Our previous insider threat post shared details on types of insider threats and why they are a concern. In this post we share some examples and mitigation strategies.

Examples of Significant Insider Threat Incidents 

With rapidly evolving technology, the threat of an insider and the associated cost for containing and responding to an incident is growing. There have been some significant incidents where organizations not just suffered from brand damage, or loss of critical data, but also ended up bearing large financial losses. Some of the notable public cases are: 

1. The superior court of Quebec, Canada approved a $200.9 million CAD settlement against a large Canadian financial services cooperative over a data breach—the largest to date in the Canadian financial services sector. The data breach occurred between 2017 and 2019 and exposed the data of 4.2 million account holders. The incident was linked to the actions of a rogue employee who was siphoning the customer data silently for 26 months and passing it to an unknown person or persons, presumably for financial gain (more for subscribers in Mandiant Advantage).
2. A former senior developer at a New York-based technology company, which offers wireless networking products, solutions, and related platforms, misused his administrative access to steal confidential data and then attempted to extort the senior employees. This resulted in a fall in stock prices by ~20% and company’s market capitalization decreased by $4 Billion USD. 
3. The Associate director at an American multinational pharmaceutical and biotechnology corporation, uploaded 12,000 confidential files to a personal Google Drive account from her corporate laptop. The confidential documents included drug development data, trade secrets related to the COVID-19 vaccine and its studies. It was noted that the Director stole this data before a job move to a rival company. This resulted in brand damage, loss in competitive edge, and loss of proprietary data.
4. A former employee at a San Jose-based technology company that develops, manufactures, and sells networking solutions deployed code in AWS (Amazon Web Services) that resulted in the deletion of approximately 450 virtual machines related to a specific application. This action resulted in the organization spending approximately 1.4 million USD in employee time to restore the damage to the application and refunded more than 1.0 million USD to reimburse affected customers.

Mitigation Strategies 

As organizations across industry verticals are continuously at risk of being affected by insider threats, developing, and updating security measures to combat this activity is ideally a dynamic and continuous process. Again, these measures would vary depending on the size and industry vertical an organization belongs to and by no means this is a complete list, but certainly a good start: 

• Define an Insider Threat Program and align with risk management. An effective program requires the collaboration and integration of several cross functional components to include: HR, CISO, CSO, Legal, and operations.  
• Conduct a thorough insider threat assessment. A prerequisite to building an effective program is to properly identify the current state of capabilities to manage insider risk and uncover resulting gaps. 
• Employee education is one of the best ways to prevent and respond to a potential insider incident. As employees learn about the types of insider threats, in addition to why insider threats are of concern they will become better equipped to identify and inform the designated teams that respond to insider incidents. 
• Identify the “crown jewels” such as assets that are most prized and valuable. 
• Monitor user and device behavior and compare it to previously established baseline activity while keeping employee privacy in mind.  
• Network administrators, policy makers, and data owners should restrict opportunities for individuals to gain or leverage unauthorized access. 
• Data loss prevention (DLP) tools, while not foolproof, may identify and prevent sensitive data from leaving an organization. 

Mandiant Insider Threat Service Offerings 

Mandiant provides protection against insider threats for all stages of the attack lifecycle. Our purpose-built services assess your existing insider threat program and build effective security program capabilities to stop these threats in their tracks. 

We do this in three ways:  

1. The Mandiant Insider Threat Program Assessment is a point-in-time evaluation of insider threat risk and detection capabilities in your environment. 
2. Mandiant’s Insider Threat Program Development provides a customizable offering to develop Insider Threat capabilities for organizations of all sizes. The Insider Threat Program Development Service takes a phased approach to assess, design, enhance and fully operationalize Insider Threat capabilities within organizations. 
3. Mandiant’s Insider Threat Security as a Service provides an operational security program to ensure effective and continuous insider threat prevention, detection, and response. 

More details are available on our Insider Threat Security Services page.