IT security leaders and CISOs face daily challenges in safeguarding their organizations from an increasingly sophisticated and diverse range of cybersecurity threats. While criminal hackers pose a significant risk, one of the most difficult threats to protect against comes from malicious insiders who may have privileged access to confidential data and systems.
What is a malicious insider?
A malicious insider is an individual within your organization who decides to use their legitimate access credentials to steal, share, or leak sensitive information, or to misuse privileged accounts, to the detriment of the organization. A malicious insider could be a disgruntled current or former employee who holds a grudge against the organization, or they could simply be motivated by greed or a desire for notoriety. They could be an otherwise trustworthy individual who is presented with a compelling opportunity to sell confidential information to a competitor.
Whatever the motivation or circumstances, malicious insiders present a real threat to organizations of all sizes, in all sectors. The exfiltration of data, customer information, or sensitive intellectual property can be commercially and financially damaging to an organization. And the damage can be hard to undo.
In this article, we take a closer look at the insider threat landscape and some of the common techniques used by malicious insiders, highlighting some real-life examples of malicious insider attacks. We explore some of the data loss prevention techniques you can deploy, and the insider threat detection and prevention tools available.
Growing risks: the insider threat landscape
An Insider Threat Report published by Cybersecurity Insiders in 2023 found that almost three quarters of surveyed organizations (74%) reported being vulnerable to some extent to insider threats. According to Verizon's 2021 Data Breach Investigations Report (DBIR), internal actors were involved in 44% of the data breaches experienced by small and mid-sized businesses, and 36% of the data breaches at large organizations.
These risks were exacerbated by the Covid-19 pandemic, during which 81% of the global workforce had their workplace fully or partially closed. Remote and hybrid working reduced the visibility of IT and security teams, making it much harder for organizations to monitor the activity of employees and control their access to sensitive data. The tech industry lay-offs of 2022 added around 121,000 tech workers to the pool of potentially disgruntled former employees, widening the population from which malicious insiders can emerge.
Real-life examples of malicious insider cybercrime
A whole range of techniques is used by malicious insiders to access and share sensitive information, from social engineering and manipulation to privilege abuse, unauthorized access, and sabotage.
Two of the most high-profile insider leaks of recent years are the WikiLeaks disclosures, in which Julian Assange's site published large sets of classified material supplied to it by insiders, and the 2013 leak by Edward Snowden, a former contractor working at the National Security Agency (NSA), of documents describing the agency's PRISM surveillance program, among others. But not every case of insider data leaking hits the headlines. Here are some everyday examples of the threats posed by malicious insiders:
Fired employee disrupts medical equipment deliveries
One such case involves Christopher Dobbins, a former employee of a medical device packaging company who was let go in early March 2020. After receiving his final paycheck, Dobbins logged back into the company's computer network using a secondary account he had created while still employed, granted himself administrator access, and then edited or deleted nearly 120,000 records. This caused significant delays in the delivery of medical equipment to healthcare providers.
Employee sells data for financial gain
In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the dark web. The breach affected 547,000 customers, and in 2018, after an investigation by the ICO, Bupa was fined £175,000.
Current employee manipulated into leaking trade secrets
In July 2020, details emerged of a long-running insider job at General Electric (GE) in which an employee stole valuable proprietary data and trade secrets. The employee, Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE's systems over eight years, intending to use them to start a rival company.
The FBI investigation into Delia's scheme revealed that he persuaded an IT administrator to grant him access to files he had no business need for, and that he emailed commercially sensitive calculations to a co-conspirator. The case combines two classic insider techniques: social engineering of a colleague to widen access, and email as the exfiltration channel. Monitoring outbound email for sensitive content and unusual recipients is where this kind of exfiltration can be caught, which is why robust email threat protection matters.
Ex-employee uses unauthorized access to sabotage data
The case of San Jose resident Sudhish Kasaba Ramesh serves as a reminder that it's not just current employees that pose a potential threat – but ex-employees too. Months after leaving Cisco, Ramesh accessed the company's cloud infrastructure without authorization and deployed code that deleted 456 virtual machines supporting the WebEx Teams application, shutting down more than 16,000 customer accounts for up to two weeks and causing around $2.4 million in damage. He was sentenced to two years' imprisonment in December 2020. The incident emphasizes the importance of properly restricting access – and revoking it the moment an employee leaves, including non-interactive credentials such as cloud API keys and service accounts, which are easy to overlook when a single sign-on login is disabled.
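The Cisco and Dobbins cases above both come down to access that outlived employment: a login still valid months after departure, and a self-created secondary account that survived the primary one. As an added example (not part of the original article, and not Tessian's code), the following Python script cross-references an HR leavers list with identity-provider and credential exports to surface exactly those leftovers. All three inputs are constructed sample data, and the field names (`enabled`, `last_login`, `created_by`, `revoked`) are assumptions about what such exports contain, not any real product's schema.

```python
"""Offboarding audit: find access that has outlived employment.

Added worked example, not Tessian's code. It cross-references a constructed
HR leavers list with constructed identity-provider and credential exports;
the field names (enabled, last_login, created_by, revoked) are assumptions
about what those exports contain, not any real product's schema.
"""
from datetime import date

# Constructed HR export: username -> last day of employment.
LEAVERS = {
    "r.patel": date(2018, 4, 18),
    "d.okafor": date(2020, 3, 2),
    "j.smith": date(2020, 1, 10),
}

# Constructed identity-provider export. created_by is an assumed audit field
# recording which user provisioned a secondary (service or admin) account.
ACCOUNTS = [
    {"user": "r.patel", "enabled": True, "last_login": date(2018, 9, 24), "created_by": None},
    {"user": "d.okafor", "enabled": False, "last_login": date(2020, 3, 1), "created_by": None},
    {"user": "j.smith", "enabled": False, "last_login": date(2020, 1, 9), "created_by": None},
    {"user": "svc-deploy-02", "enabled": True, "last_login": date(2020, 3, 10), "created_by": "d.okafor"},
    {"user": "a.lee", "enabled": True, "last_login": date(2020, 3, 11), "created_by": None},
]

# Constructed inventory of long-lived, non-interactive credentials
# (cloud API keys, VPN certificates, personal access tokens).
TOKENS = [
    {"id": "key-1001", "owner": "r.patel", "kind": "cloud-api-key", "revoked": False},
    {"id": "key-1002", "owner": "j.smith", "kind": "vpn-cert", "revoked": True},
    {"id": "key-1003", "owner": "a.lee", "kind": "cloud-api-key", "revoked": False},
]

AS_OF = date(2020, 3, 12)  # date the audit is run (constructed)


def find_lingering_access(leavers, accounts, tokens, as_of):
    """Return sorted (user, finding) pairs for leavers whose access persists.

    Four checks, each matching a pattern from the cases in the article:
      1. the leaver's own account is still enabled after their last day;
      2. the account has logged in after the last day (access months after
         departure, as in the Cisco case);
      3. an account the leaver provisioned is still enabled (a self-created
         admin or service account survives the primary account's removal);
      4. a long-lived credential owned by the leaver has not been revoked
         (disabling an SSO login does nothing to an API key or VPN cert).
    """
    findings = []
    by_user = {a["user"]: a for a in accounts}

    for user, last_day in leavers.items():
        acct = by_user.get(user)
        if acct is None:
            continue  # no account in this export; nothing to revoke here
        if acct["enabled"] and as_of > last_day:
            findings.append((user, "account enabled after last day"))
        if acct["last_login"] and acct["last_login"] > last_day:
            findings.append((user, f"login after last day: {acct['last_login'].isoformat()}"))

    for acct in accounts:
        creator = acct["created_by"]
        if creator in leavers and acct["enabled"]:
            findings.append((creator, f"account created by leaver still enabled: {acct['user']}"))

    for tok in tokens:
        if tok["owner"] in leavers and not tok["revoked"]:
            findings.append((tok["owner"], f"unrevoked {tok['kind']}: {tok['id']}"))

    return sorted(findings)


def audit_sample():
    """Run the audit over the constructed data."""
    return find_lingering_access(LEAVERS, ACCOUNTS, TOKENS, AS_OF)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Run against the constructed data, the audit reports nothing for the cleanly offboarded user, but flags the still-enabled account and live API key of the user who left in 2018, a login from that account five months after the last day, and the service account provisioned by a leaver whose own login was correctly disabled. The last two are the ones an SSO-only offboarding checklist misses.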
Amazon employees leak customer data
In October 2020, many Amazon customers received an email stating that their email address had been "disclosed by an Amazon employee to a third party". Amazon said that the "employee" had been fired – but it later emerged that there may have been multiple "bad actors". This wasn't the first time the tech giant's employees had leaked customer data: Amazon sent out near-identical batches of emails in January 2020 and November 2018. If you want to prevent a data breach, managing insider threats via email is critical.
Ex-employee offers 100GB of company data for $4,000
Police in Ukraine reported in 2018 that a man had attempted to sell 100GB of customer data to his ex-employer’s competitors – for the bargain price of $4,000. The man allegedly used his insider knowledge of the company’s security vulnerabilities to gain unauthorized access to the data. This scenario highlights another challenge to consider when preventing insider threats – you can revoke ex-employees’ access privileges, but they might still be able to leverage their knowledge of your systems’ vulnerabilities and weak points.
Security officer’s devastating cyber-crime spree
In 2017, a federal court in California ruled against ex-security officer Yovan Garcia, finding that he had hacked his ex-employer's systems to steal its data, destroy its servers, deface its website and copy its proprietary software to set up a rival company. The cybercrime spree was reportedly sparked after Garcia was fired for manipulating his timesheet. Garcia was ordered to pay over $316,000 in damages for his various offenses.
The sheer scale of the damage caused by this one disgruntled employee is pretty shocking. Garcia stole employee files, client data and confidential business information, destroyed back-ups and even uploaded embarrassing photos of his one-time boss to the company website.
How to detect malicious insider threats and prevent data loss
Insider threats can be far more difficult to prevent than attacks from outside the organization, because they are largely invisible to perimeter-focused security controls such as firewalls: insiders already hold valid credentials and are expected to be on the network and in the systems they abuse. And the pool of potential malicious actors is large, including both current and former employees, third-party suppliers, contractors, and any other business partners who have access to your internal systems.
That's why insider threat detection requires a diversified strategy, combining technical controls and human processes to identify potential threats and prevent data loss. Machine learning and statistical anomaly detection can help overstretched IT and human resource departments by baselining each employee's normal behavior and data-related activity and flagging deviations, such as an unusual volume of attachments sent to an external address, for review.
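To make the behavioral-baseline idea concrete, here is an added example (not part of the original article, and not Tessian's product or model) that implements the simplest useful version of it in Python: a per-user baseline of attachment bytes sent to external recipients over a training window, a volume alert when a later day exceeds mean + k·stdev (with an absolute floor, so a user whose baseline is silent is not alerted over a tiny attachment), and a lower-severity alert for any external domain the user has never written to before. The mail-gateway log format and every event in it are constructed; the domain `corp.example` stands in for the organization.

```python
"""Baseline-and-deviation detection of data exfiltration over email.

Added worked example, not Tessian's code or model. It builds a per-user
baseline of attachment bytes sent to external recipients during a training
window, then flags later days whose volume exceeds mean + k*stdev (with an
absolute floor so a user with a silent baseline is not alerted on a 4 KB
attachment) and external domains the user has never written to before.
The log format and all events below are constructed.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import date

INTERNAL_DOMAIN = "corp.example"
BASELINE_END = date(2023, 5, 5)  # last day of the training window

# Constructed mail-gateway log: one row per recipient.
SAMPLE_LOG = """\
timestamp,sender,recipient,attachment_bytes
2023-05-01T09:12:00,alice@corp.example,pat@partner.example,200000
2023-05-01T10:05:00,alice@corp.example,bob@corp.example,5000000
2023-05-02T11:30:00,alice@corp.example,pat@partner.example,250000
2023-05-02T09:00:00,bob@corp.example,alice@corp.example,120000
2023-05-03T08:45:00,alice@corp.example,pat@partner.example,180000
2023-05-04T14:20:00,alice@corp.example,pat@partner.example,220000
2023-05-05T16:02:00,alice@corp.example,pat@partner.example,150000
2023-05-08T18:41:00,alice@corp.example,alice.home@webmail.example,4800000
2023-05-08T19:02:00,bob@corp.example,recruiter@rival.example,300000
"""


def parse_log(text):
    """Parse the CSV into events carrying sender, recipient domain, day and size."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "day": date.fromisoformat(row["timestamp"][:10]),
            "sender": row["sender"].lower(),
            "domain": row["recipient"].rsplit("@", 1)[-1].lower(),
            "bytes": int(row["attachment_bytes"]),
        })
    return events


def user_threshold(series, k, floor_bytes):
    """Alert threshold from a user's baseline of daily external bytes."""
    mean = statistics.mean(series) if series else 0.0
    sd = statistics.pstdev(series) if len(series) > 1 else 0.0
    return max(mean + k * sd, floor_bytes)


def detect_exfiltration(events, baseline_end, k=3.0, floor_bytes=1_048_576):
    """Return sorted alerts as (sender, day, kind, detail).

    kind is "volume" (detail = external bytes sent that day) or "new-domain"
    (detail = an external domain absent from the user's baseline).
    """
    daily = defaultdict(lambda: defaultdict(int))  # sender -> day -> external bytes
    seen = defaultdict(set)                         # sender -> baseline external domains
    for e in events:
        if e["domain"] == INTERNAL_DOMAIN:
            continue  # internal mail never counts toward exfiltration volume
        daily[e["sender"]][e["day"]] += e["bytes"]
        if e["day"] <= baseline_end:
            seen[e["sender"]].add(e["domain"])

    # Every day with any traffic in the window, so a user's quiet days count
    # as zero bytes instead of being missing from the baseline.
    baseline_days = sorted({e["day"] for e in events if e["day"] <= baseline_end})

    alerts = set()
    for sender in sorted({e["sender"] for e in events}):
        threshold = user_threshold([daily[sender].get(d, 0) for d in baseline_days], k, floor_bytes)
        for day, total in daily[sender].items():
            if day > baseline_end and total > threshold:
                alerts.add((sender, day.isoformat(), "volume", total))

    for e in events:
        if (e["day"] > baseline_end and e["domain"] != INTERNAL_DOMAIN
                and e["domain"] not in seen[e["sender"]]):
            alerts.add((e["sender"], e["day"].isoformat(), "new-domain", e["domain"]))

    return sorted(alerts, key=lambda a: (a[0], a[1], a[2], str(a[3])))


def run_sample():
    """Run detection over the constructed log with the constructed window."""
    return detect_exfiltration(parse_log(SAMPLE_LOG), BASELINE_END)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

On the constructed log, alice's 4.8 MB send to a personal webmail address on 8 May trips both the volume and new-domain checks, while bob's 300 KB to a previously unseen domain trips only the new-domain check, because the floor keeps his all-zero baseline from making every external send an alert. The 5 MB internal attachment on 1 May is ignored entirely. In production the baseline would be a rolling window of weeks, not five days, and the floor and k would be tuned per role, but the shape of the logic is the same.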
Intelligent technology to prevent data exfiltration
Tessian Enforcer proactively stops sensitive information from leaving your environment via email. It uses machine learning and behavioral intelligence modeling to automatically detect and prevent data exfiltration and non-compliant activities, helping to safeguard your company’s intellectual property. Analyzing user behavior is one of the most important elements in protecting against insider attacks. Tessian Enforcer also provides visibility of email data exfiltration events and insider threats, so you can easily identify any data being transferred by high-risk end-users inside your organization.
Find out more about how Tessian stops insider threats by email, or download our data exfiltration data sheet for more information.