Employee attrition comes with risks. Employees unhappily parting ways with the company pose a risk to data and intellectual property that can ultimately result in financial loss. According to the 2022 Insider Risk Report from workforce cyber intelligence and security company DTEX Systems, there was a 72% increase in actionable insider threat incidents in 2021. Of these, 75% were committed by remote workers.
Then came 2022 with its challenges, including the great resignation, wherein employees quit in search of better pay and benefits, work they were passionate about, and the ability to work remotely, or to escape poor working conditions. In Q3 2022, 12.44 million Americans quit their jobs, according to the U.S. Bureau of Labor Statistics. In the same quarter, consulting firm Kroll Holdings noted in its Q3 2022 Threat Landscape report that 35% of all unauthorized access incidents were insider threats.
Nick Tausek, the lead security automation architect at Swimlane, told Spiceworks, “The statistics vary, but all seem to agree that insider threats (both intentional and unintentional) have increased significantly in the past few years as mobile devices, working from home on personal devices, and the sophistication of phishing and other attacks increase.”
While employee discontent may lead thousands of employees to quit during the great resignation, the percentage of employees that can become disgruntled with their organization could be far higher if they are unceremoniously asked to leave.
Operational overreach during the initial pandemic years, combined with recent macroeconomic woes, led 1,046 tech companies to lay off 161,061 employees in 2022, Layoffs.fyi data indicates. So far in 2023, 417 companies in the tech sector have handed pink slips to 119,034 employees.
DTEX Systems’ 2022 Insider Risk Report noted that 56% of organizations had an insider data theft incident resulting from employees leaving or joining other companies. So it isn’t hard to imagine that an employee who has been fired could resort to payback by taking some company data with them to leak, sell, or offer it to their new company for competitive advantage.
Often, employees privy to an organization’s data may exfiltrate it before resigning or before their employment at the organization is terminated. Case in point: Block’s (formerly Square) peer-to-peer payment (P2P) service Cash App suffered a leak of the data of 8 million users when an employee left the company.
Block didn’t say if the former employee was disgruntled with the company, but they certainly had the drive, the access, and the skills to depart with company data.
Who is an Insider? When Do They Become an Insider Threat?
Any person employed by a company or a person with access to relevant company information, such as a vendor, is an insider.
An insider can become an insider threat either intentionally or unintentionally. The unintentional insider becomes a threat often because an external threat actor tricks them into opening a malicious package or clicking a phishing link.
An intentional insider becomes a threat when they believe the organization has wronged them. “In general, they are often highly passionate, highly motivated people, who started out loving the organization, but then either because of financial reasons or a perceived wrong, turned against the organization,” explained Roger Grimes, data-driven defense evangelist at KnowBe4, to Spiceworks.
Tausek told Spiceworks that it is difficult to predict when an insider becomes an intentional insider threat and laid out some associated red flags. Insider threat indicators include:
- Repeated vocal dissatisfaction with the organization or its policies
- Financial duress
- Unexplained sudden financial gain
- Beginning to work unusual hours
- Beginning to access work resources from unusual locations/systems
- Unexplained access to critical or restricted resources, especially if copying/duplicating data
Adding to Tausek’s point, Chris Clements, VP of solutions architecture at Cerberus Sentinel, told Spiceworks that “any employee whose morale is affected has the potential to become an insider threat.”
Clements suggested organizations check whether any of the coworkers they fired were friends of the potential insider threat. “It could be fear of a future layoff that could affect them that leads them to try to take as much sensitive information with them as possible. There’s also the incentive for financial gain by being recruited by ransomware gangs to give them initial access into the organization’s protected network in exchange for a cut of the extortion proceeds,” Clements added.
Can the Recent Layoffs Give Rise to Insider Threats?
“Yes, certainly a passionate employee who feels unfairly wronged or fired is more likely to become a threat after they are separated from an organization,” Grimes added. “But I’m sure the vast majority of separated employees don’t become threats to their employer even if they feel the separation of employment was unearned or wrong.”
Clements continued that the sheer number of employees being asked to leave can be a tad worrisome. “Scale is definitely a concern,” Clements said. “Normal employee offboarding processes that work well enough during normal employee churn can quickly become overwhelmed during a mass layoff.”
“This creates a dangerous situation where key items fall through the cracks, such as employee account credentials not being deactivated or company devices with sensitive information not being reclaimed.”
While the majority of those fired are unlikely to become insider threats, Tausek pointed out that layoffs of thousands will ring alarm bells among those staying with the company, “who will reasonably wonder about their job security,” Tausek said. “This provides motive to:
- Intentionally harm the organization as retaliation
- Collect documentation of activity the employee disagrees with for use as whistleblowing or mudslinging material
- Capture copies of projects, tools, and other intellectual property for use at future positions.”
What’s at Risk?
Well, it depends on the level of access the employee has. Additionally, the type of data that each organization collects and stores varies. Still, Clements highlighted that information that can cripple or severely damage an organization’s competitive advantage, including proprietary processes, source code, or other trade secrets, is more likely to be exfiltrated.
“Other targets could be sensitive if not secret info like workplace culture or salary information,” Clements added.
Additionally, critical assets, including file shares, cloud drives, and security infrastructure, could be threatened, according to Tausek.
It is important to understand that while exfiltration can cause reputational, technological, and financial losses to organizations in the long term, it can also be detrimental to short-term operational strategy, especially if the data is encrypted using a ransomware strain. “I think the worst type is when the data is made unavailable (e.g., ransomware), and this makes the impacted organization unable to operate,” Grimes opined.
Grimes goes on to highlight the importance of protecting confidential customer data, which, as the case of the 2015 Experian data breach indicates, can have long-lasting implications. “How many of us still think of our data being breached when Experian’s name is mentioned?” Grimes said.
“As a company, Experian’s revenue recovered quite fast and they spent hundreds of millions of dollars to better protect customer data, but reputational issues still linger. Is that causing them not to get the same level of revenue they would have otherwise gained in the same time period following the very public breach? We’ll never know.”
Insider Threats Can Collaborate With Ransomware Gangs
One would think that former employees fired amid the ongoing tech layoffs, who no longer have access to organizational systems, have no way of helping ransomware gangs in their pursuit of disruption to earn a buck or two. Think again.
“A disgruntled employee or former employee will likely possess operational and cultural knowledge that can be used to formulate a convincing phishing campaign or facilitate attacks on infrastructure,” Tausek explained.
Tausek noted that the emergence of ransomware-as-a-service (RaaS) also makes it easy for insider threats with a bone to pick to phish for targets using ransomware or other malicious payloads. A successful hunt can entail the split of ransomware proceeds between the ransomware gang and the disgruntled ex-employee who creates and propagates the campaign.
However, the threat doesn’t end there with former employees. Employees still on the payroll but concerned about their job security could be easy targets for ransomware gangs to manipulate into offering a way into the organizational networks.
“Some ransomware gangs routinely reach out to existing employees of organizations and offer bribes for them to place ransomware on their employer’s computers. This is a fairly common offer and one that is often made out on publicly accessible sites,” Grimes said. “I’m not sure how many employees have actually placed ransomware and received a payout, but I’m fairly certain it’s non-zero.”
Insider Threat Protection
According to Clements, insider threats can be difficult to detect because the perpetrators, more often than not, exploit the legitimate privileges and access they routinely use.
“Consider that the overwhelming majority of cybersecurity breaches are only detected when an organization is contacted by third parties, usually security researchers or law enforcement, to inform them they have been breached or through an unmistakable event such as ransomware encrypting their data,” Clements noted.
However, insiders can face hurdles if they resort to malicious ways, including a lack of technical understanding of internal systems and the possibility of legal ramifications if caught.
“Cybercriminals are often professionals whose job is breaking into victim companies, and usually operate with impunity by being in jurisdictions outside the bounds of their victim’s countries. Insider threats may start with the inherent advantage of legitimate access, but that advantage quickly disappears once professional cybercriminals gain a foothold,” Clements continued.
It is the company’s job to make an insider hit job as difficult as possible. Organizations can undertake certain operational and technical measures to neutralize insider threats.
Operational steps to thwart insider threats
Being dismissed from work can be a significant event, especially when undertaken as a cost-cutting measure due to external factors. So treating the affected employees as humanely as possible is the first thing to remember.
“In order to prevent disgruntlement from an operational or cultural perspective, employers can offer generous severance packages to laid off employees, especially including continuing their health insurance (in markets like the U.S. where health insurance is tied to employers) and other benefits to reduce the trauma of being laid off and also acknowledge and thank the employees for their service to the organization,” Tausek suggested.
However, it is equally crucial to have insider threat awareness and understand that employee discontent can also brew over time. This is why employers need to “work aggressively ahead of time making sure the employee is as happy and satisfied as they are while working at the organization. This includes making them feel valued, engaged, appropriately rewarded, and treated fairly (even when all that has been done but they don’t agree),” Grimes said.
Beyond that, companies can also do background checks on new employees to ensure they do not have a history of employment issues. Psychological quizzes are another way of determining if a new employee can become a future insider threat.
Once onboarded, managers should be well-versed in identifying employee grievances. “Managers should be trained to recognize the early signs of an employee feeling negative toward the organization and how to best respond to prevent those negative feelings turning into negative actions,” Grimes said.
“It usually doesn’t happen in a vacuum,” he continued. “Most insider threats actually verbalized to other employees and often management about their feelings of being wronged by the organization before they went rogue. Managers should be taught how to best prevent an employee from feeling wronged (and that includes making the employee feel valued, heard, and feeling fairly treated).”
“Train your managers to recognize the signs of an insider threat (detection) and how to prevent good employees from feeling wronged and increasing the chances that a good employee will turn into an insider threat. It usually doesn’t happen in a vacuum.”
Technical steps to thwart insider threats
Technology can go a long way in securing organizations from falling victim to insiders. An organization’s solution stack should be consistently implemented with appropriate access controls to minimize unnecessary information sharing.
From a technical perspective, Tausek advised organizations to undertake the following steps to reduce the risk of employees stealing data or sensitive information:
- Principle of least privilege for access to sensitive information
- Strong critical asset knowledge and protection
- Good mobile device management, including the ability to remotely wipe or disable systems/partitions associated with the organization
- Locking down removable media and peripherals on devices
- Locking down personal cloud account access
- Strong monitoring of cloud bucket permissions and rights
- Enhanced monitoring of employees pre- and post-termination
Grimes cited the importance of not having shared credentials for multiple users. “It’s super important for all employees to have separate logon credentials (versus shared logon credentials) while employed so they can’t use someone else’s credentials to more easily avoid detection if they are doing something malicious. Employers should also ensure that all logon credentials are suspended for separated employees at the appropriate time,” he said.
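The offboarding gaps Clements and Grimes describe (credentials left active during a mass layoff, shared logons that hide who acted) can be checked by reconciling the HR separation roster against a directory export and logon records. This is an added example, not code from the article or from any vendor quoted in it; the account names, field names, finding labels and sample records are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (hypothetical names): HR roster, directory export, logon log.
SEPARATIONS = {"avega": "2023-03-01T17:00", "bchen": "2023-03-01T17:00"}
ACCOUNTS = [
    {"name": "avega", "owners": ["avega"], "enabled": False},
    {"name": "bchen", "owners": ["bchen"], "enabled": True},
    {"name": "svc-reports", "owners": ["bchen", "dpatel"], "enabled": True},
    {"name": "dpatel", "owners": ["dpatel"], "enabled": True},
]
LOGINS = [  # (account, time of successful logon)
    ("avega", "2023-03-01T09:12"),
    ("bchen", "2023-03-02T23:41"),
    ("svc-reports", "2023-03-03T02:05"),
    ("dpatel", "2023-03-03T08:30"),
]

def ts(value):
    return datetime.fromisoformat(value)

def audit(separations, accounts, logins, as_of):
    """Return sorted (finding, account, detail) tuples for offboarding gaps."""
    findings = set()
    cutoff = {}  # account -> earliest effective separation among its owners
    for acct in accounts:
        gone = [o for o in acct["owners"] if o in separations]
        if not gone or not acct["enabled"]:
            continue  # no separated owner, or already suspended
        when = min(ts(separations[o]) for o in gone)
        if when > ts(as_of):
            continue  # separation not yet effective; nothing to suspend yet
        cutoff[acct["name"]] = when
        if len(acct["owners"]) > 1:
            # Shared logon: disabling one person does not revoke their access.
            findings.add(("SHARED_CREDENTIAL_NEEDS_ROTATION",
                          acct["name"], ",".join(gone)))
        else:
            findings.add(("STILL_ENABLED_AFTER_SEPARATION", acct["name"], gone[0]))
    for name, when in logins:
        # A logon on a shared account cannot be attributed to one person.
        if name in cutoff and ts(when) > cutoff[name]:
            findings.add(("LOGIN_AFTER_SEPARATION", name, when))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SEPARATIONS, ACCOUNTS, LOGINS, "2023-03-04T00:00"):
        print(*finding)
```

The `svc-reports` logon is flagged even though a current employee still co-owns the account, because with a shared credential the record cannot show which owner signed in.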