Published on August 8th, 2018 | by Kevin McTiernan
The Increased Insider Threat Risk in a Booming Economy
The US economy is booming and, if you have been watching, it has been reflected in the job market. Our usual exposure to the job market as it pertains to the economy is related to the unemployment rate. The July 2018 number was 3.9% – the lowest in 18 years. Another, less discussed measure is the “quits rate”, which is the rate of workers who voluntarily leave their job to find a new one. This past May, The Bureau of Labor Statistics reported that the quits-rate for the public sector increased from a seasonally adjusted rate of 2.5% in May of 2017 to 2.7% in May of 2018 and continued an upward trend from the low of 1.4% in September of 2009. The importance of this number is that it indicates that workers feel comfortable enough with the state of the job market that they are willing to quit their current jobs and take a leap on a new position. For businesses, the rosy job market compounds the challenges – filling open positions while trying to replace experienced employees. However, this shift can also represent a great risk to the future of their firm – the risk of Insider Threats.
There are many reasons why someone would move on from their job such as, new challenges, career growth, more money or maybe they are just seeking a change of scenery. They were good employees and you are sorry to see them leave. However, there are the few who are leaving and intend on cashing in on your proprietary information or worse, causing harm to your business on the way out. Yes, the numbers are few, but all it takes is one malicious insider to jeopardize your firm.
The FBI provides some of the reasons why someone becomes an Insider Threat in their brochure, those include: greed or financial need; anger or revenge; problems at work; ideology or identification; divided loyalty; adventure or seeking a thrill; vulnerability to blackmail; ego or self-image; ingratiation; compulsive and destructive behavior; and, family problems. The risks due to reasons such as ideology, ego, loyalty and vulnerability to blackmail are consistent regardless of the economy – an employee that would leak or steal primarily for that specific reason reason would do so regardless of job market. Financial gain, revenge and problems at work are enabled and accelerated by a booming economy – you need a new job if you’re going to torpedo your current employer. And, with the job options and global economy, there are abundant employment opportunities and competitors looking to fast track R&D with stolen information.
Just in recent weeks we have seen stories on employees leaving a job and becoming an Insider Threat.
Here are some examples:
Ex Apple employee charged with stealing self driving car secrets – A former Apple employee downloaded a plan for a circuit board used in a self-driving car and was arrested at the airport on his way to China. He was going to work for a Chinese self-driving startup and was reportedly planning to use the plans for a bounty or to shortcut design.
Elon Musk emails employees about ‘extensive and damaging sabotage’ by employee – Allegedly, a former Tesla employee, upset over not being promoted, “had conducted quite extensive and damaging sabotage to” Tesla’s operations… and exported “large amounts of highly sensitive Tesla data to unknown third parties”.
Engineer Found Guilty of Stealing Navy Secrets via Dropbox Account– An engineer who was working on Navy underwater drone and NOAA weather buoy technology as an employee of LBI, Inc., left for a similar position at CRA. Just prior to quitting his job at LBI, the employee was proven to have uploaded 5,000 work-related files to his personal Dropbox account (some were sent by email).
Ex-IBM Employee Guilty of Stealing Secrets For China – A developer pled guilty to stealing the trade secrets of IBM’s clustered file system while he was an employee. The employee stole the software to provide to an agency of the Chinese government. He also was caught in an FBI sting trying to sell source code.
Six Fitbit employees charged in Jawbone trade secrets case – Six current and former employees of Fitbit were charged with possessing trade secrets from rival, Jawbone. The employees had all previously worked for Jawbone.
And, just in the past two days, reports have come out about an employee of Cree Inc.(a market leading innovator in LED lighting), who reportedly took 32,000 files comprising “virtually all there is to know about something the company’s been working on for 30 years.” The value put on the intellectual property contained in those files has been placed at $100 Million. The theft was only discovered when a MicroSD card was found on the sidewalk on the Cree campus. It is unclear whether the employee transferred the information to a competitor.
The above examples represent a number of exposures to an organization and ways the exposure is discovered. In the case of the IBM and Apple employees, law enforcement was investigating and were able to intercede before any damage could be done. These cases are rare as they will typically involve foreign state actors and/or involve national-security technology or information. The Cree, Tesla, Jawbone and LBI examples represent the more common case where what the insider took is only known after the fact. In the case of Jawbone, they are out of business. And, it seemed that in Elon Musk’s letter, he was eluding to a SpaceX accident being related to the insider. In Cree’s case, the damage is not known yet.
Before discussing how to spot an insider, here’s a brief view of what an Insider Threat looks like. Again, referencing the FBI brochure, some of the warning signs are, taking sensitive information out of the workplace or unnecessarily copying information; unauthorized access to materials or interest in areas outside of their work responsibility – especially those of interest to foreign entities or competitors; remote access to systems while on vacation, sick leave or working at odd hours where supervision is low; communications with competitors; and, unauthorized searches or downloading confidential information. Some items from the FBI’s brochure require training of employees and managers to spot, but what of the others? One example, is tracking of off-hour activities. In Cisco’s 2018 Cybersecurity Reports, researchers profiled 150,000 users of cloud-service providers in 34 countries in the first half of 2017. The in-depth analysis of the transactions resulted in 0.5% of the transactions being flagged as suspicious. Of these suspicious transactions, 62% were in off-hours, 40% on weekends. How can you spot these behaviors quickly and react?
SS8 Insider Threat Detection (ITD)
Monitors every byte from every flow on your network at key aggregation points, providing visibility to all communications on your network. ITD detects suspicious behaviors, such as data hoarding or off-hour usage and malicious insiders moving around on or moving data off your network, all in real time. Every event is stored in our Security Analytics engine to provide years of hi-fidelity history and recursive analytics as new behaviors are found. Capture and forensics tools help your team investigate behaviors and secure evidence. The Intuitive search and visualizations provide your investigators with the insight to act. SS8’s nearly twenty-year legacy in the law enforcement and intelligence space is reflected in the optimized workflows and analytics in SS8 ITD.
Are you sure that none of your departing (or new) employees are a threat? If you don’t know, just contact SS8 Networks to gain visibility.
Kevin is responsible for leading the vision, design, and delivery of SS8’s government solutions, including the Xcipio compliance portfolio. His deep knowledge of the telecommunications and network security industries spans 20 years, with extensive experience in the areas of cyber security, network forensics, big data, fraud detection, and network monitoring.