3 Main Motivators Behind Malicious Insider Threats Have Shifted - Tecbound Technology

Cybercriminals and their tricks aren’t the only threat to a company’s systems and data. As organizations work to fortify their defenses against a wide array of persistent and emerging cyber threats, they must pay attention to every threat vector, including the homegrown kind. The threat posed by employees, contractors, or partners with access to sensitive information is a multifaceted challenge that every company faces. Most insider threats come from well-meaning employees making mistakes or simple negligence. However, every company has to consider that, at some point, they may have to contend with a malicious insider. Exploring how an employee becomes a malicious insider and the way the motivations of malicious insiders have shifted in the last few years can help companies gain a deeper understanding of malicious insider threats.

How does an employee become a malicious insider?

No one ever wants to believe that someone on their team would ever do more harm than good. But unfortunately, it’s not uncommon for employees to go rogue. While not every malicious insider incident ends in a data breach, reviewing research into the causes of data breaches can offer insight into the problem. According to Verizon’s Data Breach Investigations Report 2023, there are three primary reasons an employee becomes a malicious insider.

  • Money: About 89% of malicious insiders are motivated by money. Money-motivated employees may sell their credentials to an Initial Access Broker (IAB) or sell data on the dark web. This is a 19% increase in this category compared to 2022. The challenging global economy may be a contributing factor to that increase.
  • Revenge: An estimated 13% of malicious insiders have revenge against their employer in mind when they act. Disgruntled employees might do destructive things, like deploy ransomware into their company’s systems. The damage can be catastrophic, especially if the vengeful employee has privileged access.
  • Espionage: About 5% of malicious insiders are engaged in corporate espionage. They might disclose company secrets to a rival, provide cybercriminals insider knowledge about a company’s defenses, or steal intellectual property. However, there has been a 20% drop in this motivator since 2022.

Top concerns about malicious insiders and their actions

Ponemon Institute’s Cost of Insider Threats Global Report highlighted the moves that malicious insiders are most likely to make. Data theft tops the list, whether exfiltrated via email or downloaded. About 45% of employees download, save, or send work-related files before leaving. This happens most frequently in the tech, financial services, business consulting, and management sectors. Employees who have given notice that they are leaving a company are at significant risk of stealing data like intellectual property – 70% of insider intellectual property thefts occur within 90 days of an employee’s resignation.

How do malicious insiders make money?

Money will forever be the biggest motivator for any criminal, and a malicious insider is no exception. Here are some of the ways that employee bad actors can profit from a company’s misfortune:

  • Misusing their credentials: A malicious actor might use their (or someone else’s) credentials to access sensitive information or to give access to systems and data to someone who shouldn’t have it. In the Verizon Data Breach Investigations Report 2023, researchers determined that malicious insiders caused 406 data security incidents via privilege misuse, and 288 resulted in data disclosure.
  • Selling their credentials: Money-motivated malicious insiders can make a tidy sum by selling their credentials on the dark web. While an average legitimate corporate network credential costs between $2,000 and $4,000, selling a privileged credential is much more lucrative. Desirable privileged credentials can go for upwards of $120,000.
  • Peddling data on the dark web: Data is currency on the dark web. Personal data reigns as the hottest data type on the dark web, followed by medical data in second place. Employees can also profit from selling proprietary data like formulas, research (especially medical research), and corporate secrets. About 45% of employees download, save, or send work-related files before leaving.

Don’t ignore these warning signs of malicious activity

While every malicious insider has unique motivations, some actions or behaviors should be viewed as red flags since they often indicate the possibility of an employee carrying malicious intent. Employees recently laid off, demoted, or terminated are significant risks to a company’s security. Over 90% of adverse insider incidents are preceded by employee termination or layoff.

Suspicious behaviors like these are also red flags that can indicate a malicious insider:

  1. Downloading or accessing large amounts of data.
  2. Mishandling passwords.
  3. Adding unauthorized privileges to their user account.
  4. Sending proprietary information to their private email accounts.
  5. Installing unauthorized software and applications.
  6. Feeling that they are under unnecessary stress and unappreciated.
  7. Having severe financial problems.

Source: ID Agent
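The red flags above that leave a trace in audit logs (items 1, 3 and 4) can be checked automatically and weighted by the 90-day resignation window mentioned earlier. The Python below is an added example, not part of the original article or ID Agent's material; the event fields, users, mail domains, thresholds and scoring are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: field names, users, domains and thresholds are assumptions.
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
BASELINE_BYTES = {"alice": 40_000_000, "bob": 55_000_000}  # typical daily download volume
DEFAULT_BASELINE = 50_000_000                              # used when a user has no history
RESIGNED = {"alice": date(2024, 3, 1)}                     # HR feed: resignation dates
EVENTS = [
    {"day": date(2024, 3, 4), "user": "alice", "type": "download", "bytes": 900_000_000},
    {"day": date(2024, 3, 4), "user": "alice", "type": "email", "to": "alice.p@gmail.com", "attachments": 3},
    {"day": date(2024, 3, 4), "user": "bob", "type": "download", "bytes": 60_000_000},
    {"day": date(2024, 3, 5), "user": "bob", "type": "priv_change", "target": "bob", "approved": False},
    {"day": date(2024, 3, 5), "user": "bob", "type": "email", "to": "carol@example.com", "attachments": 1},
]

def flags_for(event):
    """Return the red flags a single event raises (items 3 and 4 of the list)."""
    if event["type"] == "email" and event.get("attachments", 0) > 0:
        domain = event["to"].rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_MAIL:
            return ["private_email"]           # item 4: files sent to a private mailbox
    if event["type"] == "priv_change" and event["target"] == event["user"] and not event["approved"]:
        return ["self_granted_privilege"]      # item 3: unapproved change to own account
    return []

def score_users(events, multiplier=10, window_days=90):
    """Aggregate flags per user; the score doubles inside the resignation window."""
    flags, daily, last_seen = defaultdict(set), defaultdict(int), {}
    for e in events:
        flags[e["user"]].update(flags_for(e))
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["day"]), e["day"])
        if e["type"] == "download":
            daily[(e["user"], e["day"])] += e["bytes"]
    for (user, _day), total in daily.items():
        if total > multiplier * BASELINE_BYTES.get(user, DEFAULT_BASELINE):
            flags[user].add("bulk_download")   # item 1: far above the user's own baseline
    report = {}
    for user, found in flags.items():
        if not found:
            continue
        resigned = RESIGNED.get(user)
        near_exit = resigned is not None and abs((last_seen[user] - resigned).days) <= window_days
        report[user] = {"flags": sorted(found), "score": len(found) * (2 if near_exit else 1)}
    return report

if __name__ == "__main__":
    for user, result in score_users(EVENTS).items():
        print(user, result)
```

Comparing download volume to each user's own baseline, rather than a fixed size limit, keeps roles that routinely move large files from flooding the queue.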
