Security threats from within an organisation (i.e. insiders) are generally recognised as being the hardest to protect against. That is because employees and other authorised individuals legitimately need access to their organisation's network, applications or databases for their particular roles. Where employees have privileged access to systems, such as IT staff with ‘admin’ rights, the risk can be even greater because they will not be subject to the same controls as ordinary users.
Preventing legitimate and authorised users from going rogue is an ongoing challenge for employers. A recent sentencing at Reading Crown Court is a cautionary tale involving an IT security analyst who piggybacked off a ransomware attack in order to try to extort his employer. While the organisation’s efforts were focused on external attackers, the threat posed by this trusted insider could easily have been overlooked.
Kicking the employer while its systems are down
In 2018 a publicly listed gene and cell therapy company based in Oxfordshire suffered a ransomware attack. Having accessed company systems, the attacker sent an email to senior members of the company reportedly demanding a six-figure ransom payment.
One of the company's IT security analysts, together with other colleagues, worked with the police to investigate the incident. The analyst, however, had an ulterior motive: he seized the opportunity and used that information to try to divert any eventual ransom payment to himself instead of to the original attacker.
The IT analyst did this by accessing senior board members' emails and setting up an email address that looked almost identical to the attacker's original email address. Using that email address, he then pressurised the business into making the payment and provided his own payment details instead. This is a take on business email compromise, a scam in which a criminal sends an email that appears to come from a known source and makes a seemingly legitimate request to transfer funds.
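As an added illustration (not code from the original article), these are the two checks a defender could run over an incident's email thread to catch the pattern described above: a sender address that nearly matches an earlier correspondent, and payment details that change part-way through the thread. All addresses, names and wallet strings are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample thread: the original extortion email, a legitimate board reply,
# and a later message from a near-identical address giving different payment details.
MESSAGES = [
    {"from": "darkpayments@protonmail.example", "subject": "Payment instructions",
     "body": "Send 0.5 BTC to wallet 1AttackerWalletXYZ within 48 hours."},
    {"from": "cfo@biotech.example", "subject": "Re: Payment instructions",
     "body": "We are reviewing your demand."},
    {"from": "darkpayment5@protonmail.example", "subject": "Re: Payment instructions",
     "body": "Change of plan. Send 0.5 BTC to wallet 1InsiderWalletABC instead."},
]

# Crude matcher for the constructed wallet identifiers used in the sample bodies.
WALLET_RE = re.compile(r"\b1[A-Za-z0-9]{8,}\b")


def similarity(a, b):
    """Case-insensitive similarity ratio between two addresses (1.0 = identical)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def find_lookalikes(messages, threshold=0.9):
    """Flag senders that closely resemble, but do not equal, an earlier sender in the thread."""
    seen, alerts = [], []
    for idx, msg in enumerate(messages):
        sender = msg["from"].lower()
        for prior in seen:
            if sender != prior and similarity(sender, prior) >= threshold:
                alerts.append({"index": idx, "sender": sender, "mimics": prior})
        if sender not in seen:
            seen.append(sender)
    return alerts


def find_payment_changes(messages):
    """Flag messages whose payment identifiers differ from those first seen in the thread."""
    first, alerts = None, []
    for idx, msg in enumerate(messages):
        found = set(WALLET_RE.findall(msg["body"]))
        if not found:
            continue
        if first is None:
            first = found
        elif found != first:
            alerts.append({"index": idx, "new": sorted(found), "original": sorted(first)})
    return alerts
```

In practice the same comparison would be run against the organisation's known-contact list as well as the thread itself, so that a lookalike of a supplier or board member is caught, not only a lookalike of an attacker.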
Ultimately, the company refused to make the ransom payment. The IT analyst's unauthorised access to emails was discovered and traced back to his home address where various devices were seized. Although he had attempted to wipe his devices days before his arrest, the information was recovered. Five years later, the case went to trial and the IT analyst pleaded guilty to blackmail and unauthorised access to a computer with intent to commit other offences. He has been jailed for three years and seven months.
The stark reality of insider threats
Incidents related to insider threats are remarkably commonplace. A 2022 global report by the Ponemon Institute showed that 67% of companies experienced more than 21 insider-related incidents per year. That report also showed that the negligent insider is the root cause of most incidents (56% of those it assessed). However, criminal or malicious insider-related activity still makes up a significant proportion of incidents (26%).
Where insiders act with malicious intent, incidents will often involve theft of business-critical or sensitive data such as intellectual property, trade secrets, customer or employee personal data, as well as fraud or extortion. Other threat types include espionage, harassment, and sabotage.
Insiders and ransomware
It is not unusual for the terms ‘insider’ and ‘ransomware’ to be mentioned in the same sentence, as is the case here. It is, however, usually a question of collaboration between the insiders and ransomware gangs rather than competition. Indeed, employers have long been concerned about disgruntled employees being the chink in the armour, offering cyber criminals access to their networks or data via darknet forums.
Ransomware gangs have, however, gone one stage further in their collaboration efforts with insiders. Rather than just buying illicit access to employer networks, they have been known to engage in email campaigns directed at employees offering them a percentage of the ransom. All the employee has to do is to launch the malware in their employer’s IT network.
In a recent survey of 100 IT and security executives, over 65% of respondents said that they or their employees have been approached to assist in aiding ransomware attacks. Other brazen recruitment efforts include a ransom note left by a notorious ransomware group with this invitation: "Would you like to earn millions of dollars? Our company acquire [sic] access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company."
Mitigating the insider threat
Clearly there is a choice to make, and an unhappy employee might not need too much convincing. Research is reported to have shown that most insider threats come from employees who, until only 3-4 weeks previously, had been perfectly loyal and committed. This case is a salutary reminder that a trusted employee can turn into someone who is motivated to damage their employer. Financial gain has been shown to be the most common primary motivation, with revenge being the least common. However, general disaffection with the employer is a contributory factor in many of the cases.
The case is also relatively unusual because all three of the most common threats faced by organisations feature in a single incident: insiders, ransomware, and business email compromise (‘BEC’). The reality is that whilst ransomware payments grab headlines, BEC represents by far the biggest financial loss tied to cybercrime. Insider threats are also often overlooked, with organisations instead spending thousands on external threats rather than on developing insider threat programmes.
Any such programme needs to be grounded in a strong security culture and managed holistically by a single accountable owner who seeks input from across the organisation to build a more complete picture of risk. To be effective, behavioural monitoring used to identify and respond to indicators of risk needs to take place in that context. The monitoring must also comply with legal and regulatory requirements, especially data protection and privacy laws, under which a data protection impact assessment will often be required. Simply investing in expensive technical tools without having the right people, policies, processes and structures in place is likely to provide only cosmetic assurance.
This risk-based, holistic approach is reflected in the following wise words on “the evil within” offered by Verizon: “So love your employees, bond at the company retreat, bring in bagels on Friday, but monitor the heck out of their authorized daily activity, especially ones with access to monetizable data (financial account information, personally identifiable information (PII), payment cards, medical records).”
Ransoms: should I pay?
As a post-script, it is worth noting that the attack in this case took place pre-GDPR, so its mandatory breach reporting provisions and fines for non-compliance were not in play. With that in mind, the decision not to pay the ransom was perhaps easier. After the GDPR went live in May 2018, there was certainly an increased tendency to pay. These days, however, the perceived benefits of paying a ransom are more limited. As the UK Information Commissioner's Office reminds us: "paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data", and that "[the ICO] will not take this into account as a mitigating factor when considering the type or scale of enforcement action."