The rise of the super malicious insider: Yes, we need to worry

DTEX Systems announced the release of a report which identifies a significant increase in industrial espionage incidents and the rise of the super malicious insider persona, and provides evidence that the abrupt shift to remote work has directly contributed to an escalation in psychosocial human behaviors that create organizational risk.

The rise of malicious insider incidents

  • The super malicious insider accounted for 32% of malicious insider incidents investigated in 2021
  • 72% year-over-year increase in actionable insider threat incidents
  • 42% of actionable incidents were related to IP and data theft, including industrial espionage incidents related to the theft of trade secrets, source code, and active collusion with a foreign nexus
  • 75% of insider threat criminal prosecutions were the result of remote workers
  • 56% of organizations had an insider data theft incident resulting from employees leaving or joining companies
  • +200% year-over-year increase in data loss associated with users taking screenshots during confidential Zoom and Microsoft Teams meetings, and
  • +300% year-over-year increase in employees utilizing corporate assets for non-work activities.

For more than a decade, insider threats have been categorized as either malicious, negligent or compromised. Based on the findings, a fourth persona has emerged—the super malicious insider. The super malicious insider is a technically proficient employee who is acutely aware of an organization’s cyber security architecture, solutions, and processes and who understands both the technical and human analyst limitations in detecting insider threat indicators.

Sophisticated insider techniques increasing dramatically

DTEX's investigations found a dramatic increase (32%) in the use of sophisticated insider techniques across the insider incidents studied, including a 43% increase in the use of burner email accounts, a noticeable increase in the use of OSINT practices to conceal identity, and the active avoidance (96%) of techniques catalogued in the MITRE ATT&CK framework.

“If any company thinks they don’t have an insider risk problem, they aren’t looking,” said Rajan Koo, Chief Customer Officer and DTEX Lead with DTEX Systems. “The addition of the super malicious persona in this year’s report provides a wake-up call that traditional cyber security tools, such as DLP, UBA, and UAM, are actively being avoided or circumvented by those with sufficient technical skill and malicious intent.”

“While the increase in the amount and impact of insider risk occurred across industries, we found that it is most concentrated in technology and critical infrastructure at 33% and 24%, respectively,” said Armaan Mahbod, Director of Security and Business Intelligence, Counter-Insider Threat at DTEX. “The risk to critical infrastructure entities in the Five Eyes nations is especially significant as any compromise can be damaging to the national security of these countries and the safety and well-being of its citizens.”