Super Malicious Insiders Responsible for a Third of All Insider Security Incidents

“The Super Malicious Insider is a technically proficient employee who is acutely aware of an organization’s cyber security architecture, solutions, and processes.”

Last Updated: February 18, 2022

While there’s an alarming rise in the number of insider risk incidents across industries, the 2022 Insider Risk Report from DTEX Systems has uncovered the threat posed by the Super Malicious Insider. This new malicious remote working employee persona was responsible for nearly a third of internal security hit jobs in 2021.

Insider risk has plagued organizations across all sectors, enabling data leaks, IP theft, and financial loss. But the extent to which employees can damage the security fabric of organizations has always been overlooked. At least, that’s what DTEX Systems discovered through the 2022 Insider Risk Report.

Amid the shift to remote and hybrid work, incidents of industrial espionage touched an all-time high in 2021. Organizational security is also becoming more vulnerable to risk as the remote worker frequently engages in psychosocial behavior, that is, behavior shaped by the social factors acting on an individual's mind and conduct.

In the case of teleworking employees, psychosocial characteristics are expressions of their psychological development influenced by their social, cultural, and transposed work environment. DTEX Systems assessed that an escalation in human psychosocial behaviors had given rise to a new breed – the Super Malicious Insider.

A Super Malicious Insider is different from the everyday malicious employee, a negligent one or a compromised one. DTEX Systems defines the Super Malicious Insider as “a technically proficient employee who is acutely aware of an organization’s cyber security architecture, solutions, and processes and who understands both the technical and human analyst limitations in detecting insider threat indicators.”

Super Malicious Insiders are trained in cybersecurity and are familiar with data loss prevention, activity monitoring, manipulation through social engineering, and more. They also understand the organization’s cyber security posture and technology stack. “Thus they are better equipped to behave normally within their environment because they recognize the specific configuration of their organization’s defenses,” the report said.

The difference between a malicious, a negligent, and a Super Malicious Insider is explained below:

[Figure: Malicious, Negligent, and Super Malicious Insider | Source: DTEX Systems]

“Risk does not imply malicious intent. That is reserved for insider threats – those employees, vendors or partners who plan and execute actions to steal or release data or sabotage corporate systems,” DTEX noted. “Not every insider risk becomes an insider threat; however, every insider threat started as an insider risk.”

Motivations can be financial, stealing for a future employer, revenge, or simply having a criminal mindset. They may also collaborate with external threat actors.

The report revealed that the Super Malicious Insider has already made a considerable dent in the security posture of organizations and is responsible for almost a third (32%) of malicious insider incidents. This is backed by the fact that 75% of insider threat criminal prosecutions involved remote workers.

Super Malicious Insiders are pretty smart and may use burner email accounts (43% increase), conceal identities through open-source intelligence (OSINT) techniques, and avoid detection by abstaining from using MITRE ATT&CK techniques (96%) such as initial access, privilege escalation, credential access, defense evasion, lateral movement, etc.

Compared to the activities of Super Malicious Insiders, reining in careless/negligent or malicious incidents seems like a walk in the park. Unfortunately, those are also on the rise. In 2021, data loss incidents associated with users taking screenshots during confidential Zoom and Microsoft Teams meetings rose by 200%.

Remote work has also blurred the lines between corporate and personal devices, and as a result employees used corporate assets for non-work activities more than 300% more often in 2021 than in 2020. Employees routinely perform personal activities on corporate devices, including accessing email, social media, online shopping, stock trading, and even surfing the dark web to purchase drugs.

Additionally, employees may feel the need to settle personal scores with an organization that they believe denied them a deserved promotion or salary bump, or caused their health to deteriorate. These disgruntled workers may take customer lists, product plans, financial data, and other intellectual property, resulting in data loss. Some 56% of organizations suffered data loss due to theft.

Obviously, not all employees will have the drive, the access privilege or even the skills to steal company data. But if Super Malicious Insiders are any indication, things certainly aren’t looking up. Even Code42, a data loss prevention company, observed a 40% year-on-year rise in data exposure events in H1 2021. IP and other data theft contributed the highest at 42% of all the incidents.

[Figure: Insider Threat Incidents | Source: DTEX Systems]

Technology (33%), critical infrastructure (24%), and government (11%) were the three sectors most impacted by super malicious incidents in 2021.

Overall, DTEX Systems detected a 72% increase in actionable insider threat incidents in 2021 from 2020. “If any company thinks they don’t have an insider risk problem, they aren’t looking,” said Rajan Koo, the chief customer officer at DTEX Systems. “The addition of the super malicious persona in this year’s report provides a wake-up call that traditional cyber security tools, such as DLP, UBA, and UAM, are actively being avoided or circumvented by those with sufficient technical skill and malicious intent.”

Note: The 2022 Insider Threat Report is based on data from 4,500 insider incidents and hundreds of DTEX User Threat Assessments from DTEX customers and prospective customers globally. It includes data from organizations based in North America, Western Europe, Oceania, distributed across financial services, critical infrastructure, manufacturing, government, pharma & life science, technology, media, healthcare, and retail. The number of employees working in these organizations varies from a few hundred to over 50,000.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
