Preventing Insider Threats to Cybersecurity

John Ansbach , Brenda Sharton


September 1, 2020

Ransomware continues to be a significant threat to corporate enterprises, with more attackers focusing on large companies in recent months. Threat actors are deploying sophisticated malware in well-planned campaigns that demand more expensive payments, often causing financial and reputational damage. Recently, a disturbing twist in ransomware cases has become more common: an attack either deliberately facilitated or unwittingly supported by a company employee. With an insider’s help, the attack comes swiftly and with devastating impact, compelling the company to pay a large sum and spend untold hours of already scarce resources to recover. 

Even as some employees are allowed back into the workplace, a large proportion may still be operating remotely. As a result, we can expect to see an increase in insider-caused information security compromises as the pandemic continues.

To better understand why this type of attack occurs and how to respond, it is worth examining what insider threats look like and what may motivate these individuals.

“Insider threat” generally refers to a security risk that originates within the targeted organization. Insiders can include current and former employees, consultants or business partners. Some may simply be negligent, used as an unwitting conduit to allow threat actors to steal company information. Other insider threats are borne of intentional acts, with someone either acting alone or with an outside threat actor. These insiders seek to hurt their employer deliberately, leveraging their position, knowledge and access to cause damage.

In the case of the intentionally malicious insider, some of the common motivating factors include money, politics and emotion (e.g., frustration, depression, boredom). As more companies furlough and lay off employees to survive COVID-19, emotions are running high. Many workers are angry. Others face acute financial constraints that could make them more susceptible to outside actors looking for a way in. Those workers who have suffered a pay cut or lost their job altogether may behave in ways they never would have otherwise considered and seek to lash out at their employer. In addition, given the politically charged landscape around COVID-19, some employees will disagree with their employer’s decisions about returning to work, and may act out accordingly.

Such increases in malicious insider activity have followed significant events before. For example, after Hurricane Katrina and the September 11 terrorist attacks, intentionally malicious insider activity became more frequent. The sheer breadth of COVID-19, however, makes this event different. In the United States, real unemployment reached a high of more than 23% this summer, with job losses totaling more than 40 million workers. Under that kind of strain, people may behave differently.

 The increase in non-intentional insiders may be driven by a lack of technological savvy, a desire for convenience or misplaced or inadequately protected devices. In the first months of the pandemic, companies took employees accustomed to working in an office with IT support staff nearby and abruptly shifted them to working from home. Companies introduced or became more reliant on technologies that many employees were not fully skilled at using, to the detriment of security. Couple that with the exponential surge in cyberattack activity observed since the beginning of the pandemic and threat actors who are always looking to take advantage of a crisis, and the odds for a successful attack likewise increase.

For convenience, employees are turning to “shadow IT” (unauthorized applications) more than ever. With entire workforces now either remote or on-site with staggered schedules, employees will inevitably resort to what is available and convenient to help get their work done, Googling for a quick fix and downloading potentially dangerous solutions.

Now that all or most of an organization’s employees and other business partners are not operating from secure office spaces, misplacing or simply failing to protect devices while working remotely is also a real hazard. Consider an employee who leaves a home computer used for work open and accessible to roommates who could see confidential information, or family members whose internet activity could leave the machine vulnerable to malware. 

These factors create ideal circumstances for a dramatic increase in insider threat activity. Companies can address the increased threat by taking proactive steps, such as:

  • Implementing monitoring, detection and response tools to promptly identify or even stop anomalous, suspicious activity
  • Deploying policies and controls that disallow the use of unauthorized tools
  • Monitoring employee activity, such as tracking email traffic, and using data loss prevention tools to log files accessed (after consulting with an employment lawyer)
  • Increasing employee training, with a specific focus on cybersecurity challenges associated with remote work

Companies that leverage their resources to anticipate insider threats and defend against them before real damage stand the best chance of mitigating this growing risk.

John Ansbach is vice president of engagement management at Aon Cyber Solutions, where he leads digital forensic investigations as well as cybersecurity incident and data breach response projects.
Brenda Sharton, a senior litigation partner with Goodwin, is a first chair trial lawyer and global chair of the firm’s privacy and cybersecurity practice.