Keep your friends close and your employees closer: the rise of insider threats

According to a report by Intrusion, cybercrime will cost companies worldwide an estimated $10.5 trillion annually by 2025, up from $3 trillion in 2015. To put this into perspective, this is over double the revenue generated by the oil and gas industry, which generates approximately £5.3 trillion annually.

At a growth rate of 15 percent year on year, cybercrime is already one of the most profitable illegal occupations in the world, outstripping even the global drug trade. In fact, according to Intrusion’s research, cybercrime represents the greatest transfer of economic wealth in history.

For such reasons, Intrusion CEO, Jack Blount, views cybercrime as one of the most significant threats to present day business operations and economic prosperity.

“Cybercriminals know they can hold businesses — and our economy — hostage through breaches, ransomware, denial of service attacks and more. This is cyberwarfare, and we need to shift our mindset around cybersecurity in order to protect against it.”

Jack Blount, President and CEO at Intrusion, Inc.

But while this notion of cyberwarfare can certainly help us to take cybersecurity more seriously, it also cultivates the misleading perception that cybercrime is a black-and-white, good guys vs bad guys type situation, when a deeper look tells us otherwise. Recent research published in Cyber Security Magazine from IT hardware company, Apricorn, indicates that up to 70% of data breaches can be traced back to the actions of employees, i.e. result from insider threats.

Other findings further support the conclusion that insider threats are on the rise, with Verizon’s 2024 Data Breach Investigations Report (DBIR) finding that 76% of data breaches involved insiders in 2023, up from 74% in 2022. Along similar lines, Splunk’s 2024 State of Security Report found that 42% of security leaders are experiencing insider attacks with increasing frequency.

Insider threats can be malicious and intentional, or accidental. Either way, they can cost a company a huge amount, even leading to liquidation in some cases.

Reassuringly, the majority of insider threats are attributed to accidental mistakes made by employees. According to Verizon’s research in the DBIR, malicious insiders accounted for only 8% of data breaches. The remaining 68% of breaches involving insiders were unintentional and due to accidents or negligence.

Nevertheless, malicious insider attacks might be on the rise, with Apricorn’s research finding that of the 200 IT decision makers they surveyed, 20% cited intentional/malicious insider threats as the main cause of a data breach, only slightly fewer than the 22% who cited unintentional/accidental insider risk as the main threat.

While malicious insider attacks still account for just a minority of overall cyberattacks, they can be some of the most dangerous and vicious attacks, given that employees have insider knowledge of their company’s operations and greater access to their data. This means that they have the potential to exploit the company’s lesser known vulnerabilities and really hit them where it hurts.

Below, we look at the key appeals and motivations behind cybercrime in order to help businesses better understand and guard against malicious insider threats.

Common motivations

The motives of cybercriminals do not fall under a neat bracket. The occupation is an opportunistic one, with the potential payoff varying according to factors related to specifics of the company targeted and the data that is successfully extracted. Nevertheless, most cyberattacks have a financial component to them, with leaked data often being used as a leveraging tool for blackmail and extortion.

Besides the rich financial rewards of a juicy payoff, however, there are several other potential draws to the occupation.

  1. Cyber intelligence is now at the forefront of most important business operations. Cybercrime thus has significant appeal for individuals and groups who may have political or ideological agendas, and wish to impact society by sabotaging businesses and organisations in an anonymous and underhanded way. This motivation is commonly referred to as hacktivism, and would likely only be a motive for insider threats in cases where an employee was significantly opposed to the actions of their company or the direction it was going in.
  2. Cybercrime is really all about leveraging power through withholding or leaking data. This means that it may hold appeal for individuals who are seeking a level of control and power over an organisation that is beyond the realistic ambitions they might have for internal promotion and recognition. Personal vendettas, harboured resentments, and individual relationships can play into this motivation – research by Gallup finds that employees who feel that their manager is invested in their strengths are three times more likely to be loyal to the company.
  3. Cybercrime has the potential to expose or steal a business’ IP, proprietary information, and trade secrets. Thus, it plays a key role in corporate espionage, particularly in public sector industries where the data at stake is more likely to be highly confidential and may in some cases have broader international implications. Therefore, employees with significant external affiliations and loyalties may engage in cybercrime for this reason.

Splunk Security Strategist, Audra Streetman, shares further perspective on some of the factors and situations that could give rise to malicious insider attacks.

“There are several reasons why an employee might act intentionally or unintentionally as an insider threat. Intentional insiders may harbour personal grievances due to, e.g., being passed up for a promotion or other perceived slights. You could alternately speculate that an individual might be most inclined to harm the organisation when facing reprimand, demotion or termination. This could result in sabotage targeting an organisation’s physical or IT infrastructure. Malicious insider threats may also act for personal benefit, such as exfiltrating banking data for financial gain or even colluding with someone outside of the company to facilitate fraud or intellectual property theft. This is often accomplished through privilege misuse and in some cases, employees may be acting as a spy for outside governments.”

Audra Streetman, Security Strategist at Splunk SURGe

Previous cases of cybercriminals who have been caught indicate that these factors are big motivators of cybercriminal activity. This is clear to see in a Lawfare article written by Mark Vantanyan, which details the personal motivations of various individuals who were caught for cybercrime back in 2017. In particular, one of the case studies in this article highlights how an individual’s inclination towards cybercrime stemmed from a desire to prove their worth. This motive was then further accelerated by recruitment initiatives from hacking collectives.

As this case demonstrates, the motivations for cybercrime are likely to consist of multiple, interrelated factors. While recruitment initiatives from hacking groups are on the rise, this doesn’t necessarily mean that employees are more likely to take the bait, as Streetman additionally pointed out.

Nevertheless, it does mean that employees who already have some motivation for and inclination towards cybercrime might be more likely to actually go through with it. This is likely particularly the case for individuals who are motivated by recognition for their talents and feel undervalued within their company.

Stereotyping the cybercriminal

Stereotyping people can take us down dangerous and misleading paths. However, there are certain cases where stereotyping can help us identify and better understand a set of individuals whom we otherwise have little way of identifying.

In a LinkedIn article, cybercrime lawyer Bhagat Singh Sharma attempts to unearth the psychological make-up of cybercriminals, looking at some traits that perpetrators typically have in common. He highlights the following characteristics, most of which are shared with more general criminal profiles:

  • High intelligence
  • Lack of empathy
  • Narcissism and egotism
  • Low risk aversion
  • Tendency towards addictive behaviour

What really sets cybercrime apart from other criminal behaviour is the highly anonymized and flexible nature of the occupation, facilitated by the vast array of digital tools to manipulate and conceal identities online. As opposed to most other forms of crime, cybercrime can be carried out from the comfort and privacy of the perpetrator’s home, or even on the go.

This opens up cybercrime to a wider set of individuals than those who might carry out traditional crime. Even the most ordinary individuals, perhaps juggling a busy family life and full-time job, might be tempted to turn to cybercrime for financial gain.

Additionally, Sharma points out that cybercrime has a lower entry bar than traditional crime. This makes it more accessible to amateurs and youngsters who may take to it as a hobby/way to develop their digital prowess, or as a gateway crime to whet their appetite for further criminal behaviour.

Last but not least, a key facet of cybercrime which makes it appealing to a broader range of people is the lower risk associated with it – cybercriminals are far less likely to be caught than traditional criminals. Furthermore, cybercriminals who have been caught have tended to serve far milder sentences than their counterparts operating in the physical world, and in many cases evade prosecution altogether. The RAND Corporation, for example, found that only 0.05% of cybercriminals in the U.S. are ever actually prosecuted. This is in large part due to the sheer volume of less severe or even unsuccessful attacks carried out.

In the case of insider threats, one of the main risks that employees would be taking is losing their job and a decent reputation in the business community. Intentional insider threats are therefore unlikely to come from individuals who are highly motivated and career-focused. In this sense, workplace culture and job satisfaction could be a significant factor in reducing the risk of malicious insider threats.

The impact of workplace culture on insider threat risk

Workplace environments and culture have a big impact on employee satisfaction and loyalty. With the prevalence of remote/hybrid working, alongside an increase in the number of companies hiring freelancers for temporary projects, creating a strong workplace culture with closely-knit teams isn’t as easy as it used to be. Now, as increasing numbers of employees continue to return to the office, the more complex and nuanced impacts of the changes in work culture that have taken place since the pandemic are becoming evident.

For example, Amazon’s recent run-in with European data protection authorities raised concerns about the company’s monitoring practices for its employees, and resulted in a €32 million fine for transgression of GDPR policies. While this is an extreme example, company distrust of employees could be a more general trend resulting from the monitoring practices companies implemented for remote working models during the pandemic.

Ironically, while companies with stringent monitoring and surveillance practices are clearly attempting to prevent employees from stepping out of line, it may actually increase their risk from malicious insider threats. This is because it creates a reciprocal culture of distrust and discontent amongst employees.

Commenting on Amazon’s recent exposé and the issue of employee surveillance, Vivek Dodds, CEO of compliance company, Skillcast, warns that excessive surveillance could lead to a more disengaged workforce, resulting in increased risk from both accidental and malicious insider threats.

“While excessive employee monitoring may not directly increase the risk of insider threats, it does pose significant indirect risks. An over-monitored environment can lead to a more disengaged workforce. When employees feel constantly surveyed, their job satisfaction may drop, potentially causing a decreased commitment to the organisation. This disengagement may lead to perfunctory performance, increasing the likelihood of accidental errors, lapses in judgment, and outright negligence, all of which heighten the risk of regulatory breaches.”

Vivek Dodds, CEO of Skillcast

As AI tools are beginning to be used for performance monitoring purposes, companies need to take care not to misuse these tools, and ensure that they are listening to employee feedback and preferences regarding where and how AI tools are used in their workplace. Even if not used for monitoring purposes, the integration of AI into an employee’s workload could impact how valued they feel within the company, and their level of engagement and loyalty. In turn, these factors could contribute to the risk a company faces from insider threats.

The takeaway

An underestimated factor which could put businesses at increased risk from insider threats is workplace culture. This directly relates to key aspects of employee experience such as how valued they feel, how much freedom they have in how they work, and opportunities for progression and recognition.

In a research report, Criminologist M. Weulen Kranenbarg advises state correction facilities to reduce reoffending rates in cybercriminals primarily by stimulating offenders to satisfy their curiosity, intelligence, and skills in legitimate and non-harmful ways.

Businesses should take heed of this advice as not just a correctional course of action, but a preventative measure that can help to reduce the risk of malicious insider threats while also fostering a more engaged and value-centred work environment.
