What History Teaches Us About Today’s Insider Threats
While insider threat attacks continue to make waves in the news, the origins of insider threats go back decades and even centuries. Insiders have emerged in religious texts, insiders have brought down empires, and insiders have stolen money and information from various organizations. There are few industries or organizations that have escaped the threat from their own people at some point in history.
Let’s look at the history of insider threats and how their motivations have developed over time.
When Did Insider Threats Start Becoming a Problem?
Personal religious views aside, one of the world’s oldest monotheistic religions, Judaism, records a great fall from perfection not long after the creation of the world. What makes this fall more alarming is the idea of the threat coming from within, not from outside. For those unfamiliar with the story, an insider within the Garden of Eden enticed Adam and Eve to eat a forbidden fruit. Many other religions share similar versions of this story.
Numerous kingdoms and civilizations have also met their fate at the hands of insiders. Roman emperors were protected by an elite force known as the Praetorian Guard. Over time, the guards realized the power they held, and started assassinating emperors who were against them while establishing more advantageous political partnerships. Caligula (in 41 AD) and Galba (in 69 AD) are among the most infamous victims of assassination.
Insider threats within the financial sector have been around for centuries. Let’s go back to 1792, when a person by the name of William Duer was appointed as Assistant Secretary of the newly established U.S. Treasury. In his position, Duer was privy to financial information traders were unable to obtain. Having this level of inside access got to Duer, and he eventually left his position at the Treasury for a new career trading bank stocks. History identifies Duer as a person who saw nothing wrong with using this information to make money. Eventually, people caught on that Duer was trading with insider knowledge and he was sent to Debtor’s Prison. On his way to Debtor’s Prison, Duer kicked off a panic, as people realized they had lost all their money. This is the first instance of a U.S. stock market crash.
How Insider Threat Research Has Helped Pinpoint Motivations
Once people got a better sense of the types of insiders emerging over time, research on insider behaviors and motivations became a bigger priority to improve security. Current research on insider threats has built its foundation on research that came before it. Project Slammer was one of the earliest research programs supported by several federal agencies. The goal of Project Slammer’s research was simple – what motivates people towards espionage? Within counter-espionage circles, ideology (such as Communism) was typically identified as the leading cause to turn people into spies.
However, Project Slammer’s findings revealed that the cases of spies being motivated by ideology were outliers. Ideology was not a significant motivator in espionage cases, only influencing eight percent of espionage cases, while 52 percent were motivated by financial gains, and 18 percent were influenced by revenge. This research came at an opportune time. The number of espionage cases grew every year until it peaked in 1985 with six new, unique cases of espionage.
Current Insider Threat Research Confirms Common Motivations
Carnegie Mellon University’s Software Engineering Institute (SEI) has taken the lead on current insider threat research. Research results between Project Slammer and SEI research are supportive in nature, which is important because we can confirm that money and revenge are leading motivating factors that drive people to harm organizations. Research also shows insiders join organizations for legitimate reasons, but decide to turn against the organization for any number of reasons.
When it comes to money being a factor, insiders aren’t always looking to cause financial harm to an organization. They could be in a desperate situation. It’s easy to envision someone with a gambling addiction turning into an insider threat, but what about a person who has a family member with a life-threatening disease and mounting medical expenses?
Why Technology Alone Can’t Combat Malicious Insiders
All the knowledge the security community has gained from insider threat history and prior research confirms that technology alone can’t detect insiders. You need to understand who these actors are and what drives them to act. Unlike an external actor who can be detected through a tool, insiders live and breathe inside the organization. Only a portion of their behaviors can be assessed through a technology solution. The problem is a lot of organizations depend on their technology as the only solution to stop insider threats.
Consider this example. An organization wants to identify when customer and employee data leaves their network. To close that information gap, the organization employs Data Loss and Prevention (DLP) technologies. Knowing this technology is employed, the insider prints the critical data and proceeds to scan it and make a PDF copy. Finally, the insider emails the PDF to his or her personal account without triggering alarms from the DLP solution.
Was the DLP solution a failure? No, it was set up correctly and functioned properly. However, the insider knew a workaround that the PDFs would not be scanned by the DLP solution.
Ultimately, technology still plays a critical role in insider threat detection. Technology needs to be used to collect data points, detect patterns of abnormalities, and support an insider threat program. Technology combined with people and processes is the best strategy to tackle insider threats. As history and research has shown us, while tools can test behaviors, humans need to assess those behaviors.
Noah Powers is managing consultant at Delta Risk LLC, a Chertoff Group Company. Read more Delta Risk blogs here.