An insider threat is defined as a security risk that derives from within an organisation; and with the global cost averaging $11.45 million, it is critical that organisations address this issue. Frequently, the risk is attributed to malicious or negligent employees, as well as others close to the organisation, such as contractors and business associates, and think that employee monitoring software will prevent threats. Yet, this understanding of insider threats misleadingly unloads the blame on people; in other words, exposing them as the scapegoat.

About the author Javvad Malik is a Security Awareness Advocate at KnowBe4.

While there are people who do actively seek to harm an organisation, according to the Ponemon Institute’s ‘2020 Cost of Insider Threats Report’, they only account for 23% of insider threats. The majority of people can be easily trained to become an asset rather than a liability for the organisation.

Rather than blaming people then, why are we not shifting our attention to the root of the problem? That is to say, security software.

Whether embedded with vulnerabilities, corrupted by governments, or used as a channel to harvest data for a profit, the use of security software at present is riddled with problems.

Double agents in security

One of the largest and most commonly used security software providers, is the Czech-based company, Avast antivirus, with more than 435 million active users across 59 countries employing their antivirus protection. However, until the end of January 2020, Avast was also furtively gathering data from their users and selling that data on to third-party customers through their subsidiary, Jumpstart. In that sense, they have been working as a double agent against the very people who had entrusted them with their internet security and, specifically, their privacy.

(Un)Flawless

In many cases, the software itself is faulty. According to the Veracode SOSS Report Vol. 10 published last year, around 10 million flaws were found across 85,000 applications and 83% of those applications had at least one flaw in the initial scan. Out of those flaws, 20% were marked ‘high’ or ‘very high’ severity. It is precisely through exploiting such vulnerabilities that bad actors are able to infiltrate an organisation and access its data.

Complicating things further, the sheer scale and complexity of vulnerabilities makes it that much harder to verify if a system has or has not been patched. Indeed, the majority of data breaches (60%) occur because software vulnerabilities were left unpatched. The Equifax data breach of 2017 and the Marriott breach in 2018 are two exemplars of this occurring, collectively exposing over 640 million records.

Monkey business in government

In certain instances, the government gets involved, and not in a way that resolves infringements on privacy rights or apprehends the criminals behind attacks. Rather, they themselves are the offender. The attacks carried out by APT5, otherwise known as Manganese, on high-end enterprise VPN servers are a clear example of this.

Since August 2019, it was revealed that Chinese state-sponsored hackers performed internet scans in search of Fortinet and Pulse Secure VPN servers. They then attempted to exploit two vulnerabilities within these VPN servers to gain access to files without the need for authentication. In this way, allowing the hackers to acquire access to passwords and VPN session data from vulnerable devices. The Iranians are not too far behind either. A report by cybersecurity firm ClearSky revealed that Iran’s government-backed hacking units have made it a priority to exploit VPN bugs as soon as they become public.

Fortinet and Pulse Secure VPN servers are both widely used, with hundreds of thousands of customers. More specifically, Pulse Secure is popular amongst numerous Fortune 500 companies, including some of the largest technology firms and government agencies. Their use of a VPN server is, primarily, to protect their internal servers from unauthorized access. Yet, if they fail to do so, how can we then turn around and blame the employees when a breach occurs?

Phishing for a scapegoat

Finally, there is scareware. As is implied by the name, scareware is a form of phishing that gambles on your fear and perception of an impending threat. Through a pop-up ad, cybercriminals send warnings suggesting that your computer is infected with malware or that it is “running slow”. They then capitalize on your concern and panicked reaction to provide a ‘solution’.

However, the ‘solution’, a fake or a bogus update, enables the bad actor to access your data and install malware on your computer, perhaps even ransomware. In this type of scenario, it is easy to point the finger at the individual who clicks on the ad, but what about the security software providers who let it happen? Is it not the responsibility of security software programs to identify malicious ads and block them from popping up on the screen?

The real insider threat

In the end, we are left to wonder what the real insider threat is. All this time, people have been described as the weakest link and held responsible for exposing organisations to insecurity. Yet, looking at the evidence, the problems seem to stem from security software and their providers. Considering that they are the ones who are supposed to protect us, both individuals and organisations, from a cyberattack, it is rather ironic that they are, in reality, the problem.