Updated: Feb 9, 2022
Insider threats are as old as history.
Take the Battle of Thermopylae, for example. This famous stalemate raged for two days despite the Persians’ 50-to-1 advantage against the Spartan defenders. Between the narrow, rugged terrain and Spartan ferocity, the Persians couldn’t break through and the Greeks prevailed.
That was until a local Greek named Ephialtes provided the Persians intelligence of a pass they could use to outflank and defeat the Spartans. This critical information, which only an insider could know, tipped the scales in the Persians’ favor and hastened the Spartans’ defeat.
Might the Spartans have held the pass for a few more days? Who knows. But the fact remains: the Spartans handily dispatched the Persian onslaught for two days despite being vastly outnumbered and under-resourced. Only when a Greek insider betrayed his countrymen did the Persians find a quick path to victory on the third and final day of battle.
The Company Insider Threat
The insider threat is often the least considered—but arguably the most dangerous—type of cyber threat. The reason is obvious: insider threats have already largely evaded the exterior defenses companies invest so much in. This fast-growing threat—increasing 47% since 2018—must be a key consideration when a company designs its network security strategy.
Cybersecurity researchers often group insider threats into categories:
Unintentionally negligent employees or contractors
Credential thefts leading to unauthorized access to applications and systems
Malicious insiders who intentionally damage the organization from within
Interestingly, malicious insiders only make up 14% of all insider threat incidents. The remaining 86% result largely from careless behavior, a fact that should worry any executive who manages a large workforce with access to sensitive information.
A Timely Reminder
The news these past few weeks has produced timely reminders that the insider threat is as serious as ever.
First, news broke that the FBI arrested a Russian citizen who offered a Tesla employee $1 million to install ransomware on Tesla’s servers. Luckily for Elon, this employee had the integrity and personal fortitude to pass up the bribe and instead notify the company and FBI. This very easily could have turned out very differently.
We also learned through a recent plea deal that a former Cisco engineer deleted 16,000 WebEx Team accounts along with 456 virtual machines five months AFTER he left the company. This disgruntled former employee cost Cisco in excess of $2.4M to repair the damage, not to mention the resulting poor publicity and impact to operations.
These two incidents might be top of mind because of the recent news, but the fact remains that insider threats have been a key driver of some of the most significant compromises in recent years. In fact, the Ponemon Institute estimates that over one-third of US companies will face some type of insider threat incident within the next year. And with the costs to combat insider threats continuing to rise—up 31% since 2018 to an average of $11.5M annually—companies need to elevate the priority of defending against this threat.
A QUICK GLANCE: TESLA & THE DISGRUNTLED EMPLOYEE
Although Tesla dodged a bullet with the recent insider attempt, they were not quite as lucky in 2018. In the summer of that year, Elon Musk notified his staff that a "Tesla employee had conducted quite extensive and damaging sabotage to our operations."
In fact, that employee managed to create false usernames in order to make direct code changes to the Tesla Manufacturing Operating System. Additionally, the malicious insider managed to export large amounts of highly sensitive data to unknown third parties, which included financials and the process for manufacturing batteries for Tesla's Model 3 vehicle.
Even more concerning, the former employee installed software on coworkers' computers so that the data would be exported even after he left the company. According to a lawsuit filed earlier this year, the former employee was with Tesla for eight months before being assigned to a new role. Tesla believes the theft of the data came as retaliation because the former employee was upset with this reassignment.
Given how tightly Tesla guards its trade secrets, we might never know the extent of the damage this insider attack caused. But we do know that the threat from insiders can affect even the most well-funded and recognizable companies in the world—a fact that companies should consider when architecting their cyber defense strategy.
What to do?
If you feel a little unsure about your company's insider threat program, you are not alone. Unfortunately, this is one area of cyber defense strategy that many companies under-resource or neglect entirely.
The good news is that building a scalable insider threat program is not out of reach. For our part, Pathfynder experts have successfully architected insider threat programs for companies of all sizes, including a Fortune 50. We have a proven solution to grow insider threat programs based on different company needs and situations.
Our approach is tech-driven, replacing highly manual processes with proprietary machine learning algorithms and automated playbooks. Over time, this approach dramatically reduces labor hours and increases the program’s effectiveness.
As an example, at the recent engagement with the Fortune 50 company, we increased insider threat investigation cycle output by 400%—reducing to minutes what used to take analysts hours or days to complete.
The threat from insiders isn’t going away anytime soon. Like the Greek traitor Ephialtes, someone inside your company—by negligence or malice—will expose critical assets one day.
And when that happens, what will you do about it?
If you have any questions about Pathfynder’s insider threat solution, let us know.