
Cyber Attacks By Insiders Result In Devastating Costs To Organizations Globally

Employees and contractors are likely to be repeat offenders

Steve Morgan, Editor-in-Chief

Northport, N.Y. – June 11, 2018

Who’s watching your network? You’ll probably respond with the names of people, products, and services that defend your organization from external cyber threats of all sorts – ransomware, DDoS attacks, and a slew of others. But who’s watching the employees and contractors who are already inside your network?

Ekran System, a cybersecurity company out of Herndon, Va., is focused on insider security solutions. We recently caught up with their CEO, Dennis Turpitka, to get the inside scoop on insider threats.

Is the insider threat the greatest cyber threat to organizations globally?

I would say it should certainly be considered a top 3 threat for any organization. While insider attacks are not currently as numerous as external ones (only one in five attacks in 2017 was committed by an insider, according to the 2017 U.S. State of Cybercrime Highlights by CERT), they remain highly devastating (the average cost of such attacks reaches $8.7 million according to the 2018 Cost of Insider Threats: Global Organizations report by the Ponemon Institute) and extremely complicated when it comes to detection and investigation. Multiplying probability by the potential loss, we determine it to be a very high to critical risk level.

Are insiders just employees, or can they be contractors, freelancers, suppliers and others with access to organizational information and login credentials to internal systems?

We consider any user that has authorized access inside the protected security domain perimeter to be an insider. These can be employees, contractors, outsourcers, consultants, auditors – any entity or individual who has been provided credentialed access to your sensitive data and is trusted by your guard towers is a potential threat. In these terms, (successfully) compromised accounts can also be considered insiders.

Without naming names, can you tell us about a real-world hack or data breach committed by an insider, and the damages that it caused to the victim (organization that was breached)?

So many stories to choose from, ranging from the world-famous Edward Snowden case to a small kindergarten in Germany concerned about an IT outsourcer’s administrator accessing children’s data.

Talking about big names, I really found the AT&T case to be quite alarming. In 2013-2014, employees in several of their offshore call centers were accessing personal data of about 280,000 customer accounts without authorization and passing it on to third parties, who used it for unlocking stolen and resold phones. The Federal Communications Commission (FCC) obligated AT&T to pay a $25 million civil penalty.

Another popular topic is industrial espionage. Famous cases include the 2011 AMSC-Sinovel story, in which a head-hunted employee of AMSC, a clean-energy software company, left with the software code (he downloaded it to a remote computer before leaving). Sinovel, his new employer, obtained the technology from him without the need to pay the $800 million acquisition price. AMSC lost about $1.4 billion in market value. Another story with a similar plot was widely discussed in light of Google’s Waymo suing Uber for stealing self-driving technology, after a former employee allegedly downloaded thousands of files before leaving Google.

Why are so many cybersecurity solutions (both products and services) geared to outside threats, with the insider threat being what it is?

I think that there are several reasons behind it. First of all, while there is a growing and potentially unknown number of external threats, with new types appearing each year, businesses typically have a limited number of known insiders (or at least they think so). However, for larger corporations that may have thousands of employees, massive supply chains, auditors, etc., with privileged access, there is an exponential level of threat risk.

Second, businesses are often reluctant to proactively search for such solutions until they experience the first real breach from the inside. Insider threat programs typically involve overlapping responsibilities of several departments, including IT, security, compliance, and HR, who all have to work together. With multiple stakeholders across multiple departments, it’s not as easy to get buy-in for a preventative solution until it’s too late.

In your opinion, are the insiders that commit cybercrimes likely to be repeat offenders?

Definitely. One of the reasons why insider threats are so hard to detect is that insiders usually have the ability to cover their tracks. After one successful uncovered attack, an insider can even consider such activity to be a part of the “normal” opportunities he or she has at work. 

Inadvertent insiders can also be a constant risk source as long as their risky activity patterns are not detected and properly addressed. Security awareness, while helping to educate the uninformed, does not address the inadvertent threat.

One popular cybersecurity metric is ‘dwell time’ – the duration a cybercriminal has undetected access in a network until they are completely removed. The average dwell time ranges from 49 days to 150 days, according to various sources.

If you consider that employees and contractors are permanent residents inside your network, then you had better be watching them!
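The interview closes on two practical points: insiders who are "permanent residents" need watching, and dwell time is the metric that tells you how long you failed to do so. The following script is an added example written for this page; it is not code from the original article and not Ekran System's product. It runs three checks over a constructed access log: bulk record lookups by one agent measured against role peers (the call-center pattern from the AT&T case), bulk downloads in the window before a recorded last day (the pattern in the AMSC and Waymo cases), and dwell time from a flagged user's first logged event until their access was revoked. The user names, roles, dates, log format, window sizes and thresholds are all assumptions chosen for the example.

```python
"""Insider-activity triage over a constructed access log.

Added example for this page, not code from the original article or from
Ekran System. All users, roles, dates and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import median


def build_log():
    """Constructed log for the week of 2018-06-04. Record layout:
    (timestamp, user, role, action, object). Nothing here is real data."""
    log = []
    base = datetime(2018, 6, 4, 9, 0)
    for day in range(5):                       # five working days
        for user in ("alice", "bob", "carol", "dave"):
            for i in range(6):                 # normal agents: 6 lookups/day
                log.append((base + timedelta(days=day, minutes=10 * i),
                            user, "agent", "lookup", f"acct-{day}{i}"))
        for i in range(60):                    # eve: 60 lookups/day
            log.append((base + timedelta(days=day, minutes=2 * i),
                        "eve", "agent", "lookup", f"acct-e{day}-{i}"))
        for user in ("frank", "grace"):
            for i in range(2):                 # normal engineers: 2 downloads/day
                log.append((base + timedelta(days=day, minutes=30 * i),
                            user, "eng", "download", f"design-{day}{i}.pdf"))
    heidi_start = datetime(2018, 6, 8, 9, 0)   # heidi's last day is 2018-06-15
    for day in range(7):
        for i in range(8):                     # heidi: 8 downloads/day, 56 total
            log.append((heidi_start + timedelta(days=day, minutes=5 * i),
                        "heidi", "eng", "download", f"src-{day}{i}.zip"))
    return log


def volume_outliers(log, action="lookup", factor=5.0):
    """Peer comparison within a role: flag users whose count of `action`
    events exceeds factor x the median of their role peers. The median is
    used because a single heavy user barely moves it, unlike the mean."""
    counts = defaultdict(Counter)              # role -> user -> count
    for _ts, user, role, act, _obj in log:
        if act == action:
            counts[role][user] += 1
    flagged = {}
    for role, per_user in counts.items():
        if len(per_user) < 3:                  # too few peers for a baseline
            continue
        baseline = median(per_user.values())
        for user, n in per_user.items():
            if n > factor * baseline:
                flagged[user] = (n, baseline)
    return flagged


def pre_departure_downloads(log, last_days, window_days=14, threshold=20):
    """Flag departing users whose downloads in the `window_days` before
    their recorded last day reach `threshold`. `last_days` maps user -> date
    and would normally come from HR offboarding data (an assumption here)."""
    hits = {}
    for user, last in last_days.items():
        start = last - timedelta(days=window_days)
        n = sum(1 for ts, u, _r, act, _o in log
                if u == user and act == "download" and start <= ts.date() <= last)
        if n >= threshold:
            hits[user] = n
    return hits


def dwell_times(log, flagged_users, revocations, now):
    """Whole days from each flagged user's first logged event to the
    revocation of their access, or to `now` if access is still active.
    Unrevoked accounts are the ones that keep the dwell-time clock running."""
    first = {}
    for ts, user, *_ in log:
        if user in flagged_users and (user not in first or ts < first[user]):
            first[user] = ts
    return {user: (revocations.get(user, now) - start).days
            for user, start in first.items()}


def run_demo():
    """Run all three checks on the constructed log and return the findings."""
    log = build_log()
    last_days = {"heidi": date(2018, 6, 15), "grace": date(2018, 7, 31)}
    revocations = {"eve": datetime(2018, 6, 20, 17, 0)}   # heidi still active
    now = datetime(2018, 6, 25, 9, 0)
    lookups = volume_outliers(log, "lookup")
    departing = pre_departure_downloads(log, last_days)
    flagged = set(lookups) | set(departing)
    return {"lookup_outliers": lookups,
            "pre_departure": departing,
            "dwell_days": dwell_times(log, flagged, revocations, now)}


if __name__ == "__main__":
    for name, finding in run_demo().items():
        print(f"{name}: {finding}")
```

Each finding is a starting point for an investigation, not proof of wrongdoing: a peer-relative threshold catches the one agent doing ten times the lookups of colleagues, but a departing engineer may legitimately archive work, which is why the second check is tied to offboarding data rather than raw volume. The dwell-time figure for eve stops at the revocation timestamp, while heidi's keeps growing until someone actually disables the account.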

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.


Ekran System was established in 2013 by a group of experienced digital security specialists. In late 2013 the first official market version of Ekran System was released. The company, backed by the Commonwealth of Virginia (CIT funding via the MACH37 accelerator) and private investors, focuses on the development of insider security solutions and delivering them to customers worldwide via its global partner network.