Feature article - Rogue employees: The insider menace
Dr Dexter Morse, global head of insurance and risk at Arxada, looks at how companies can protect themselves from the effects of negligent or malicious employees
Research by security firm AlgoSec, the SANS Institute and Krall all points to the same conclusion: the greatest threat to your company and network comes not from hackers on the outside trying to get in but from your own employees, whether they want to cause mischief or inadvertently cause damage from within. Insider threats affect more than 34% of businesses globally every year, and 66% of companies believe an insider incident is more likely than an external attack.
This is borne out by research from Panda Security, which shows that insider incidents have increased by 47% over the last two years. Rogue employees can inflict substantial damage on an employer in many different ways, for example by:
* Destroying computer files and vandalising company property
* Embezzling money
* Running social media campaigns to defame the company
* Trashing its reputation
* Removing and shredding important records and documents
* Upending business activities, for example by reporting suspicious packages to emergency services
* Causing the company to incur expenses, liability, regulatory fines, litigation, etc.
* Disclosing trade secrets (e.g. client information, codes) to rivals
Negligent employees
There are two kinds of insider threat: negligent and malicious. Negligent insiders are those who disregard rules and protocols, or simply ordinary employees who make a mistake. They might, for example:
* Leave their computer unlocked while they go to the bathroom or for a coffee
* Leave their login IDs and passwords on sticky notes posted to their computer monitor
* Share sensitive information in emails
* Email company data to personal accounts to do some work over the weekend
* Fall victim to phishing attacks
* Leave client lists or confidential presentations on whiteboards in meeting rooms; or
* Forget company laptops, phones or documents on public transport
Two thirds of insider threat incidents are caused by negligence, and negligent insiders whose credentials are stolen account for 25% of all incidents. At companies with more than 1,000 employees, an average of 800 emails a year are sent to the wrong recipient.
Unintentional rogue activity is random and hard to plan for, and it is also more common than intentional activity, which makes it the greater risk. Particularly alarming is the fact that ex-employees often still have access to confidential or highly confidential data at their previous employer.
Phishing attacks account for 67% of accidental insider threats and are one of the oldest ways for hackers to penetrate a company network. They usually arrive as emails that trick the user into opening and downloading a malicious attachment, or into clicking a link dressed up as something familiar, such as a calendar invite. Once the malware is on the company computer it can install a keystroke logger, capture credentials and harvest further sensitive information.
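The patterns in that paragraph (a spoofed or lookalike sender, a link whose visible text names one site while its target is another, an attachment that is really an executable) can be checked mechanically before a message reaches the user. The following is an added example, not code from the original article or from any vendor it names: a Python triage pass run over two constructed messages. The internal domain example.com, the list of risky extensions and the edit-distance threshold are assumptions.

```python
"""Heuristic phishing triage for the patterns described in the article.
Constructed sample messages; INTERNAL_DOMAIN, RISKY_EXT and thresholds are assumptions."""
import os
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".docm", ".xlsm"}

# Constructed phishing sample: lookalike sender, redirected replies, a link whose
# text and target disagree, and an "invite" that is really an executable.
SAMPLE_PHISH = """\
From: IT Helpdesk <helpdesk@examp1e.com>
Reply-To: recovery@mail-reset.net
To: alice@example.com
Subject: Calendar invite: mandatory password reset
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Confirm via <a href="http://login.mail-reset.net/x">https://sso.example.com/reset</a></p>
--b1
Content-Type: application/octet-stream; name="invite.ics.exe"
Content-Disposition: attachment; filename="invite.ics.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAA==
--b1--
"""

# Constructed benign sample from a colleague.
SAMPLE_BENIGN = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

See https://intranet.example.com/menu for today's menu.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain (last two labels); enough for this demo."""
    return ".".join(host.lower().split(".")[-2:])


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs so text and target can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def triage(raw):
    """Return a list of (rule, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    # 1. Sender domain is a near-miss of our own (typosquat / digit-for-letter swap).
    if sender_domain != INTERNAL_DOMAIN and edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(("lookalike_sender", sender_domain))
    # 2. Replies are silently redirected to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(("reply_to_mismatch", reply_to))
    for part in msg.walk():
        filename = part.get_filename()
        # 3. Attachment whose real extension is executable or macro-enabled.
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXT:
            findings.append(("risky_attachment", filename))
        # 4. Link whose visible text names one site but whose href goes to another.
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            parser = LinkExtractor()
            parser.feed(body)
            for text, href in parser.links:
                if "." not in text:
                    continue  # words like "click here" make no claim about a domain
                shown = urlparse(text if "://" in text else "//" + text).hostname
                target = urlparse(href).hostname
                if shown and target and registrable(shown) != registrable(target):
                    findings.append(("link_mismatch", f"{shown} -> {target}"))
    return findings
```

Run `triage(SAMPLE_PHISH)` and all four rules fire; the benign message produces nothing. In a real deployment the input would come from a mail gateway or mailbox export, and this heuristic pass would sit alongside, not instead of, SPF/DKIM/DMARC results and attachment sandboxing, which it does not attempt.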
Malicious insiders
Malicious insiders turn their legitimate access against the company, and their motivations vary. The main ones seem to be money, a competitive edge or revenge, but some do it simply for fun. Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. Instability, furlough and lay-offs, combined with reduced visibility for IT and security teams, have led to an increase in malicious insider attacks.
Some individuals stay up all night to find ways around the rules and procedures for financial gain. They are intelligent, cunning and motivated, and as such are especially dangerous to an organisation.
In July 2020 it came to light that a General Electric employee, Jean-Patrice Delia, had exfiltrated over 8,000 sensitive files from GE's systems over eight years, intending to use them to start a rival company. Delia persuaded an IT administrator to grant him access to the files and emailed commercially sensitive calculations to a co-conspirator. He was sentenced in November 2021 to two years in prison and ordered to pay $1.4 million in restitution.
Disgruntled employees and revenge seekers hold a grudge and wish to harm the organisation. When they quit or are fired they may steal proprietary information and leak it, or damage the organisation by contacting suppliers, shareholders, authorities, regulators and so on.
One such example is Christopher Dobbins, a vice president of finance whom the US medical supplies company Stradis let go in March 2020. After receiving his final salary payment, he broke into the company's computer network, granted himself administrator access, then edited and deleted almost 120,000 records, significantly delaying deliveries of medical equipment. Dobbins pleaded guilty and was sentenced to one year in prison and ordered to pay $221,000 in restitution.
Employees with secret political affiliations and loyalties range from a sophisticated art expert employed by the British royal family (Anthony Blunt) to the nice 87-year-old lady next door (Melitta Norwood, the inspiration for the film 'Red Joan') or women used as honey traps, such as Anna Chapman.
Aerospace engineer Greg Chung was convicted of economic espionage and of acting as an agent of China for more than 30 years while employed by Rockwell and Boeing, from whom he stole restricted technology and trade secrets, including information relating to the space programme and the Delta IV rocket. The case against Chung grew out of an investigation into another engineer, Chi Mak, who worked in the USA and obtained sensitive information for China; Mak and several of his family members were convicted of providing defence articles to China, and he was sentenced to 24 years.
When FBI and NASA agents searched Chung’s house, they found more than 250,000 pages of documents from Boeing, Rockwell and other defence contractors. Chung was sentenced to almost 16 years.
Employees with mental health issues can harm themselves, their colleagues and the organisation. Research in 2020 by BUPA and Business in the Community (UK) found that 41% of employees say they have experienced poor mental health where work was a contributing factor, up from 39% in 2019. The most common cause was pressure, followed by workload, long hours and not taking enough leave.
Alarmingly, 30% of employees affected by poor mental health admit to telling nobody about it. The figure is even higher among men, even though early diagnosis improves the long-term prognosis of mental health conditions. One in four of us will be affected by mental health issues of some kind, and this is exacerbated by the stresses of job insecurity, home working and pandemic fatigue.
What are the threats?
Research by ObserveIT found that 55% of organisations believe privileged users, those with the most access to company systems, present the greatest risk. Companies can do their best to stop known attack techniques, but attacks in which users intentionally or accidentally let malicious actors in are difficult to track and hard to stop, and they can happen to anyone, anywhere.
Fortinet, a US cyber security company, surveyed IT professionals and found that fraud (55%), monetary gain (49%) and IP theft (44%) were the three biggest motives behind insider attacks. Interestingly, the most vulnerable areas of a company are finance (41%), customer success (35%) and R&D (33%). Companies also need to be aware of their trusted business partners, contractors and consultants.
According to Insights Insider, trusted business partners perpetrated 15-25% of incidents across all incident types and industry sectors. Companies entrust business partners with sensitive information; a partner may misuse it for its own gain, or may itself fall victim to an insider attack that exposes it. Research by data and threat protection firm Bitglass found that 57% of insider threat actors are contractors and consultants.
According to Security Round Table, 85% of organisations find it difficult to determine the damage done by an insider attack. Downtime, lost customers and lawsuits add to the direct damage, and things get much worse the longer the attack goes on, particularly if confidential information was stolen.
What is the cost?
According to IBM, it takes an average of 197 days to identify a data breach and a further 77 to recover from one. Dealing with the breach means halting affected operations, locating the source and mitigating it. Insider attacks that take a long time to resolve cost $6.58 million more than those that are resolved quickly.
Basically, the longer it takes, the more it costs: incidents that take more than 90 days to resolve cost an average of $13.7 million a year, compared with $7.12 million for those resolved within 30 days, according to Panda Security.
The cost of an insider incident varies with the kind of incident, with those involving stolen credentials causing the greatest financial damage; however, costs have been rising steadily for all kinds. Overall, the average global cost increased by 31% from $8.76 million in 2018 to $11.45 million in 2020, with the largest share spent on containment, remediation, incident response and investigation. There are also large regional variations, with incidents in North America the most costly and nearly twice as expensive as those in Asia-Pacific.
What can employers do?
Regular cyber security training can remind negligent employees of the risks they pose to their organisation, but in practice it is often ineffective: in a recent survey by SC Magazine, nearly 70% of employees polled said they had recently received such training, yet 61% failed a quiz on the topic.
Some companies use tools to monitor for insider threats, including data leak prevention software, user behaviour analytics and, where local law permits, employee monitoring and surveillance. However, data from 2021 suggests that a shortfall in security monitoring may be contributing to the prevalence of insider incidents: only 28% of firms said they used automation to detect anomalous activity, 28% only monitor access logs, 14% do not monitor user behaviour at all and 10% only monitor it after an incident has occurred.
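Those monitoring tools boil down to comparing what an account does against what it normally does and against what it is allowed to do. As an added example (not code from the article or from any vendor it names), the Python script below runs three such rules over a constructed JSON-lines audit export: a per-user download baseline (leave-one-out median and MAD, so a consistently heavy user is not flagged while a sudden spike is), privileged roles granted to oneself or by an unapproved actor (the pattern in the Stradis case above), and activity outside working hours. The field names, the approved-admin list, the working-hours window and the thresholds are assumptions.

```python
"""Baseline-based insider-threat rules over a constructed audit-log export (JSON lines).
Field names, APPROVED_ADMINS, PRIVILEGED_ROLES, WORK_HOURS and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

APPROVED_ADMINS = {"itadmin"}                 # assumption: accounts allowed to grant roles
PRIVILEGED_ROLES = {"admin", "domain_admin"}  # assumption: roles worth alerting on
WORK_HOURS = range(6, 22)                     # assumption: 06:00-21:59 UTC is the working day
MIN_HISTORY_DAYS = 3                          # do not judge a user with almost no baseline


def _row(ts, user, action, **extra):
    return json.dumps({"ts": ts, "user": user, "action": action, **extra})


# Constructed sample export: alice and bob download files daily; bob is heavy but
# consistent, alice suddenly pulls 400 files late at night; a former finance VP
# grants himself admin at 02:30 (the Stradis pattern).
SAMPLE_LOG = "\n".join(
    [_row(f"2021-03-0{d}T10:00:00Z", "alice", "file_download", count=c)
     for d, c in zip(range(1, 6), (8, 6, 9, 7, 10))]
    + [_row("2021-03-06T23:05:00Z", "alice", "file_download", count=400)]
    + [_row(f"2021-03-0{d}T11:00:00Z", "bob", "file_download", count=c)
       for d, c in zip(range(1, 7), (190, 210, 205, 198, 220, 215))]
    + [_row("2021-03-03T14:00:00Z", "itadmin", "role_grant", target="carol", role="viewer"),
       _row("2021-03-07T02:30:00Z", "cdobbins", "role_grant", target="cdobbins", role="admin")]
)


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def volume_spikes(events):
    """Flag a user-day whose download count dwarfs that user's other days.
    Leave-one-out median + MAD keeps the spike itself out of its own baseline."""
    per_day = defaultdict(int)
    for ev in events:
        if ev["action"] == "file_download":
            per_day[(ev["user"], ev["ts"].date())] += ev.get("count", 1)
    by_user = defaultdict(dict)
    for (user, day), n in per_day.items():
        by_user[user][day] = n
    findings = []
    for user, days in by_user.items():
        for day, n in days.items():
            others = [v for d, v in days.items() if d != day]
            if len(others) < MIN_HISTORY_DAYS:
                continue
            med = median(others)
            mad = median([abs(v - med) for v in others])
            threshold = max(4 * med, med + 5 * mad)
            if n > threshold:
                findings.append(("volume_spike", user, f"{day}: {n} downloads vs baseline {med:g}"))
    return findings


def privilege_grants(events):
    """Flag privileged roles granted to one's own account or by an unapproved actor."""
    findings = []
    for ev in events:
        if ev["action"] != "role_grant" or ev.get("role") not in PRIVILEGED_ROLES:
            continue
        if ev["target"] == ev["user"]:
            findings.append(("self_grant", ev["user"], f"granted {ev['role']} to own account"))
        elif ev["user"] not in APPROVED_ADMINS:
            findings.append(("unapproved_grant", ev["user"], f"granted {ev['role']} to {ev['target']}"))
    return findings


def after_hours(events):
    """Flag any activity outside the assumed working-hours window."""
    return [("after_hours", ev["user"], f"{ev['action']} at {ev['ts'].isoformat()}")
            for ev in events if ev["ts"].hour not in WORK_HOURS]


def run(text):
    """Return all (rule, user, detail) findings for one export."""
    events = parse_events(text)
    return volume_spikes(events) + privilege_grants(events) + after_hours(events)


if __name__ == "__main__":
    for rule, user, detail in run(SAMPLE_LOG):
        print(f"{rule:14} {user:10} {detail}")
```

The per-user baseline is the point of the first rule: a static "more than 100 downloads" threshold would page on bob every day and teach the analysts to ignore it, whereas alice's 400 against her own median of 8 stands out. In production the events would come from a SIEM or the application's own audit trail, and the rules would be tuned per role rather than with the single global constants used here.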
Tessian, a cloud email security platform, has found that most companies rely on a combination of security awareness training, company policies and procedures, and machine learning and intelligent automation. It is also advisable to set clear written expectations for employee departures: draft policies, and incorporate specific terms into employment contracts, covering the obligations of departing employees (confidentiality, fidelity, mutual trust and the return of company property such as office keys, hardware and passwords) and the non-solicitation of employees and customers.
Tessian also found that 45% of employees download, save, send or otherwise exfiltrate work-related documents before leaving a job or after being dismissed. A clear exit process should therefore reflect the employee's role in the business, the information and systems they have access to, and whether that access has been permanently severed.
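Checking that access has really been severed is a reconciliation job: the HR leavers list against account state in every system, outstanding long-lived credentials that a password reset does not touch, and sign-in logs after the last day. The following is an added example, not code from the article: a Python function that performs that join over constructed data. The system names, field names and the rule that all access must be gone by the end of the last working day are assumptions.

```python
"""Leaver reconciliation across HR data, account inventories, tokens and sign-in logs.
Constructed data; system names, field names and the zero-day grace period are assumptions."""
from datetime import date, datetime, timezone

# Constructed HR feed: who left and their last working day.
LEAVERS = {"alice": date(2021, 3, 5), "cdobbins": date(2021, 3, 1)}

# Constructed account inventory pulled from each system.
ACCOUNTS = [
    {"system": "sso", "user": "alice", "enabled": False},
    {"system": "vpn", "user": "alice", "enabled": False},
    {"system": "sso", "user": "cdobbins", "enabled": False},
    {"system": "vpn", "user": "cdobbins", "enabled": True},  # missed during offboarding
    {"system": "erp", "user": "cdobbins", "enabled": True},
    {"system": "erp", "user": "carol", "enabled": True},     # current employee
]

# Constructed long-lived credentials (API keys, personal access tokens).
TOKENS = [
    {"user": "cdobbins", "system": "erp", "id": "tok_7f3a", "revoked": False},
    {"user": "alice", "system": "sso", "id": "tok_91cc", "revoked": True},
]

# Constructed sign-in events from the systems' own logs.
LOGINS = [
    {"system": "vpn", "user": "cdobbins", "ts": "2021-03-08T21:40:00Z"},
    {"system": "sso", "user": "alice", "ts": "2021-03-04T09:00:00Z"},
    {"system": "erp", "user": "carol", "ts": "2021-03-09T09:00:00Z"},
]


def _day(ts):
    """UTC calendar date of an ISO 8601 timestamp ending in Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).date()


def reconcile(leavers, accounts, tokens, logins):
    """Return {user: [finding, ...]} for each leaver whose access is not fully
    severed or who has demonstrably used access after their last day."""
    findings = {u: [] for u in leavers}
    for acct in accounts:
        last = leavers.get(acct["user"])
        if last is not None and acct["enabled"]:
            findings[acct["user"]].append(f"{acct['system']} account still enabled (left {last})")
    for tok in tokens:
        last = leavers.get(tok["user"])
        if last is not None and not tok["revoked"]:
            findings[tok["user"]].append(f"{tok['system']} token {tok['id']} not revoked")
    for login in logins:
        last = leavers.get(login["user"])
        if last is not None and _day(login["ts"]) > last:
            findings[login["user"]].append(
                f"{login['system']} sign-in at {login['ts']} after last day {last}")
    return {u: f for u, f in findings.items() if f}


if __name__ == "__main__":
    for user, items in reconcile(LEAVERS, ACCOUNTS, TOKENS, LOGINS).items():
        print(user)
        for item in items:
            print("  -", item)
```

The third check is the one that turns an offboarding gap into an incident: an enabled account is a control failure, but a sign-in after the last day is evidence of the kind that the later advice on gathering proof before litigation depends on, and it should trigger immediate disablement and preservation of the relevant logs.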
It may be appropriate to restrict or change the employee's duties once they have given notice, e.g. allocating them more administrative tasks with limited access to information they could use at their next employer. It may also be appropriate to place the employee on paid 'garden leave', especially where he or she could be disruptive in the workplace or jeopardise customer relationships.
If the business has concerns about what a departing employee might do during their notice period, invoking a payment-in-lieu-of-notice clause, where the contract contains one, is the preferable option, as it ends the relationship immediately and protects the business. Prevention is better than cure: it is easier and more cost-effective for employers to prevent damage or loss by ensuring their employment contracts contain the provisions they need to manage the exit effectively.
The appropriate steps will vary with the employee and the scenario. Where an employee has departed under dubious circumstances, employers should examine company computers, mobile phones and email accounts for evidence of improper conduct, and work with their IT providers to secure data and prevent theft or sabotage. They should also ensure they have policies in place giving them the right to monitor and examine the use of the company's electronic equipment.
Lawsuits against employees who have gone rogue frequently founder for lack of evidence. Before engaging in expensive and protracted litigation, employers should gather evidence of the unlawful conduct and of the harm caused to the business. Time is of the essence: employers must act swiftly when they discover that a departed employee has retained confidential information or company property, both to limit the damage and to avoid waiving their legal rights.
Supporting employees
During these challenging times it is important that employers are seen to be supportive and to empathise with their employees, which reduces hostility and thus the tendency to go rogue. As a minimum this should include regularly checking in with team members to reduce feelings of isolation and giving them opportunities to raise issues and concerns. Cisco, for example, offered its employees Wellthy, a digital care platform that provides a dedicated care co-ordinator to help employees manage the logistics (finances, legal matters, housing and mental health) of everything from supporting elderly parents to caring for a child with special needs.
Many companies offer their employees the opportunity to work abroad for a month or more, giving them a change of environment and a chance to refresh. During lockdown, the US company Rocket assigned everyone days off that did not count against their holiday entitlement so they could relax, enjoy themselves and recharge. Finally, the US real estate platform Zillow introduced core collaboration hours, limiting internal group meetings to four-hour blocks of the day so that employees across the different time zones were not burdened by Zoom and Teams sessions from early morning Eastern through to late evening Pacific time.
Since there is no clear profile of a 'rogue' employee, companies must be vigilant, use the tools available to them and, if such activity is identified, act swiftly to contain the breach and keep costs and reputational damage to a minimum.
Contact
Dr Dexter Morse
Global Head of Insurance & Risk
Arxada
www.arxada.com