Welcome to the third installment of our Threat Actor Profile series where we analyze the main categories of actors that represent a threat to your organization. This series is designed for executives. Because we understand the unique roles and responsibilities of executives, and corporate leadership, we’re focused on cyber risk as an enterprise risk—and help explain it without getting lost in the weeds. Our fourth threat actor group are insider threats.
Click here to read our previous posts, on Nation State Actors, Cyber Criminals, and Hacktivists.
Threat Actor Profiles: Insider Threats
Cyber attacks conjure images of black hat hackers and external network penetrators. But, for one class of attackers, breaking into your organization’s network isn’t necessary.
Insider threats represent members of your organization that leak or distribute sensitive information. The insider threat can come from any individual affiliated with your organization – including employees, former employees, contractors, and business associates. To fulfill their duties as employees, these individuals need access to information. Unfortunately, these credentials can be easily abused to harm your organization.
Insiders target any information that is valuable. In the competitive industries of technology and transportation, perhaps no information is more valuable than the intellectual property behind self-driving cars.
You Wouldn’t Download a Car…
In 2013, Google invested $250 million in the ride-sharing app Uber. Today, both tech giants are involved in a legal battle that’s disrupting the disruptors.
Earlier this year, Google’s autonomous vehicle division, known as Waymo, filed a 28-page suit against Uber in the U.S. District Court of San Francisco. The suit alleges that a team of ex-Google employees “downloaded over 14,000 highly confidential and proprietary design files for Waymo’s various hardware systems” a few weeks before leaving the company. Uber denied these claims, calling them “a baseless attempt to slow down a competitor.”
The design feature in question is the critical Light Detection and Ranging system, known as LiDAR: the part of a self-driving car that collects and interprets information in real-time. This system, which is also used to pilot drones, is notorious for being expensive to purchase and time-intensive to develop. Google was working to code its own LiDAR system, which would reduce the overall cost of a self-driving car by 90%.
At the center of the suit is one individual: Anthony Levandowski. In January 2016, after nine years as a Google employee, Levandowski left Google’s self-driving car project to found Otto, a self-driving vehicle start-up. Uber acquired Otto six months later in a deal reportedly valued at $680 million. This suspicious timeline isn’t the only evidence. According to Google, Levandowski allegedly downloaded special software onto his company laptop to exfiltrate the design files from Google’s servers.
While the legal battle between Uber and Google is ongoing, what is clear is that insider threats can harm business operations especially when insiders have access to proprietary information.
Executive Actions and Considerations
Insider threats are most notable because they are difficult to detect and prevent. Although some experts contend that identifying and monitoring disgruntled employees is possible, this strategy can quickly become expensive and burdensome. Despite the difficulty, there are a few steps organizations can take to protect themselves against insider threats.
- Enforce Separation of Duties. Separation of duties introduces redundancy into daily operations by requiring two people to perform important or highly sensitive tasks. Separation of Duties ensures that a single person does not have full control over sensitive operations.
- Enforce Need to Know. Limit employees’ access to data and limit their ability to change that data. Give employees the bare minimum amount of information and permissions needed to perform their job duties.
- Enforce Mandatory Vacations. An employee who is well-rested and happier is less like to turn against the organization. (Perhaps true.) But more importantly, periodic vacations serve as an opportunity to audit employees and investigate potential fraud.
- Establish Policies and Procedures Focus on Prevention. Chaos is the enemy of security. Standard, clear, and enforceable policies and procedures communicate to employees what is and is not allowed.
- Remember the “accidental insiders.” While the Google case is an example of a malicious insider threat, not all insiders set out to cause chaos for selfish reasons. Employees with the best intentions can be manipulated or duped into revealing data by malicious actors. Your employees are your organization’s greatest asset and greatest vulnerability. The best way to protect yourself from an accidental insider is to make sure your employees are aware of cyber risks and prepared to mitigate them.
When constructing a risk management strategy, companies must know their threats. To learn more about how to build and execute a risk management strategy that considers the diverse threats organizations face, join us at our Cyber Resolve seminar in NYC on May 1. Prefer private training for you and your fellow members of the C-Suite? Contact us. We’ll bring the education to you