By Moty Kanias, VP of Cyber Strategy & Alliances, NanoLock Security
Great businesses understand that their people are their most important assets. But there is another side to that coin. Employees and contractors may also threaten your company by virtue of their access and expertise. Most experts consider three categories of insider threats: preventable mistakes due to simple human error, stolen credentials, and criminal or malicious actors. Issues from the first two categories are much more frequent than those from the third category, but all insider attacks are on the rise.
The 2021 incident in Oldsmar, Florida is evidence of the impact of human error — what was initially reported as a malicious remote-access intrusion turned out to be an in-house employee who had accidentally clicked the wrong buttons.
The 2023 charges filed over the attack on the Discovery Bay Water Treatment Facility in Tracy, California, on the other hand, show how well-meaning employees or contractors can turn against their employers, instigate attacks, and potentially cause significant damage.
The above examples hint at a much larger problem. In fact, according to the Ponemon Institute, every single company that they surveyed had an insider incident last year.
Companies need to assess whether their cybersecurity policy has given their people too many permissions and too few safeguards. This is especially true for industrial and critical infrastructure targets, as well as utilities and energy infrastructures, which have vast networks of connected devices, both new and legacy, and numerous personnel who need credentials to manage them. Here, we’ll answer a few questions about how insider attacks threaten our infrastructures.
What makes insiders so dangerous to industrial and manufacturing targets?
All it takes is a single unsecured device or a single worker who makes an error or is manipulated. Insider attackers often already know where valuable information is kept, understand how it can be used, and know what is (and is not) normal activity, so that alarms aren’t triggered. They also hold legitimate credentials, which means they may not need to do much “attacking” at all. This makes them difficult to detect until it is too late, at which point many industrial and manufacturing targets are tempted to concede to certain demands in order to keep operations moving. Stopping operations is a last resort because of both the financial and the reputational ramifications. Insiders understand this and exploit it for leverage.
With AI’s new and growing ability to mass-produce content, including text and deepfake voice clones, human manipulation is becoming significantly harder to identify, raising the risk of cyber events to a new level.
Why haven’t we heard more about insider attacks?
Though recent research and reporting have shed light on the rising tide of insider attacks, we historically have not heard much about these sorts of incidents. This is because, for the companies who are victimized, these incidents can represent “dirty laundry” that they’d rather not air in public. There’s also often a threat, explicit or implied, that the hack will get worse if authorities are involved, which affects negotiations and decisions on whether to pay a ransom and may require disclosure of sensitive information to the authorities.
Insider attacks can also be easier for people to tune out because these incidents frequently stem from mundane mistakes. Simple human error is a huge source of insider attacks, but news and entertainment typically prefer to show a master hacker in a remote van rather than a technician simply forgetting to log out.
For a high-profile example of an insider manipulation attack using a compromised credential, look no further than the Colonial Pipeline incident. In response to a ransomware attack that originated from an insider breach of its IT network, the company shut down operations across its entire pipeline system.
How can we improve reporting?
Organizations are often lax in two ways: they place implicit trust in employees and partners, and they are reluctant to report incidents when they occur. A lack of transparency from the targets of insider attacks gives attackers an advantage in several ways. Firstly, they are more likely to receive (and retain) a ransom payment if authorities are never involved. Secondly, unreported and unpatched vulnerabilities give hackers an opportunity to expand their operations under the radar. Only the introduction and enforcement of comprehensive regulations that mandate cyber incident reporting will force organizations to adopt true transparency when they are attacked. In some regions, such as the EU, the NIS2 directive mandates cyber incident reporting, while in other regions it has not yet become mandatory.
What other strategies can we adopt then?
Rather than attempting to patch our way to perfect protection, we can accept that human error will always be a factor and shift our focus from intercepting access to preventing outcomes. Assume that breaches will happen. Then what? If we can better define the level of privilege each worker holds, and educate workers about the threats, intruders will have a much harder task, and their access becomes much less threatening. A hacker with access but no abilities is a lot less problematic and a lot more fixable than the alternative, especially when that hacker is an insider with privileged knowledge. Zero Trust is the key to defeating insider attacks because it’s not insiders that are the problem – it’s insider privilege. Manage and monitor that privilege and you can eliminate the attack vector.
About the Author
Moty Kanias, Vice President of Cyber Strategy and Alliances for NanoLock, is a veteran of the Israeli security forces (Col. res.) with vast experience in cyber security, counter-intelligence and insider threats. In his previous position, Moty served as a senior executive in the Israeli Prime Minister’s office, managing research into new civil defense and aerospace technologies. Before that, Moty served as the head of the counter-intelligence and cyber threats research branch in the IDF, and his work was awarded several certificates of excellence.
Moty also served as a division manager in the Ministry of Defense Security Authority (D.S.D.E – Directorate of Security of the Defense Establishment), leading a counter-intelligence task force that researched cyber technologies and human vulnerabilities, such as insiders. Moty holds a BA in history and Jewish philosophy from Tel Aviv University.