermore, as noted in the Twitter incident, employee fatigue and stress can also contribute to employees making mistakes. In addition, disengagement due to organizational misalignment can further impair employees’ decision-making in the workplace. Organizations must therefore recognize these factors and nurture a positive security culture that promotes open communication, continual learning, and an accountability mindset.
Training and awareness programs
Accidental insider incidents often involve phishing attacks, misuse, inadvertent errors, and end-user mistakes. Undoubtedly, one of the most effective ways to prevent accidental insider threats is to educate employees on security risks and how to identify threats, including social engineering campaigns, and on how to identify and report suspicious behavior. Insider threat training and awareness programs should also ensure that all employees (including contractors and contingent workers) understand insider risk and the insider-related threats that organizations face. Organizations must go beyond deploying traditional compliance-based security training and awareness programs to inspire long-term, sustained behavioral and cultural change across the organization. The focus should be on a human-centric security design, ensuring that training, tools, and materials are centered around employees’ needs, behaviors, level of knowledge, and experience, in order to change their behaviors, habits, and attitudes. The benefit of this approach is underpinned by a study which found that 90% of employees admitted to participating in unsafe online activity at work, despite acknowledging the associated risks. Insider threat-related security training and awareness programs may also look to reinforce their security protocols and insider threat program by regularly covering the following topics (not exhaustive):
- Data privacy/GDPR
- Encryption and data handling
- Information technology acceptable usage policies
- Codes of conduct
- Insider trading
- Competition laws
- Conflicts of interest
- Social engineering: vishing, smishing, and phishing
- Browsing securely and Wi-Fi
- Importance of password security and multi-factor authentication
- Importance of software updates
Insufficient security protocols
As highlighted in the Samsung incident noted earlier, a lack of awareness or consideration of security protocols and related policies, including policies that reflect the use of emerging technologies such as AI, also drives accidental insider incidents, particularly when those protocols do not focus on protecting the organization’s crown jewels and sensitive information. In addition, sanctioning access to applications such as ChatGPT with no risk assessment, guidance, or guardrails increases the risk of unintended and accidental insider incidents, and with it the likelihood of legal and regulatory fines and sanctions, not to mention the loss of consumer trust and reputational impact.
The list above of potential insider threat training and awareness topics will help strengthen the security culture. However, these efforts are negated where awareness, implementation, enforcement, and governance of security policies are inadequate, and where poor security hygiene persists: weak passwords, lack of encryption, inadequate access controls, and lack of monitoring. Monitoring capabilities, including security information and event management (SIEM) and user and entity behavioral analytics (UEBA), are therefore a powerful tool to reinforce security monitoring protocols and detect the abnormal or suspicious activity that may indicate an insider threat. SIEM and UEBA provide early detection capability, identify anomalies, and prioritize threats based on a suite of out-of-the-box policies.
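To make the two preceding points concrete (guardrails around a sanctioned AI tool, and UEBA-style anomaly detection of egress to it), here is an added example that is not code from the original post or from any vendor product. It runs a content guardrail over an outbound payload and a per-user volume baseline over a handful of constructed proxy log lines. The host list, the users, the log format, the z-score threshold, and the working-hours window are all assumptions chosen for illustration.

```python
"""UEBA-style detection over constructed egress logs (added example, not the post's own code)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not real data).
# Fields: timestamp, user, destination host, bytes sent, DLP content category.
SAMPLE_LOGS = """\
2023-04-03T09:12:01 alice chat.openai.com 1200 text
2023-04-03T10:05:44 alice chat.openai.com 900 text
2023-04-04T11:20:10 alice chat.openai.com 1500 text
2023-04-05T09:40:31 alice chat.openai.com 1100 text
2023-04-06T02:13:09 alice chat.openai.com 48000 source
2023-04-03T14:00:00 bob docs.example.com 300 text
2023-04-04T15:30:00 bob docs.example.com 250 text
2023-04-05T16:10:00 bob chat.openai.com 700 text
"""

# Assumption: external generative-AI hosts that sensitive data must not reach.
EXTERNAL_AI_HOSTS = {"chat.openai.com"}

# Content guardrail: crude markers of credentials or source code in an outbound payload.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(api[_-]?key|secret|password)\s*[:=]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]
CODE_PATTERNS = [
    re.compile(r"^\s*(def|class|import|#include|package|public\s+class)\b", re.M),
]


def classify_payload(text):
    """Return guardrail findings ('secret', 'source_code') for text about to leave the organization."""
    findings = []
    if any(p.search(text) for p in SECRET_PATTERNS):
        findings.append("secret")
    if any(p.search(text) for p in CODE_PATTERNS):
        findings.append("source_code")
    return findings


def parse_logs(raw):
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in raw.splitlines():
        ts, user, host, nbytes, category = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "bytes": int(nbytes), "category": category})
    return events


def detect_anomalies(events, z_threshold=2.0, work_hours=(7, 19)):
    """Flag sends to external AI hosts that deviate from the user's own baseline.

    Three signals are combined: a leave-one-out z-score on bytes sent (only once the
    user has at least three other events, so a new user is not flagged on no baseline),
    activity outside the assumed working-hours window, and DLP category 'source'.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["host"] in EXTERNAL_AI_HOSTS:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        for i, e in enumerate(evs):
            reasons = []
            baseline = sizes[:i] + sizes[i + 1:]
            if len(baseline) >= 3:
                mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
                if sd > 0 and (e["bytes"] - mean) / sd > z_threshold:
                    reasons.append("volume_outlier")
            if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
                reasons.append("off_hours")
            if e["category"] == "source":
                reasons.append("source_code_egress")
            if reasons:
                alerts.append({"user": user, "ts": e["ts"].isoformat(), "host": e["host"],
                               "severity": "high" if len(reasons) > 1 else "medium",
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_logs(SAMPLE_LOGS)):
        print(alert)
    print(classify_payload("password = hunter2"))
```

On the constructed data only alice's 48,000-byte, 02:13, source-category send is raised, and it is scored high because three independent signals agree; bob's single small send produces nothing, since one event is not a baseline. In a real deployment the guardrail check would sit in the proxy or browser plugin in front of the sanctioned tool, and the baseline would be computed over weeks of history rather than five lines.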