Triple Threat: Insecure Economy, Cybercrime Recruitment and Insider Threats

A wave of layoffs, coupled with increased recruitment efforts by cybercriminals, could create the perfect conditions for insider threats to flourish

So far in 2023, layoffs have resulted in tens of thousands of tech workers losing their jobs. And that’s just in tech. Across sectors, employees are feeling the ramifications of economic uncertainty. Ransomware attacks are continuing and growing more sophisticated. And it’s not only the attacks that are growing more sophisticated; so are cybercrime recruitment efforts. All the while, the cybersecurity skills gap persists for most organizations.

All of these factors have the potential to create a perfect storm in terms of insider risks. Here’s what you need to be doing to stay protected against them.

The cost of insider threats

A cyberattack precipitated by an individual who is employed by a company or has permission to access its networks or systems constitutes an insider threat. Insider threats can be malevolent or unintentional, and they might come from current or former employees, business partners, board members or consultants.

Insider threats are increasingly prevalent and more costly for organizations. According to the Ponemon Institute’s 2022 Cost of Insider Threats report, insider threat incidents have risen 44% over the past two years, with costs per incident up more than a third, to $15.38 million.

Employees who are laid off but still have access to inside resources can pose a risk; sometimes it’s unintentional, but sometimes it’s retaliatory. Bad actors are well aware of this and are bound to start trying to recruit from these ranks.

Cybercrime recruitment efforts are rampant

As cybercrime becomes more organized and sophisticated, we’re seeing these syndicates behave much like legitimate businesses. They have organized departments, job roles and hierarchies, as well as recruitment strategies.

When the Conti ransomware group’s files were leaked in early 2022, it became clear that the organization was functioning very much like any other business. There was even a human resources lead and a recruitment director on the payroll. Also, we’ve observed evidence of bad actors actively seeking insider assistance for their goals, using phone calls, social media and email.

More recently, an international bust of the Russian-linked group behind Doppelpaymer found that recruitment was a key part of the group’s strategy. The group was even offering paid vacation and requested references to verify past cybercrimes.

And on the Dark Web, cybercrime syndicates are ramping up their efforts, offering competitive salaries and benefits. Some jobs paid $20,000 per month, and some groups offer PTO, paid sick leave, bonuses and employee referral programs. Roles vary from full-time and part-time jobs to traineeships and partnerships.

How to stay vigilant and protected

To start addressing insider threats, ask these questions:

  • Are users trying to access files that they shouldn’t?
  • Are there attempts to move or copy confidential content?
  • Do you notice users logging on during non-business hours?
  • Can you create a baseline of regular activity carried out by suspicious users?
  • Can you mark user behaviors that deviate from accepted norms as alerts?
  • Are analytics tools receiving database logs?
  • Are there any automated responses in place to revoke access and stop data loss if data is compromised?
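The questions above map directly onto detection rules that can be run over authentication and file-access logs. The following is an added example, not code from the article or from FortiGuard Labs: it parses a handful of constructed log lines (the users, paths and addresses are made up), keeps a small per-user baseline of login sources, and raises findings for off-hours logins, access outside a user's entitlements, bulk copying within a short window, and, echoing the earlier point about laid-off staff who still have access, any activity from an account that should already have been offboarded. A final step turns those findings into a list of accounts to disable, which is the automated-response hook the last question asks about. The log format, the rule thresholds and the entitlement table are all assumptions for the sake of the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data): one event per line in an assumed format:
#   <ISO timestamp> user=<name> action=<login|read|copy> [path=<resource>] [src=<ip>] [dst=<target>]
SAMPLE_LOG = """\
2023-03-06T09:12:00 user=alice action=login src=10.0.1.5
2023-03-06T09:15:00 user=alice action=read path=/finance/q1-forecast.xlsx
2023-03-06T10:02:00 user=bob action=login src=10.0.1.9
2023-03-06T10:05:00 user=bob action=read path=/eng/design-notes.md
2023-03-07T09:01:00 user=alice action=login src=10.0.1.5
2023-03-07T09:30:00 user=alice action=read path=/finance/q1-forecast.xlsx
2023-03-08T23:41:00 user=bob action=login src=198.51.100.7
2023-03-08T23:43:00 user=bob action=read path=/hr/salary-bands.xlsx
2023-03-08T23:44:00 user=bob action=copy path=/hr/salary-bands.xlsx dst=usb
2023-03-08T23:45:00 user=bob action=copy path=/finance/q1-forecast.xlsx dst=usb
2023-03-09T08:55:00 user=carol action=login src=10.0.2.3
"""

# Assumed entitlement table: which path prefixes each user may legitimately touch.
ENTITLEMENTS = {
    "alice": ("/finance",),
    "bob": ("/eng",),
    "carol": ("/eng",),
}

# Assumed HR feed: accounts that should already have been disabled after layoffs.
OFFBOARDED = {"carol"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: path=(?P<path>\S+))?(?: src=(?P<src>\S+))?(?: dst=(?P<dst>\S+))?$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyze(log_text, entitlements, offboarded, business_hours=(8, 18),
            copy_window_min=10, copy_threshold=2):
    """Run the insider-risk rules over the log and return (user, finding, line) tuples."""
    alerts = []
    seen_src = defaultdict(set)      # per-user baseline of login sources seen so far
    copy_times = defaultdict(list)   # per-user timestamps of copy actions

    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        user, action, ts = ev["user"], ev["action"], ev["ts"]

        # Offboarded staff who can still log in or read data: every event is a finding.
        if user in offboarded:
            alerts.append((user, "offboarded-account-active", line))

        if action == "login":
            # Logins outside business hours.
            if not (business_hours[0] <= ts.hour < business_hours[1]):
                alerts.append((user, "off-hours-login", line))
            # Deviation from the user's own baseline: a source never seen before.
            if seen_src[user] and ev["src"] not in seen_src[user]:
                alerts.append((user, "unfamiliar-source", line))
            seen_src[user].add(ev["src"])

        if action in ("read", "copy"):
            # Access to resources the user has no entitlement for.
            allowed = any(ev["path"].startswith(p) for p in entitlements.get(user, ()))
            if not allowed:
                alerts.append((user, "unauthorized-access", line))

        if action == "copy":
            # Several copies within a short window suggest bulk movement of content.
            copy_times[user].append(ts)
            recent = [t for t in copy_times[user]
                      if (ts - t).total_seconds() <= copy_window_min * 60]
            if len(recent) >= copy_threshold:
                alerts.append((user, "bulk-copy", line))

    return alerts


def users_to_revoke(alerts, min_findings=2):
    """Automated-response step: accounts that should be disabled pending review.

    Any activity from an offboarded account is revoked outright; other accounts
    are revoked once they accumulate min_findings separate findings.
    """
    counts = Counter(user for user, _, _ in alerts)
    offboarded_hits = {user for user, kind, _ in alerts if kind == "offboarded-account-active"}
    return sorted(u for u, n in counts.items() if n >= min_findings or u in offboarded_hits)


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG, ENTITLEMENTS, OFFBOARDED)
    for user, kind, line in findings:
        print(f"{kind:26} {line}")
    print("revoke:", users_to_revoke(findings))
```

On the sample log, alice generates no findings, bob trips the off-hours, unfamiliar-source, unauthorized-access and bulk-copy rules, and carol's single login is flagged because the account should already have been disabled. The thresholds here are deliberately simple; in practice the baseline would be built from weeks of history rather than the previous login, and the revoke list would feed an IAM workflow rather than being printed.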

There is no quick fix to solve the insider threat problem. At a time when many businesses are struggling with visibility issues brought on by digital transformation and vendor sprawl, what’s needed is planning, using and reusing technologies as well as having a comprehensive perspective across your network. Reducing the risk associated with insider threats requires a multifaceted approach.

Employees should be trained to recognize and report suspicious activities. This should be part of everyone’s ongoing cyber hygiene training and must be conducted regularly, rather than treated as a one-time exercise. This should go without saying, but any employee who is receiving special access to sensitive digital resources should undergo a background check.

From a technological standpoint, organizations and their security leaders should:

  • Use deception technology to quickly create a fake network that automatically deploys decoys and lures that are indistinguishable from the traffic and resources used in the real network. This is one of the most effective ways to address insider threats.
  • Segment the network to confine activity to certain areas. A zero trust approach may be particularly useful for operations that require greater discretion.
  • Encrypt data at all points: at rest, in use and in transit. Buy tools that can quickly and efficiently decrypt data.
  • Use configuration management tools to examine and rapidly spot devices that are not configured correctly.
  • Use solutions that can track user activity and behavior, including any infractions of policies, and use machine learning to spot anomalous behavior.
  • Use file tracking tools and keep an eye on data access and file transfers.
  • Enhance identity and access management (IAM), using multi-factor authentication (MFA), for example.

Defeating insider threats

The economic downturn and its subsequent layoffs did nothing to strengthen organizations’ security posture. On the contrary, the skills gap has only widened during a time of increasingly sophisticated cyber-attacks, both from without and from within. Defeating insider threats involves asking the right questions and finding the right solutions. Use the information outlined above to create or strengthen your defenses and keep your digital assets safe from insider attack.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
