January 22, 2024
Key points

  • AI is fueling a cyber arms race, but malicious insiders remain a stubborn threat to organizational data and intellectual property and require a holistic and attentive security posture.
  • Case patterns in malicious insider cases reveal two common models: (a) entitlement combined with a precipitating event; and (b) “Ambitious Leader” cases in which a high-level worker enlists colleagues to steal intellectual property for a larger purpose.
  • The foundation of better security for intellectual property is an accurate understanding of risk, as this relates to an organization’s ability to detect the insider’s actions.

Cyber insecurity ranks high among the top risks facing the world, according to 1,490 experts across academia, business, government, the international community and civil society (World Economic Forum Global Risks 2023-2024).

“Technology-enabled proliferation of illicit activities in new markets and geographies could have numerous implications at a state, company, and individual level,” the report warns. “New tools and capabilities will open new markets for criminal networks, with cybercrime offering an increasingly low-risk and low-cost revenue stream for organized crime. Phishing attacks, for example, can now be easily and accurately translated into minority languages using generative AI.”

Generative AI will add to the complexity of attacks, notes Global Cybersecurity Outlook 2024, a report by WEF and Accenture. Generative AI chatbots are making it much easier for cybercriminals to create believable phishing emails and write custom malware, for example.

Just as cybercriminals gain access to recent technologies that increase the speed and tailoring of their attacks, organizations are looking to respond in kind with more sophisticated technology tools. It is this cybersecurity arms race—AI-enabled cyberattacks versus more sophisticated technology defenses—that gets the most attention.

But for organizations trying to protect information and data, people are still a problem, in the form of malicious insiders.

Insight on the Insider Threat to Intellectual Property

For decades now, the CERT Program at Carnegie Mellon University’s Software Engineering Institute has been gathering and analyzing actual malicious insider incidents. Based on case patterns, it identified four categories of insider threat cases: IT sabotage, fraud, theft of intellectual property (IP), and national security espionage.

One cause behind insider IP theft is a sense of entitlement among workers born of their contributions to a project or their knowledge. If an employee forms a sense of entitlement, and there is then a precipitating event like a denial of a request, perceived mistreatment, or a job offer from a competitor, it can trigger a motivation to steal (see the accompanying figure at bottom). Or, as they see it, simply to “take what’s mine.”

Researchers from the Australian Institute of Criminology describe how a distorted idea of ownership evolves, laying the foundation for theft. “Employees, especially those in large organizations, may presume personal ownership or entitlement by virtue of occupation (of a position or space) or through regular use/access. The resource becomes “my office”, “my computer” and “my budget”. This, in turn, seems to provide moral justification for taking the resource for personal use.” While often resulting in only petty theft of office supplies, this distorted perception can lead to large frauds or data theft (“The Psychology of Fraud”).

CERT researchers describe the progression. Insiders typically start with an honest desire to contribute to the organization. For individuals predisposed to feelings of entitlement, this attitude grows as he or she invests time and effort, and a tangible product of that work emerges. “This sense of entitlement can be particularly acute if the insider perceives his role in the development of products as especially important,” notes CERT research. “If the insider’s work is focused on the contribution to a particular product, for example a commercial software package, or the development of specific business information like customer contact lists, he may have a great sense of ownership of that product or information.”

Awareness is the key to prevention in such cases, say experts. “An organization’s accurate understanding of its risk is directly related to its ability to detect the insider’s actions, which, with sufficient levels of technical and behavioral monitoring, may be discoverable.”

Researchers place the other type of intellectual property theft under the rubric of the “Ambitious Leader Model.” These are cases in which a leader enlists other insiders to collude in stealing IP for some larger purpose. Crimes under this model generally fall into three categories, listed from the most to least common:

  • Insider has specific plans to develop a competing product or to use the information to attract clients away from the victim organization.
  • Insider works with a competing organization to help his new employer.
  • Insider sells information to a competing organization.

One case example: The head of the public finance department of a securities firm organized his employees to collect documents to take to a competitor. Over one weekend he then sent a resignation letter for himself and each recruit to the head of the sales department. The entire group of employees started working at the competitor the following week.

As you would expect, this type of IP theft is not as common as theft driven by a sense of entitlement. It involves more intricate planning, a higher level of deception, and the recruitment of others into the leader’s scheme. However, because this crime is typically more thought through and the primary driver is the potential for gain, it often carries a higher potential for IP loss.

How do you stop Ambitious Leader cases?

Compared to entitlement cases, stopping thefts under the ambitious leader model is complicated because they typically lack employee disgruntlement as a precursor to the theft. In cases where employees feel compelled to “take what’s theirs,” they often exhibit signs of job dissatisfaction before they act. Ambitious leader cases, however, are born out of calculation. There are signs of job dissatisfaction in only 10% of such cases, research indicates.

Although behavioral signs are not usually present, cases that fall under the Ambitious Leader model can be easier to uncover because they have “more potential indicators for early warning,” according to researchers. These indicators hold implications for uncovering crimes in the planning stage and for prevention.

A basic first step, advise CERT researchers, is to warn potential malicious insiders that the organization is concerned about IP theft.

IP agreements don’t prevent theft—in 48% of theft cases studied there was an agreement explicitly stating that the organization owned the stolen information—but these agreements do:

  • raise the likelihood that deception will be necessary to pull off a theft,
  • increase employees’ concern over being caught, and
  • raise awareness among insiders that the organization cares about theft.

Taken together, these effects suggest that IP agreements may help both to prevent thefts and to solve them. The researchers conclude: “If the [victim] organizations involved publicized its concern and pursued violations, this may have increased the odds of deception while providing another observable indicator of insider risk.”

Organizations must also be on the lookout for planning activities. Cases involving collusion to steal IP involve planning for a month or more before the insider’s departure from the organization in 71% of cases. Extensive preparations that typically precede Ambitious Leader thefts provide an “additional point of exposure of the impending theft,” according to researchers. In addition to the recruitment of other insiders, pre-theft activities may include creating a new business (in 43% of cases); coordinating with a competing organization (43%); and collecting information in advance of the theft (38%).

“There were behavioral or technical precursors to the crime in all of the Ambitious Leader cases,” researchers noted. “One insider, over a period of several years, exhibited suspicious patterns of foreign travel and remote access to organizational systems while claiming medical sick leave. It is not always this blatant, but signs are often observable if an organization is vigilant.”

Additionally, unlike “entitlement” cases in which workers typically misappropriate information to which they have authorized access, “ambitious leader” cases typically involve attempts to gain access to information to which an employee is not authorized. This provides another opportunity to spot this type of information theft.

Finally, technology monitoring does play a key role. In entitlement cases, employees typically take “their” information in conjunction with their departure. On the other hand, in Ambitious Leader schemes, individuals often begin to steal information more than a month prior to their departure from the organization. “Many of these involved large downloads of information outside the patterns of normal behavior by those employees,” according to researchers. Technical monitoring, if present in these cases, provides an opportunity for detection.
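The two technical indicators the researchers describe, downloads far outside a user’s normal volume and repeated attempts to reach data the user is not authorized for, can be checked with simple per-user baselining. The following is an added example written for this article, not CERT’s or the article’s own tooling; the log format, the users, the 5x-of-median volume rule and the denied-attempt threshold are all assumptions, and the log lines are constructed.

```python
"""Flag insider-risk indicators from the article over constructed download logs:
(1) a day's download volume far above the user's own baseline, and
(2) repeated denied attempts to access data outside the user's authorization."""
from collections import defaultdict
from statistics import median

# Constructed sample log: user,day,bytes_downloaded,denied_access_attempts
SAMPLE_LOG = """\
alice,2024-01-01,120,0
alice,2024-01-02,150,0
alice,2024-01-03,130,0
alice,2024-01-04,140,0
alice,2024-01-05,9000,3
bob,2024-01-01,500,0
bob,2024-01-02,520,0
bob,2024-01-03,480,1
bob,2024-01-04,510,0
bob,2024-01-05,530,0
"""


def parse_log(text):
    """Parse the assumed CSV format into (user, day, bytes, denied) tuples."""
    rows = []
    for line in text.strip().splitlines():
        user, day, nbytes, denied = line.split(",")
        rows.append((user, day, int(nbytes), int(denied)))
    return rows


def find_indicators(rows, volume_factor=5.0, denied_threshold=2):
    """Return {user: [reason, ...]} for users whose activity matches an indicator.

    The baseline is the user's own median daily volume (assumed rule), so a
    single very large day does not drag the baseline up and hide itself."""
    per_user = defaultdict(list)
    for user, day, nbytes, denied in rows:
        per_user[user].append((day, nbytes, denied))
    findings = defaultdict(list)
    for user, events in per_user.items():
        baseline = median(n for _, n, _ in events)
        for day, nbytes, denied in events:
            if baseline > 0 and nbytes > volume_factor * baseline:
                findings[user].append(
                    f"{day}: download of {nbytes} exceeds {volume_factor}x baseline {baseline}")
            if denied >= denied_threshold:
                findings[user].append(f"{day}: {denied} denied access attempts")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in find_indicators(parse_log(SAMPLE_LOG)).items():
        print(user, reasons)
```

On the constructed log only alice is flagged, for both indicators on the same day; bob’s single denied attempt stays below the threshold and his volumes sit on his baseline.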