Global Insider Risk Report: Insiders Are Leaving the Door Open to Nation State Abuse
Trusted insiders have never been more vulnerable to foreign interference, as nation states increasingly exert their influence and stealth to socially engineer their way into mission-critical entities.
SAN JOSE, Calif.–(BUSINESS WIRE)–DTEX Systems, the global leader for insider risk management, today released its 2024 i3 Insider Risk Investigations Report – Foreign Interference: Special Edition. This year’s report sheds light on the growing threat of foreign interference and IP theft and calls for collaboration and information-sharing to “uplift the protective security resilience of our most mission-critical agencies and entities.”
“Ongoing geopolitical tension against a backdrop of technological disruption has changed the security landscape as we know it, blurring the lines between cyber, physical, and psychological threats… In 2024, fighting ransomware is not the number one conversation to be having. Protecting trusted insiders (and the assets and systems they are entrusted with) against foreign influence is the ‘how to’ conversation to be having and solution to be driving for,” the introduction states.
According to DTEX, there has been a 70% increase since 2022 in the number of customers asking for support in protecting their organizations against foreign interference, with most requests coming from critical infrastructure and the public sector.
The findings, based on more than 1,300 investigations across DTEX’s global customer base, show that 42% of all investigations involved theft of IP or other non-proprietary data. The tech sector (which includes semiconductor and artificial intelligence (AI) companies) was hardest hit, accounting for 41% of all IP theft incidents, followed by pharma (20%) and critical infrastructure (including energy and telecommunications) (14%).
The report also reveals customer sentiment around AI, with 92% of organizations identifying internal use of AI tools as a key security concern.
Uniquely, this year’s report includes specific insights into the actions and inactions of super malicious insiders based on the ‘Insider Threat Kill Chain’ – the key stages leading up to data exfiltration.
“One of the most interesting and unexpected findings from our investigations was that only 12% of super malicious insiders, such as those colluding with nation states, are actively bypassing security controls. This underscores the reality of super malicious insiders flexing their tech know-how to avoid getting caught in what is fast becoming a psychological arms race,” DTEX Systems CTO and Head of i3 Investigations and Engineering Rajan Koo said.
The report also cautions about the rise of the “socially engineered insider”, as foreign state actors increasingly exert their influence and stealth to target, recruit, plant, and exploit insiders. The report also warns about the growing threat of espionage through legitimized channels, with reference to China’s Thousand Talents Program.
“Foreign interference and IP theft have reached all time highs. We’ve already seen this time over in the headlines, and our investigative findings confirm this reality. While we have seen great progress with insider risk program maturity across the board, the fact remains that no single person, entity, or program can combat the threat of espionage alone. Now more than ever, the public and private sectors must band together to accelerate knowledge transfer and skills development. It is our mission to enable and accelerate best-practice information sharing among trusted allies in the spirit of uplifting insider risk management and, in turn, national security,” Koo said.
Key findings:
- A statistically significant number of malicious insiders display anomalous reconnaissance behavior compared with their peers. Thirty-two percent of malicious insider investigations included anomalous reconnaissance behavior; 13% included unusual and repeated research into people and authors of ‘crown jewel’ topics; 9% performed external and internal research on corporate security controls; 5% actively exercised internal security controls (e.g., sent innocuous data via an unapproved medium).
- Most malicious IP theft investigations (64%) included some form of data preparation, aggregation and/or conversion. Thirty-seven percent of all unusual aggregation steps included the conversion of data to some form of image or PDF (e.g., screenshots) while 22% had some form of data compression in addition to encryption.
- Most malicious insiders try to cover their tracks. Seventy-seven percent of sophisticated malicious insiders attempted to conceal their activity to evade detection; 35% attempted to conceal the source of their internet connection, including private browsers, VPN, mobile hotspots, etc. In addition, DTEX saw a 25% increase in the usage of burner email and encrypted messaging accounts since 2022.
- Most organizations want help managing AI risk. As many 90% of organizations want support with employee monitoring to mitigate AI-associated risks.
- Most investigations involved IP or data theft (43%), followed by unauthorized or accidental disclosure (24%), sabotage (17%), and fraud (9%). The sectors most vulnerable to IP theft incidents are tech (41%), followed by pharma (20%), and critical infrastructure (14%).
- Insecure web applications and ‘data bleed’ between corporate and personal accounts continue to exacerbate insider risk-related data loss. There was a 62% increase in the use of unsanctioned apps – including the use of suspicious browser extensions. Meanwhile, 21% of communications tools (such as Zoom, Slack, Cisco Webex, etc.) involved the unauthorized transfer of data.
- HR departments continue to lead insider investigations. Seventy-two percent of all DTEX i3 investigation requests were initiated by HR.
- Most employees take data when they leave. Fifteen percent of ‘leavers’ take sensitive IP, while 76% take non-proprietary data.
- External attack frameworks can’t stop malicious insiders. Almost all (95%) of malicious insiders were able to avoid using MITRE ATT&CK techniques.
- A trusted workforce and good security hygiene underscore effective insider risk management. Sixty-eight percent of insider risk events were proactively resolved with follow-up security awareness training and corporate policy changes.
Methodology
The 2024 report is based on more than 1,300 insider investigations conducted by the DTEX Insider Intelligence and Investigations (i3) team throughout 2023 within DTEX’s global customer base. Distribution by headquarter location: Americas (56%), APAC (20%) and EMEA (24%). Distribution by headcount: 0-1k (20%), 1-10k (32%), 10-50k (26%) and 50k+ (22%). Download the report for the complete breakdown.
About DTEX Systems
As the global leader for insider risk management, DTEX unifies data science with AI and behavioral psychology to stop insider risks from materializing into data breaches. DTEX InTERCEPT™ cuts across Data Loss Prevention, User Activity Monitoring and User Behavior Analytics in one lightweight platform to enable mission-critical entities to safeguard their most sensitive assets. Combining rich telemetry across cyber, physical, and psycho-social sensors, DTEX surfaces unique early warning indicators to detect and deter true insider risks at unprecedented scale, with privacy by design.
To learn more about DTEX, please visit dtexsystems.com
Connect with DTEX: LinkedIn | Twitter | YouTube
Contacts