Home-Grown Trouble: Five of the Biggest Insider Threats of 2023

1: The Pentagon leaker:

The US Department of Defense has a history of whistleblowing incidents that have seriously disrupted US military planning and intelligence gathering. But few have been as damaging as the classified Pentagon and CIA documents shared by a 21-year-old solider in the Massachusetts Air National Guard. Hundreds of documents reveal US spying operations against nominal allies and, perhaps most damaging, detailed assessments of Ukraine’s armed forces and operations. This was no act of whistleblowing but one of apparent arrogance and naivety by a young man looking for bragging rights over co-members of a Discord group.

“It’s about measuring behaviour,” ConnectWise CISO, Patrick Beggs, tells Assured Intelligence.

“If CISOs are not employing machine learning and behavioural analytics across their platforms and users, they are behind the game. Hyper-automation technology helps measure what’s normal behaviour for any machine or environment, human-operated or not.”

2: Microsoft’s AI researcher:

This recent tale of insider error is at the other end of the spectrum to the Pentagon leaks. The culprit: a Microsoft researcher who misconfigured access to a 38TB trove of AI information. It included personal employee data, passwords, secret keys for Microsoft services, and over 30,000 internal Microsoft Teams messages from 359 employees. Not only could the security snafu theoretically have provided threat actors access to the sensitive information, but they would also have had the rights to delete or overwrite these files.

Skillsoft CISO, Okey Obudulu, tells Assured Intelligence that machine learning can help identify anomalies, although the shift to remote work has added significant complexity to risk mitigation efforts.

“Whether it’s employees leaking data by leaving unprotected data wide open or colleagues discussing sensitive data on an unsecured app, identifying and differentiating between accidental, negligent, and malicious insider threats can be complex,” he adds.

3: Tesla whistleblowers:

Unlike the Pentagon leaker, the two former Tesla employees who leaked highly sensitive corporate information to a German newspaper earlier this year fit the whistleblower mould perfectly. Although the files reportedly contained personal information on around 76,000 current and former employees, including Elon Musk’s Social Security number, the paper wasn’t interested in those. The real reason for the leak was to reveal what they considered a serious corporate cover-up of safety issues with Tesla vehicles. The story – revealing internal reports of self-acceleration issues, braking problems and “phantom stops” – could have had a severe reputational impact on the EV giant.

“While whistleblowers are motivated by different things, be it money, emotions or geopolitics, they often show their behaviour early on. Security teams should put enhanced data loss prevention (DLP) controls on sensitive user groups,” argues ConnectWise’s Beggs.

4: NHS WhatsApp data sharers:

Shadow IT is a serious problem for many organisations – so much so that the National Cyber Security Centre (NCSC) recently published guidance on managing the threat. Whilst it appears pretty innocuous alongside some of the other cases on this list, using unsanctioned devices and services can severely impact compliance programmes and impair IT’s ability to monitor and secure data flows. That’s the decision data protection regulator the Information Commissioner’s Office (ICO) made after reprimanding NHS Lanarkshire staff for sharing patients’ personal and clinical information, including images on over 500 separate occasions.

Although the WhatsApp group was initially set up to help staff communicate during the early days of the pandemic, it wasn’t approved for sharing patient data. The trust was lucky to escape without a massive fine.

“Mitigating these risks requires proper monitoring and governance,” Skillsoft CISO, Okey Obudulu, tells Assured Intelligence.

“When it comes to shadow IT, CISOs should conduct a risk assessment and develop policies for employees around corporate use before making any app available to download. These policies must be clear and prescriptive, supplemented with training that ensures every employee understands best practices.”

5: The worst-case scenario, Nickolas Sharp:

Perhaps the most egregious example of an insider threat is the case of former Ubiquiti engineer Nickolas Sharp. He was sentenced in May to six years in prison for stealing tens of gigabytes of confidential data, demanding a $1.9m ransom from his former employer, and then publishing the data when his demands were refused. To make matters worse, he posed as a whistleblower, alleging Ubiquiti had mishandled and downplayed the breach he perpetrated, planting false reports which cost the firm a loss of over $4bn in value.

Sharp apparently executed his plan out of sheer greed, having already lined up another job elsewhere before stealing the data in question. As a software engineer, he went to great lengths to hide his tracks and was only discovered after an internet outage temporarily took offline the VPN he was using to stay hidden.

Better communication between IT and other teams can help to mitigate malicious threats like this, says ConnectWise’s Beggs.

“CISOs should work with these teams to identify any behavioural challenges employees may be having, undertaking enhanced monitoring if needed,” he argues. “Cross-office collaboration provides a better understanding of departure motivations, helping alert security teams if access needs to be terminated.”

Skillsoft’s Obudulu adds that IT should continuously review access privileges across files, tools and systems.

“This will ensure only relevant people have access to important information such as financial records,” he argues. “Given nearly one-third of employers have suffered a website hack due to ineffective offboarding, CISOs also need a proper strategy to revoke administrative access and deactivate accounts during the offboarding process.”