As part of Harrison Clark Rickerbys' recent Cyber Conference, we presented a roundtable discussion, “The threat from within – insider threats and commercial espionage,” alongside HCR Partner Robert Capper. Drawing upon our collective experience across cybersecurity, digital forensics, information governance and data privacy, we covered a breadth of considerations relating to insider threats, including why employees steal data, what’s causing the increase in internal threats, how to prevent insider breaches, tips for investigating such matters and data privacy implications to address.
Organizations today overwhelmingly understand that cyber attacks can have a devastating impact on a company. In FTI Consulting’s recent Resilience Barometer, 74% of respondents across the G20 said that cybersecurity has risen up their board’s agenda. This growing emphasis on cybersecurity and data privacy is important progress in the ongoing fight against cyber criminals. Yet many business leaders do not understand the extent of their insider threat landscape, or that cyber incidents caused by trusted employees can cause even more reputational, financial and internal damage than a breach caused by outsiders. Moreover, without targeted prevention and controls, a well-placed insider can operate for years without detection and can undermine even the most sophisticated and secure corporate environments.
We discussed one matter during the session in which our team was engaged by a global business in relation to a Foreign Corrupt Practices Act investigation. One of the company’s key employees was suspected of deleting large volumes of company email data in breach of a hold order, with potential criminal liability implications. We examined data from a range of email systems and devices to determine the scope and scale of the deletions, analyzed other data records to determine whether the activity was intentional and, with counsel, reported our findings to the SEC and DOJ. In this type of situation, the consequences for both the individual concerned and the company can be serious, including criminal prosecution for the individual and large fines and other subsequent regulatory consequences for failure to detect and prevent spoliation and loss of critical information.
In another matter where our team was engaged, an online retail company discovered an instance of malicious code that was hidden in the client’s systems and designed to disrupt and break down its retail site during prime business hours. The company spent significant resources rebuilding its website and investigating what happened. It was ultimately discovered that the origination of the code could be traced to the outgoing CTO, who had been believed to be leaving the company amicably and was serving as a consultant for the new CTO’s onboarding. When he was approached, he revealed that he couldn’t remember whether he had done it or not. Eventually, he shared that he had been under the influence of substances while working prior to his departure and that this was something he had done at other former employers in the past. He agreed that he was probably the culprit.
As these examples demonstrate, insider actors may have malicious intent or no meaningful motivation at all. In any case, they are unpredictable, and therefore difficult to mitigate. Thus, a key theme throughout the discussion was the importance of being proactive, across people, process and technology, in terms of reducing insider threats and responding when an incident occurs. Below are the key takeaways discussed on our panel.
For a long time, cybersecurity professionals took a ‘fortress’ approach to their defenses, focusing on building a strong perimeter around their organization. But with the great migration to remote work, that changed almost overnight. The perimeter approach no longer accounts for employees dispersed across hundreds or thousands of network connections and personal devices, making employee education, access controls and governance more imperative to overall security.
Further, instances of employee fraud, cyber attacks, data breaches and exploitation of employee data are becoming larger, more severe and more frequent. For example, from the beginning of 2020 to the third quarter of 2021, ransomware attacks increased by 151%. And the Resilience Barometer mentioned earlier found that 81% of business leaders agree a growing number of criminals are exploiting financial systems.
We group insider actors into three categories: rogues, who intentionally misuse their access to steal data; klutzes, who contribute to or cause a data leak by accident; and pawns, who have no malicious intent but are manipulated by another internal or external party.
Rogues are motivated by numerous factors, or as in the example of the rogue CTO, they may have no rational explanation for their actions. However, for many, it’s for financial gain, either to sell IP or other sensitive data or use it for their own ventures. In other cases, employees go rogue if they are disgruntled about something or leaving their employer on bad terms.
Conversely, a klutz simply may not know they are doing anything wrong. We’ve encountered numerous cases in which a departing employee transfers files from their work computer to a USB drive before leaving. Oftentimes, the employee isn’t trying to take company data, only the personal files they stored on their work computer. Nevertheless, however innocent these situations are, the perimeter around company data is undermined and risk is increased.
Phishing is likely the largest concern when considering the pawn (as well as klutz) category of insiders. They may be tricked into clicking on an email that allows malware or ransomware to enter the network, or they may be targeted with spear phishing or business email compromise tactics that coerce them to share sensitive documents or take some other exploitative action.
We supported an Australian government agency in an investigation into a business email compromise attack that took place early in the pandemic while employees were isolated at home. A cyber criminal had found entry into the organization’s email system and spent a significant amount of time orchestrating a convincing impersonation campaign for one of the agency’s finance managers to redirect payments. At the time, the finance team was dealing with adjusting to new systems for remote work and because they were working from home, they couldn’t easily ask each other about the reasons for the payment changes being requested in email. Eventually their suspicions were raised, and we were engaged to help remediate the issue. The case is a prime example of how fraudsters are taking advantage of our current environment to steal money and information.
Information governance (IG) and cybersecurity have become inextricably connected, and strong governance can go a long way in reducing the risk of insider attacks. Data minimization (identifying and disposing of unnecessary, legacy and redundant data) is a fundamental IG best practice. In and of itself it functions as a security measure because an organization can’t lose what it doesn’t have.
Similarly, it’s impossible for an organization to protect what it doesn’t know it has. So, data mapping to identify where sensitive information is stored is critical. With that insight, the most sensitive information can be prioritized for extra protections and data loss prevention controls can be configured specifically to instances of IP, trade secrets, personal information, etc.
While employees may be a source of risk, they are also the first line of defense in protecting the company against outsiders and fellow insiders. This is why creating a culture of compliance, through incentives and enforcement, is critical. In addition to a cultural basis for protecting company data, employees need regular, engaging training and education to understand the landscape of threats and their individual role in preventing a loss of sensitive data. Moreover, remember that most employees are not a threat and should be treated with trust and respect. Addressing morale and being transparent about policy and technology decisions that impact employees day-to-day can go a long way in reducing the risk of an inside job.
When employees value and understand the importance of protecting data, and have been provided with clear communication about the penalties they and the company may face for noncompliance, this essential first line of defense becomes stronger. And when legal, compliance, governance and security teams recognize how moments of change and challenge can heighten employee sensitivity to internal and external motivations to exploit company information, their ability to enforce policy and detect concerning patterns likewise becomes stronger. It is this combined strategy across people, process and technology that will provide a resilient posture against all types of insider threats.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
Managing Director and head of U.K. Cybersecurity, FTI Consulting
Managing Director and head of U.K. Digital Forensics & Investigations, FTI Consulting
Tim De Sousa
Senior Director, FTI Consulting
Senior Director, FTI Consulting