Insider threats – when an employee illegally discloses confidential information – are often the result of sophisticated social engineering. And, as we enter difficult economic times, the potential for this to happen increases.
But why are some employees encouraged to act illegally? And how can you prevent it?
How are insider threats created?
To understand how cybercriminals can turn employees against their company, it helps to look at how intelligence officers recruit spies. There are usually four steps:
- Spotting. This is when a cybercriminal will identify their target, based on the type of information they need. At this point, social engineers will look at online user profiles and network connections to work out whether a person can help them get the information they need.
- Assessing. It’s at this point that the social engineer will do more in-depth research to understand the target’s vulnerabilities. For this they often use social networks, where people tend to share personal information, to learn about specific stressors that could be manipulated. For example, a recent divorce, financial hardship, a toxic work culture, or strong political beliefs.
- Developing. This is when the cybercriminal builds trust with the target and begins to distort their perception of risk. Most people will not commit an illegal act voluntarily. They need to believe that the benefits of the act will outweigh the negative outcomes, and to rationalise their actions.
- Recruiting. After building trust with the employee, and getting them to reframe their perspective on a particular action, the social engineer can then get the target to disclose confidential information from their company.
How to prevent insider threats
The most important way to prevent these types of attacks is to educate your employees. Everyone has vulnerabilities, so it’s important that they know malicious actors could try to exploit them. Tesla successfully prevented an insider threat after one of its employees was approached by someone who tried to persuade them to install malware on the company’s network in exchange for $1m. Thanks to awareness training, the employee was not enticed by this, and instead reported it to Tesla’s insider threat team.
It is also worth encouraging employees to consider what they are posting on social media, and how this might provide information that social engineers can use. Finally, it’s important to build trust among employees. Those who are happy at work and feel valued by their employers are less likely to turn against them.