Most employees who carry out inside hacking attacks on their company could have been spotted in advance, according to a new report produced for the US Department of Homeland Security.
The Insider Threat Study (ITS), researched by The Secret Service National Threat Assessment Center (NTAC) and the Computer Emergency Readiness Team (CERT) using data collated from public sources, notes that 97 percent of those carrying out malicious acts against their companies had acted in a "concerning manner" during their work day.
Almost a third of these individuals also had a previous arrest history for acts of violence, drug abuse and crimes such as fraud. Ninety-six percent were males.
Fifty-seven percent of employees carrying out inside hacks were seen by colleagues as being "disgruntled" before committing the acts, which were almost always planned in advance. In many cases, other employees and family members had some idea that the individuals were about to attack company systems.
The report discusses examples of real-world incidents where employees have taken out their ire on an employer or former employer by causing a wide range of destruction, from deleting critical files to corrupting or amending data.
The study states the obvious when it concludes that most attacks are motivated by anger at the employer or former employer, but it is still surprising the lengths to which some people will go to cause damage to company systems. Common triggers included being made redundant, being demoted or being upbraided for a breach of company policy.
One of the issues raised by this study is that taking away access to systems is often not enough to avert an attack as most attackers have set up an alternative means for accessing a network. In a surprising quarter of cases, however, companies had not bothered to remove privileges from an individual before dismissal, allowing an attack to take place at a later point in time.
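Both gaps described above (privileges left in place at dismissal, and alternative access paths set up beforehand) can be checked by reconciling HR termination records against a credential inventory. The following is an added example, not part of the study or the original article; the usernames, credential records, field names and the 90-day lookback are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (assumption, not from the study): HR termination dates.
TERMINATIONS = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 3, 15)}

# Constructed credential inventory: every login path, who uses it, who created it.
FIELDS = ("id", "owner", "created_by", "created", "enabled")
CREDENTIALS = [dict(zip(FIELDS, row)) for row in [
    ("ad:jdoe",     "jdoe",   "it-admin", date(2020, 1, 6),  False),
    ("vpn:jdoe",    "jdoe",   "it-admin", date(2021, 5, 3),  True),
    ("svc:backup2", "backup", "jdoe",     date(2024, 2, 20), True),
    ("ad:asmith",   "asmith", "it-admin", date(2019, 9, 2),  False),
    ("ad:mlee",     "mlee",   "it-admin", date(2022, 7, 11), True),
]]

LOOKBACK = timedelta(days=90)  # assumed review window before a departure


def audit_offboarding(terminations, credentials, today, lookback=LOOKBACK):
    """Return (credential id, reason) for each enabled credential that a
    departed user could still use to get back in."""
    findings = []
    for cred in credentials:
        if not cred["enabled"]:
            continue  # already revoked, nothing to report
        owner_left = terminations.get(cred["owner"])
        creator_left = terminations.get(cred["created_by"])
        if owner_left is not None and owner_left <= today:
            # Gap 1: the person's own access was never removed at dismissal.
            findings.append((cred["id"], "enabled after owner's termination"))
        elif creator_left is not None and cred["created"] >= creator_left - lookback:
            # Gap 2: a login path the departing user created under another
            # name shortly before (or after) their exit date.
            findings.append((cred["id"], "created by departed user near exit"))
    return findings


if __name__ == "__main__":
    for cred_id, reason in audit_offboarding(TERMINATIONS, CREDENTIALS, date(2024, 4, 1)):
        print(f"{cred_id}: {reason}")
```

The second check also fires before the termination date, so it can be run as part of a pre-dismissal review as well as afterwards.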
Despite the preponderance of disgruntled males, the report holds back from identifying attackers using conventional stereotypes such as age and appearance. Although this is only alluded to, one can infer from the statistics that there are enough atypical insider attacks where motive is unclear for that to function as a safeguard. Attackers could also come from any level of the company, including techies, mid-level workers and even management and executives.
What is clear is that companies need to be more careful to whom and how quickly they give access to company systems - especially when dealing with contractors working for third parties. They also need to assume that a certain number of employees will eventually launch insider attacks and have a plan for disaster recovery. The culture of a company needs to allow for other employees to report odd behaviour in confidence before attacks occur.
Regardless of prevailing fashion, the next decade is likely to see an increasing emphasis on monitoring potential attackers directly rather than simply, as at present, putting up barriers using security technology. This could turn out to be the theme of the age - watching people for changes in behaviour or activity.