
You May Be an Insider Threat

It’s always hard when the finger is pointing back at us. But sometimes, it is.

If the well-cited Verizon 2022 DBIR stat is to be believed (I sure do), then 82% of all data breaches involve us humans flubbing up in some way. Statistically speaking, it’s hard to imagine that all those incidents are done by ‘that guy’. We have to shoulder some of the blame.

But it’s a landmine out there. Make one wrong step and you could be exposing your multi-million-dollar corporate employer to criminals on the internet, all without knowing it. Here are some ways we may already be the unwitting inside threat.

The more you know.

  1. Using insecure networks while working remotely. This is a big one. The ‘work from anywhere’ economy has been a boon for our free time, family life, sense of balance, and even productivity. But not our security. Trusting each remote employee – no matter their department – to have the vigilance of an “IT department of one” is just unrealistic. Up until several years ago, none of us had to worry about a thing beyond keeping our login password safe. Now, a host of security pitfalls await the remote worker, starting with which network you use. Don’t use a public network – that should go without saying – and if you do, use a VPN. Your company should provide you with this. Also, secure your home Wi-Fi with everything from a randomly generated password (password managers can do this) to MFA. It may seem like too much, but you don’t want the neighbor that hacks your router for Netflix to accidentally get access to more than they should.
  2. Passing credentials or files to a trusted colleague that shouldn’t be shared. “Hey, can you Slack me your Box login? I just have to upload something to the team project, and I locked myself out.” The answer to that should be, “No.” Perhaps with some handy emojis or nuance to soften the edge, but the point is the same. First of all, scammers could easily be impersonating your colleague. Second, threat actors hack messaging (and email, and online storage) accounts and search for critical data like credential slips, so never give them that chance. Third, trusting anyone else with your password – or sensitive data they themselves can’t access – is just generally unsafe and trends far away from the principle of ‘zero trust’. It’s a dog-eat-dog security world out there and understanding the risks should make both parties more understanding when simple favors (that we did back in the early 2000s) just can’t be done anymore. It’s not personal. It’s just not safe.
  3. Chatting about projects may lead to a competitive edge. Threat actors have web crawlers out there that just accumulate information and mine it for the good stuff. Be careful of what you share, either with colleagues on LinkedIn or with a friend via text. Cyberspace is vast and now, more searchable than ever. Never leak anything that reveals how your company makes more money than others – the “secret sauce”. Again, this should be fundamental, but you’d be surprised. Part of the attitude that gets small businesses breached (in record numbers) is “I’m too small to hack” and “Nothing I have is of enough value to put me at risk.” Wrong. Hackers can go a mile on an inch, so even if you think that cool detail about the new release is just a fun fact, it might give them the edge they need to compete or lead to architectural understanding that results in a breach down the road. Be careful.
  4. Using unapproved software on work devices. Shadow IT is a real thing. For those of you who don’t know what this is, you might be the flight risk. Any time a department downloads a piece of software or tries a new application – from an innocent workflow platform to an HR tool to a graphic design studio to free photos – that needs to be reported to IT. Why? Because each piece of software is a living organism that is susceptible to its own vulnerabilities, generates its own traffic, integrates with its own (potentially unknown) APIs, needs its own keys rotated, and creates its own problems. New technologies are great. But when they’re installed willy-nilly by any which team (or even member) within an organization, the resulting liability web spreads far and wide. Each tool widens the attack surface. Each needs to be accounted for. Legitimate tools are hard enough to keep track of; don’t compound the problem by downloading personal apps on a work device. We all want to know what we’d look like if we were 80 years old, but a bit of harmless fun – particularly with little-known app developers or unvetted software tools – can lead to wild vulnerabilities, unpatched bugs, and big problems down the road. Don’t be that employee. In the autopsy of a breach, they will find you.
  5. Supplying company data to generative AI models like ChatGPT or Bard. This is a problem for our time. Let’s face it; ChatGPT is cool. It’s zany, it satiates our curiosity in an impressive and weird way, and “we’re here for it.” Fine. But we need to be here for keeping our day jobs and staying savvy, too. Generative AI tools – like ChatGPT, Bard, Microsoft Bing AI, and others – can inadvertently give away precious artifacts due to the nature of how they collect data. That discussion deserves a whole other blog in itself, but for now, just know that the risk is so bad, a trend of Fortune 500s is forbidding their employees to use it at work. Security firm Cyberhaven notes that “Our own research found that over the first five months of ChatGPT’s adoption, corporate employees were triggering literally thousands of “data egress” events weekly, sharing everything from confidential data to source code and client data.” Yikes. Be very, very careful about what you share with AI models and how you manage downstream companies that do. They suggest being discreet and implementing AI monitoring tools, to start.
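The credential slips from point 2 and the "data egress" events from point 5 are the kind of thing a simple outbound-message check can surface even before a DLP product is in place. The Python below is an added example, not code from this post or from Cyberhaven; the message events, secret values, keyword lists and entropy threshold are all constructed for illustration and would need tuning against real traffic.

```python
import math
import re
from collections import Counter

# Constructed sample of outbound messages (chat and AI prompts); not real traffic.
SAMPLE_EVENTS = [
    {"id": "m1", "channel": "slack", "text": "can you Slack me your Box login? I locked myself out"},
    {"id": "m2", "channel": "slack", "text": "sure, password is Tr0ub4dor&3"},
    {"id": "m3", "channel": "ai_prompt", "text": "debug this: API_KEY=CONSTRUCTED0123456789abcdef"},
    {"id": "m4", "channel": "ai_prompt", "text": "Summarize: INTERNAL ONLY Q3 pricing roadmap"},
    {"id": "m5", "channel": "slack", "text": "lunch at noon?"},
]

# A password handed over in chat: "password is ...", "pwd: ...".
PASSWORD_SLIP = re.compile(r"(?i)\b(?:password|passwd|pwd|passcode)\b\s*(?:is|[:=])?\s*\S{6,}")
# A labelled secret pasted into a prompt: "API_KEY=...", "client_secret: ...".
NAMED_SECRET = re.compile(r"(?i)\b[\w-]*(?:secret|token|api[_-]?key)[\w-]*\s*[:=]\s*\S{12,}")
# Classification markers (constructed list) that should never reach an external model.
CLASSIFICATION_MARKERS = ("confidential", "internal only", "do not distribute")

def shannon_entropy(s):
    """Bits per character; random keys sit well above English words (about 3 bits)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def high_entropy_tokens(text, min_len=20, threshold=4.0):
    """Bare key-shaped strings that carry no 'secret=' label at all."""
    candidates = re.findall(r"[A-Za-z0-9+/_\-]{%d,}" % min_len, text)
    return [t for t in candidates if shannon_entropy(t) >= threshold]

def scan_message(channel, text):
    """Return finding labels for one outbound message; an empty list means clean."""
    findings = []
    if PASSWORD_SLIP.search(text):
        findings.append("CREDENTIAL_SLIP")
    if NAMED_SECRET.search(text) or high_entropy_tokens(text):
        findings.append("SECRET_TOKEN")
    # Only prompts sent to an external model count as egress for classified text.
    if channel == "ai_prompt" and any(m in text.lower() for m in CLASSIFICATION_MARKERS):
        findings.append("DATA_EGRESS")
    return findings

def scan_events(events):
    """Map each flagged message id to its findings, e.g. for a weekly egress report."""
    report = {e["id"]: scan_message(e["channel"], e["text"]) for e in events}
    return {msg_id: findings for msg_id, findings in report.items() if findings}
```

Note that the request in m1 ("can you Slack me your login?") is not flagged; only the reply that actually hands over the password is, which is the moment the post says to answer "No."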

It’s a wild world out there. The more technology complexifies, the more it’s incumbent on us employees (security-savvy or not) to watch our step.

Author Bio

An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.  
