External threat actors are only one of several threat sources organizations must consider today: insider threats accounted for nearly one-third of all unauthorized-access incidents in Q3 2022, their highest quarterly share to date. Driven by significant shifts in employment in the wake of the COVID-19 pandemic and the move to remote and hybrid work, the implications for the security of an organization's data, employees, and assets are more pressing than ever. Insider incidents have risen 44% over the past two years, and the reported average annualized cost to an affected organization now stands at roughly $15M. Given the security, reputational, financial, and operational risks involved, insider risk is now, justifiably, on the radar of every corporate security professional.
Both malicious and negligent employees have become a serious and growing security risk to organizations.
What is behind the trend of external threat actors exploiting internal human weaknesses to compromise organizations and the individuals within them, and how can it be countered?
An insider threat is a security risk that originates within your organization. Employees, and anyone else who holds privileged access to data, intellectual property (IP), or the organization's digital and physical infrastructure, can become an insider threat. Through that access to the internal network, insider risk materializes in two principal ways:
Departing employees, staff who bypass established security controls for convenience, malicious insiders, negligent personnel, planted agents, and third-party partners all present insider risk.
Notably, "insider" risk is not entirely internal in origin. External threat actors actively exploit it: many intrusions fundamentally depend on, and begin with, the internal "human factor".
Employees of organizations of all sizes are being actively recruited by extortion and ransomware groups (Lapsus$ among them) to hand over access to company data and systems. In July 2022, American Airlines suffered a phishing attack that exposed the data of more than 1,700 customers and employees. In September 2022, a Lapsus$-affiliated threat actor gained access to Uber's source code, internal databases, communication channels, and other critical systems, compromising a large part of the company's internal environment. The same group has also attacked Nvidia, Samsung, and Microsoft; Microsoft's early-2022 breach was a social engineering intrusion that relied on a compromised insider account. Paying for malicious insider activity has proved effective for Lapsus$ and other groups, who prey on insider weaknesses to reach internal networks. Often, by the time these intrusions are detected it is far too late: the network is already compromised, exposing the data of countless individuals, intellectual property, privileged access to internal systems, and more.
Illustrating the reality of these risks, screen captures of posts on deep and dark web forums (reproduced in the original article) show users seeking T-Mobile and Bank of America employee account details offered for sale on underground channels. Requests and transactions of this kind take place every day in dark web marketplaces and present an immediate risk to organizations of all sizes.
Each organization must prioritize this growing risk and develop tailored systems and criteria for detecting red flags, in order to protect customers, employees, and the organization as a whole. Alongside employee education and thorough security and data-management protocols, proactive intelligence that identifies early risk indicators across the public web and the deep and dark web is critical.
To curb these threats, proactively preventing data exfiltration is paramount, as is maintaining an up-to-date and complete view of employee-driven risk across the surface, social, and dark web. By leveraging the largest collection of curated breach data on the planet, Constella Intelligence anticipates insider threats through early identification of the malign use of corporate credentials, supporting attribution of malicious or unauthorized activity to its threat actors and proactive protection against insider risk.
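The preceding paragraph describes checking whether corporate credentials have surfaced in breach data. The script below is an added example of that check, written for this page; it is not Constella's code and does not use its data or API. It assumes a combolist-style dump of `email:password` lines and a directory export of SHA-1 password hashes keyed by account, both constructed here for illustration; a real deployment would use the directory's own hash format and a vetted breach feed. Beyond flagging exposure, it tells apart the case a practitioner most needs to act on (the leaked password still works) from accounts that have already rotated or are not in the directory at all.

```python
"""Triage a breach dump for exposed corporate credentials.

Added example for this article (not Constella Intelligence code).
All input data below is constructed; domains, accounts and passwords are
assumptions, not real records.
"""
import hashlib
from dataclasses import dataclass


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of a password, the format assumed for the directory export."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Assumption: the organization's e-mail domains.
CORP_DOMAINS = {"example-corp.com"}

# Constructed combolist lines ("email:password"), including one malformed line
# and one entry for a non-corporate address, as real dumps contain.
BREACH_DUMP = """\
Alice@Example-Corp.com:Summer2022!
bob@example-corp.com:hunter2
carol@gmail.com:password123
dave@example-corp.com:CorrectHorseBatteryStaple
this line has no separator
"""

# Constructed directory export: SHA-1 of each account's *current* password.
# dave is deliberately absent (e.g. a departed employee or a contractor).
CURRENT_PASSWORD_HASHES = {
    "alice@example-corp.com": sha1_hex("Summer2022!"),  # same password leaked
    "bob@example-corp.com": sha1_hex("rotated-since-the-leak"),
}


@dataclass(frozen=True)
class Finding:
    account: str
    severity: str  # "critical" | "exposed-rotated" | "unknown-account"


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Split dump lines on the first ':'; skip lines that do not fit the format.

    Passwords may themselves contain ':', so only the first separator counts.
    E-mail addresses are lower-cased for matching against the directory.
    """
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        records.append((email, password))
    return records


def triage(records, domains, current_hashes) -> dict[str, Finding]:
    """Classify corporate accounts found in the dump.

    critical:         leaked password matches the account's current hash
                      (the credential is live; force a reset now)
    exposed-rotated:  account exists, password already changed
    unknown-account:  corporate address not in the directory (former staff,
                      shadow account, or a target for impersonation)
    Non-corporate addresses are ignored.
    """
    findings: dict[str, Finding] = {}
    for email, password in records:
        if email.rsplit("@", 1)[1] not in domains:
            continue
        if email not in current_hashes:
            severity = "unknown-account"
        elif current_hashes[email] == sha1_hex(password):
            severity = "critical"
        else:
            severity = "exposed-rotated"
        # Keep the worst outcome if an account appears in several lines.
        rank = {"critical": 2, "exposed-rotated": 1, "unknown-account": 0}
        prior = findings.get(email)
        if prior is None or rank[severity] > rank[prior.severity]:
            findings[email] = Finding(email, severity)
    return findings


def run_triage() -> dict[str, str]:
    """Run the check on the constructed data; returns account -> severity."""
    findings = triage(parse_dump(BREACH_DUMP), CORP_DOMAINS, CURRENT_PASSWORD_HASHES)
    return {acct: f.severity for acct, f in sorted(findings.items())}


if __name__ == "__main__":
    for account, severity in run_triage().items():
        print(f"{severity:16} {account}")
```

In practice the dump is never stored in plaintext on the analyst's machine: hash each leaked password at ingest and compare hashes only, and treat the `critical` class as an incident (credential reset, session revocation, and a look for logins that already used it), not merely a notification.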
Our Digital Risk Protection service offers a comprehensive response to cyber threats, covering the entire life cycle from early detection to final resolution.
Article by: Jonathan Nelson. Director, Risk Intelligence at Constella Intelligence.
Constella Intelligence is a Telefónica Tech partner and a global leader in Digital Risk Protection that works in partnership with some of the world’s largest organizations to safeguard what matters most and defeat digital risk.