In the last year, several major developments in international affairs have taken center stage: the rapid and chaotic withdrawal of U.S. troops from Afghanistan, the invasion of Ukraine by Russia, and continuously rising tensions in the Indo-Pacific region, including the South China Sea and escalatory actions by North Korea. The increasing destabilization of the geopolitical ecosystem elevates concerns of potential threats to businesses and critical infrastructure in the United States.
Fortifying an organization’s cybersecurity to guard against attacks from external malicious actors continues to be an essential focal point for businesses that operate in and with the U.S. Frequently overlooked as a main target of cyber attacks, though, are the employees who, whether willingly or not, have themselves become key risk vectors. These employees are often targeted by attackers based on their role in the organization and their real or perceived ability to access sensitive or valuable data.
There has been a marked rise in traditional nation-state spying. Russia has proven to be especially aggressive, recruiting a number of non-Russian nationals to spy on its behalf. Russian espionage and cyber warfare efforts have increased dramatically in the past decade.
This rise in both frequency and sophistication of nation-state spying is certainly cause for alarm. Mitigating risks can be challenging when any employee with knowledge of breach points or access to privileged information can be construed as a potential threat. Just last summer, a security guard at the British embassy in Berlin was detained by German police and accused of collecting sensitive information for more than a year with the intent to share it with Russian authorities.
Moreover, insider recruitment is not limited to state actors. Earlier this year, the LAPSUS$ ransomware group was recruiting insiders willing to sell remote access to major technology corporations and ISPs that would enable downstream access to “crown jewels” such as source code.
The troubling reality is that even valued and proven employees who have been thoroughly and properly vetted could one day decide to trade their profession and integrity for profit. Once that line is crossed, the threat grows exponentially. In addition to having access to sensitive information that can be traded or sold, these insiders may also be uniquely aware of the company’s security measures, and thus may be able to circumvent them in ways that are harder to detect.
In February of this year, a U.S. Navy nuclear engineer pled guilty to attempts to sell classified submarine information to a foreign country. In his law enforcement interview, he said he evaded detection for so long because he had been specifically trained to identify the warning signs of a malevolent insider threat and knew how to avoid arousing suspicion.
The rules of engagement have changed. Foreign adversaries no longer simply target American governmental institutions, as was the case during the Cold War. Today, they use their increasingly sophisticated intelligence capabilities against a much broader set of targets, including critical infrastructure and other private sector and academic entities. Given that so much of U.S. advanced technology is developed outside of government and in the private sector, bad actors will often try to zero in on vulnerable employees who can be leveraged for information or access.
Implementing a company-wide continuous evaluation system can provide an organization with the highest levels of defense against exploitation of employees by bad actors. With an appropriate level of awareness, management can remain alert to anomalous behavior or other signs that an employee is experiencing financial or personal stress. These risk factors, among others, may indicate whether an employee is susceptible to manipulation or bribery by criminals seeking to steal from, harm, or defraud their company. Conversely, signs of new wealth may indicate that an employee has already crossed the line and is reaping the financial benefits.
It is vital for organizations to frequently examine and address their entire risk surface. Dangerous threats can be external and internal. Whether they are a nation-state, criminal, or terrorist organization or simply an unscrupulous competitor, adversaries are actively seeking to find and exploit insiders for their own gains. Detecting unusual or inconsistent behavior early allows management to intervene and preempt any criminal activity, preserving the security and integrity of the employee as well as the company.
Insider attacks can happen without malice; malice does not always have to be the reason for a cyberattack. A threat actor can target an otherwise loyal employee based on his role or access level and coerce him into breaching the company’s security on behalf of an external third party.