Teleworking and Insider Threat. New opportunities for an old acquaintance
Julián works in the sales department of an automotive components company and has good business relationships with distributors and suppliers in the sector. In the past, he has on occasion given in to proposals from one of these suppliers to adjust prices and orders in exchange for monetary compensation, from which he has personally benefited. This wasn’t particularly risky and could be concealed quite easily through his department’s usual processes and operations. In this way, Julián obtained an extra income to which he has already become accustomed.
The coronavirus health crisis surfaced and he started teleworking. His company communicated that this situation would be prolonged, both intermittently and in the long run, according to periods and circumstances. Although for now it seems that he will not be affected by the layoffs and employment regulations announced by his company, Julián’s wife has lost her job in the agency and the family has lost income. Now Julián needs to earn more money and has spoken to the distributors and suppliers he used to work with. They tell him that they are waiting for the markets to recover to return to previous levels of activity and to continue the business they had with him.
In these tough economic times we are facing, it has also occurred to Julián that some of his company’s direct competitors might be interested in collaborating with him, since he has access to a lot of information about its prices, margins, strategies and even plans and projects. Working from home, he reasons, this should all be even easier than before.
Teleworking and business continuity: digital transformation and cybersecurity
The coronavirus pandemic has forced companies and organisations to put accelerated employee work schemes in place. As such, teleworking – a phenomenon that was unimaginable at the beginning of 2020 – has become fundamental. Some companies have found a more or less temporary working solution for all staff, which seems to have been designed mainly to aid the reconciliation of work and family life. Some learnt to telework on an improvised basis at the beginning of this crisis whilst others have had to close down for a while (or forever!) as they were unable to adapt to carrying out their activity without physically being in the workplace on a daily basis.
Teleworking has thus become, in practice, a selection criterion that clearly shows the competitiveness of a company and its ability to survive and generate business, especially in complicated environments that require fast and flexible responses.
This greater or lesser adaptation to the working mode of teleworking is an adequate parameter against which to measure the strength of an organisation and its resistance to uncertainty. It’s another case that highlights the Digital Transformation’s value to businesses or, in other words, that illustrates the impossibility of business survival if it is not embraced.
With telework already in place, companies must adjust their cybersecurity plans to this new, more decentralised and variable environment, in which new opportunities also arise for the usual hostile actors. The figures for digital fraud, phishing and other threats have not diminished with the more intensive implementation of teleworking. In addition, attention should also be paid to the actions of other groups who do not fall within the categories of cybercrime, hacktivism or traditional attackers and who can be very harmful to a company or organisation. For example, those within the Insider Threat category.
The ‘Insider’ hasn’t left; he’s teleworking.
The threat of the ‘Insider’ is not going to disappear in the era of teleworking. Regardless of whether they work intermittently or during extended periods of time, why would an Insider who has been committing fraud on-site – in their company’s corporate facilities – discontinue their activity now?
The Insider’s work circumstances may have changed, but their motivation and willingness to act in such a way and also their abilities to do so successfully remain unchanged until they are exposed. What will teleworking change? Will the Insider’s cause – which led them to act as such on-site – be undermined now that they have to ‘work’ from home? Most probably the answer will be no, that it will not change and that in addition the negative economic scenario derived from the coronavirus pandemic will sharpen aspects such as the Insider’s personal economic motivation or their tendency to act under the sponsorship of an external actor, such as one of their organisation’s competitors.
So, the Insider’s willingness and ability to act do not seem to disappear. In fact, a more intensive implementation of teleworking will open up additional opportunities to the Insider as they adapt to the new environment – in other words, ‘outside the office, … but with access to it’. These kinds of new opportunities have a lot in common with those used by the disloyal employee who is temporarily displaced or expatriated. In both cases, and without adequate adaptation of cybersecurity plans, organisations will be more exposed and vulnerable to internal threats in these and similar scenarios.
The challenges of teleworking
Additionally, the Corporate Plans in relation to Insider Threats should be updated to take into account the reality of teleworking, and with them the Cyber Intelligence Tactics, Techniques and Procedures (TTPs) on which they were designed. As a general rule, these TTPs should focus on the human factor of the threat, without forgetting its digital component and working a lot with a series of signs that the Insider is going to stop their activity. Essentially, this will be detectable by specialised tools, such as the study of social networks (SOCMINT) or the interactions based on the use of Virtual HUMINT, in addition to others of a technical nature.
What kind of hostile actions can an Insider carry out when teleworking? Can these actions be detected by the classic security measures implemented by an organisation? Let’s look at some examples:
- Outside the office, the Insider facilitates physical access to their team by people outside their company (for example, a competitor who sponsors them).
- On site (e.g. at the Insider’s home) a hostile actor with impressive digital capabilities uses the Insider’s devices by assignment from the Insider.
- On request, the Insider takes specific ‘screenshots’ in their work sessions (taken with their mobile device, for example).
- With greater schedule freedom, the Insider can more easily copy (for example, onto a personal rather than a corporate device or on paper) data and information that they need or that has been requested for subsequent delivery to their sponsor.
- The Insider can fraudulently alter security information (passwords, accesses, etc.).
- The Insider can camouflage their hostile actions by simulating digital incidents or equipment incidents, taking advantage of the fact that their company’s corporate IT support is operating remotely.
- In the same way, the Insider can simulate errors in networks, routers, VPNs, etc.
- The Insider can record video conferences that address issues of interest to their objectives.
- Whilst teleworking, it is easy for the Insider to transfer information and digital assets from corporate equipment to other individuals or third parties.
- Likewise, copying digital assets to a USB or other drives is easier when teleworking than working on-site. The extraordinary circumstances of teleworking may also ‘justify’ this type of practice, which is usually not allowed in on-site work.
How do intelligence capabilities help to detect Insider Threats? The key is to focus research efforts on the human factor of the threat, integrating tasks and research with studies into the digital behaviour of the Insider, analysing parameters such as their PC connection times, patterns of these connections and comparisons of the data obtained with those which were routine in the usual on-site work scenario.
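The comparison of teleworking connection patterns against the on-site routine can be sketched as follows. This is an added example, not code from the original article: the session log layout, the sample rows (constructed) and the thresholds are all assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data: (user, session start, session end).
ONSITE = [
    ("julian", "2020-02-03 08:55", "2020-02-03 17:40"),
    ("julian", "2020-02-04 09:05", "2020-02-04 18:02"),
    ("julian", "2020-02-05 08:48", "2020-02-05 17:31"),
    ("julian", "2020-02-06 09:10", "2020-02-06 17:55"),
    ("julian", "2020-02-07 09:00", "2020-02-07 15:30"),
]
TELEWORK = [
    ("julian", "2020-04-20 09:02", "2020-04-20 17:45"),
    ("julian", "2020-04-22 23:40", "2020-04-23 01:15"),
    ("julian", "2020-04-25 10:05", "2020-04-25 11:00"),  # a Saturday
]
FMT = "%Y-%m-%d %H:%M"

def parse(rows):
    return [(u, datetime.strptime(s, FMT), datetime.strptime(e, FMT)) for u, s, e in rows]

def build_baseline(rows):
    """Per user: start-hour counts, weekdays seen, session durations in hours."""
    base = {}
    for user, start, end in parse(rows):
        b = base.setdefault(user, {"hours": Counter(), "days": set(), "dur": []})
        b["hours"][start.hour] += 1
        b["days"].add(start.weekday())
        b["dur"].append((end - start).total_seconds() / 3600)
    return base

def deviations(rows, base, z_limit=3.0):
    """Return (user, start, reasons) for sessions that depart from the baseline."""
    out = []
    for user, start, end in parse(rows):
        b, reasons = base.get(user), []
        if b is None:  # nothing to compare against: surface it for review
            out.append((user, start, ["no on-site baseline"]))
            continue
        if not any(min(abs(start.hour - h), 24 - abs(start.hour - h)) <= 1 for h in b["hours"]):
            reasons.append("unusual start hour")
        if start.weekday() not in b["days"]:
            reasons.append("unusual weekday")
        mu, sigma = mean(b["dur"]), pstdev(b["dur"]) or 1.0  # avoid dividing by zero
        if abs((end - start).total_seconds() / 3600 - mu) / sigma > z_limit:
            reasons.append("unusual duration")
        if reasons:
            out.append((user, start, reasons))
    return out
```

A flagged session is a prompt for review alongside the human-factor indicators the article describes, not evidence of hostile activity on its own, since teleworking legitimately shifts many employees' schedules.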
It is also about looking for human error in the Insider’s behaviour. This human error always exists and becomes more detectable as time passes. Moreover, the Insider tends to relax because they have not been detected. Teleworking also brings an added subjective feeling of impunity and anonymity when it comes to carrying out hostile actions.
In their constant process of improving cybersecurity, organisations must also design and implement internal procedures specifically adapted to their staff teleworking, based on the idea that this will be a working modality that, increasingly, will operate permanently or intermittently but also that will be developed over an extended period of time. In addition to the Cybersecurity plans, corporate Insider Threat plans will also need to be updated.
Discover our work and Cyber Intelligence services at www.tarlogic.com