Insider threats: How turncloaks and pawns can bring your business down

Article | October 2020

The biggest risk to your business comes from external threat actors, right? Those hackers squirreled away in their bedrooms or underground bunkers, surrounded by blinking servers and large screens with scrolling code? Wrong. As much as popular culture likes to push the image of the lone-wolf coder skillfully hacking into your company’s systems, the fact is that many cybercriminals have help from the inside. We call those employees who facilitate cyberattacks “insider threats” and they represent an ever-growing problem for organizations. In fact, according to the Verizon 2020 Data Breach Investigation Report, almost a third of attacks in 2019 involved internal actors. 

Types of insider threat

Insider threats can be roughly divided into two main groups: the “turncloaks” and the “pawns”. As the name suggests, turncloaks are those prepared to turn on their employers for various reasons, though financial gain is the most common motive. While it is tempting to label all turncloaks as malicious insiders, some are driven to cybercrime by a sense of civic duty (e.g. whistleblowers) or due to economic difficulties. According to Michael Hamilton, former CISO for the City of Seattle, the recession caused by the coronavirus pandemic has resulted in more employees being willing to disclose confidential information in return for cash. 

Pawns constitute the other main group of insider threats. Although they assist with the attack, they are unwilling participants, i.e. they are consciously or unconsciously manipulated by hackers to breach company security. This manipulation can take many forms, from persuading an employee to execute malicious code on their computer to blackmailing them into divulging sensitive data. Though pawns may seem significantly more innocuous than turncloaks, in reality they constitute a much greater threat. After all, it is much easier to identify an employee acting suspiciously than one who lacks the knowledge or awareness to avoid social engineering attacks launched by external threat actors.

Famous real-world examples

Insider threats are not just a vague, formless risk to your business — every day turncloaks and pawns facilitate or carry out cyberattacks that cost organizations dearly. This summer, social media platform Twitter suffered one of its worst ever data breaches when a hacker took over hundreds of accounts and posted fraudulent requests for Bitcoin transfers. Though it is not yet known whether an employee carried out the entire attack single-handedly or leaked information to an external actor, it is clear malicious insiders played a key role in the breach.

Twitter is not the only multinational in recent years to fall victim to a cyberattack executed by its own employees. In 2016, a Google employee downloaded 14,000 confidential files to personal devices before leaving the company. He then used this information to launch his own startup which was quickly acquired by Uber. And in 2018, a “disgruntled” Tesla employee allegedly disrupted operations at one of the company’s electric car plants and transferred sensitive information to unknown third parties. If tech companies are not immune to insider attacks, no organization is.

Identifying malicious insiders

Although it is impossible to detect every internal threat actor, there are some warning signs you can look out for. However, it is important not to jump to any conclusions or, worse still, to create a culture of denunciation in the office. Think it’s strange that Rose from Accounts is always working late? It’s much more likely that the manager has piled on the pressure than that she’s siphoning off financial data to pass on to company rivals.

Nevertheless, odd behavioral traits such as a tendency to stay in the office out of hours, complain about coworkers, or violate company policy could offer evidence that all is not well. An employee’s digital conduct can also hint at an insider threat on the horizon. For example, a worker who frequently accesses and/or downloads large amounts of sensitive data, requests user privileges for information outside their job function or crawls organization networks for data should probably be treated with suspicion. Similarly, employees who take home confidential company documents, use unauthorized storage devices or unnecessarily copy proprietary information could constitute a threat to your business.

Seeing as a false accusation of turncloaking could cause significant emotional distress and even legal issues, the best way to address insider threats is by preventing them from materializing in the first place.

Guarding against insider threats

Protecting your organization from internal threat actors starts with establishing security protocols. Decide who should have access to what data and put in place a strict access privilege policy to ensure sensitive information is protected. Ensure all employees are familiar with data security rules and make it clear what the consequences of breaching these regulations are — this can prove an effective deterrent to would-be turncloaks. You can also use cybersecurity tools and software to monitor data access and use so that you are immediately alerted to any suspicious behavior. Ensuring employees do not take any sensitive information or proprietary software/hardware with them when they leave is an important measure as well.
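As an added example (not part of the original article), the digital warning signs listed earlier and the monitoring advice above can be turned into simple detection logic run over data-access logs; the log events, the role-to-data policy and the thresholds below are all constructed and hypothetical.

```python
from collections import defaultdict

# Constructed sample access-log events (not real data). Each event records who
# accessed what: "category" is the data classification, "bytes" the transfer size.
ACCESS_LOG = [
    {"user": "rose", "role": "accounts", "category": "finance", "resource": "gl-q3.xlsx", "bytes": 1_500_000},
    {"user": "rose", "role": "accounts", "category": "finance", "resource": "ar-aug.xlsx", "bytes": 800_000},
    {"user": "sam", "role": "engineering", "category": "source", "resource": "repo/app", "bytes": 40_000_000},
    {"user": "sam", "role": "engineering", "category": "source", "resource": "repo/libs", "bytes": 35_000_000},
    {"user": "sam", "role": "engineering", "category": "personnel", "resource": "hr/salaries.csv", "bytes": 50_000},
    {"user": "ali", "role": "hr", "category": "personnel", "resource": "hr/contracts", "bytes": 10_000},
]
# "kim" touches many small, unrelated documents on a share: the "crawling" pattern.
ACCESS_LOG += [
    {"user": "kim", "role": "engineering", "category": "design", "resource": f"share/doc{i}", "bytes": 1_000}
    for i in range(25)
]

# Hypothetical least-privilege policy: which data categories each job function may access.
ROLE_ALLOWED = {"accounts": {"finance"}, "engineering": {"source", "design"}, "hr": {"personnel"}}


def detect_insider_indicators(events, role_allowed, byte_threshold=50_000_000, resource_threshold=20):
    """Return sorted (user, indicator) pairs for three behavioural indicators:
    access outside the user's job function, bulk download of data, and
    touching an unusually large number of distinct resources."""
    alerts = set()
    bytes_by_user = defaultdict(int)
    resources_by_user = defaultdict(set)
    for ev in events:
        user = ev["user"]
        # Unknown roles get an empty allow-list, so they are flagged (deny by default).
        if ev["category"] not in role_allowed.get(ev["role"], set()):
            alerts.add((user, "access outside job function"))
        bytes_by_user[user] += ev["bytes"]
        resources_by_user[user].add(ev["resource"])
    for user, total in bytes_by_user.items():
        if total > byte_threshold:
            alerts.add((user, "bulk download"))
    for user, resources in resources_by_user.items():
        if len(resources) > resource_threshold:
            alerts.add((user, "crawling many resources"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, indicator in detect_insider_indicators(ACCESS_LOG, ROLE_ALLOWED):
        print(f"{user}: {indicator}")
```

In practice the thresholds would come from each user's or team's normal baseline rather than fixed numbers, and a hit is a prompt for review, not a conclusion.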

Finally, it is vital to create a culture of cyber-awareness within your organization. Employees who have the requisite knowledge and experience to identify threats are much less likely to become pawns in a cyberattack. Train and educate your staff and equip them with the tools to keep your business safe. Then you can focus your efforts on guarding against the whole host of other cyberthreats lurking on the horizon…