Black hats are baddie hackers, white hats are goodies, grey hats will sell IP to kids in hoodies
Survey says one in five security pros have been asked to screw over their employer
The threat from rogue insiders, for so long dismissed as scare stories, has quietly bubbled back on to the official worry list.
High-profile cases – like that brought against Anthony Levandowski over IP he was accused of stealing from Google's Waymo car division, and Jiaqiang Xu, who got five years in the clink for stealing source code belonging to IBM – have helped to bring these fears back to the fore.
Even the US government has been caught out – three employees of the Department for Home Security were accused of stealing a computer containing the personal files of 246,000 agency staff.
For years, the dominant narrative was the spiteful employee run amok, either spilling or stealing data (the Morrisons worker who leaked its entire employee database in 2014), or just plain messing with the network (the admin who caused chaos at Gucci in 2010).
It's now dawned on organisations that it's the quiet rogues you never hear about – let's call them the "exfiltraitors" – that represent a threat potentially as bad as anything from the outside.
A CA study (PDF) earlier this year reckoned that 47 per cent of insider threats stemmed from maliciousness of one sort of another, with the remainder caused by carelessness. The single biggest factor was the abuse of privileges, precisely the thing that coders, admins and managers need to do their jobs.
Fade to grey
The idea of abusing privileges brings us to a specialised category of exfiltrating insider, the so-called "grey hat". These are engineers or coders who know a lot about a company's IP, assets and weaknesses, and have the entrepreneurial skills to understand that this knowledge is worth something.
Strictly speaking, a grey hat is just a black hat hacker who uses their day job to enable their nefarious activity, but this month's Malwarebytes-sponsored Osterman survey of 900 security pros across the UK, US, Germany, Australia and Singapore found that it can be incredibly difficult for companies to spot the difference.
Winner, Winner, prison dinner: Five years in the clink for NSA leakerREAD MORE
Globally, 4.6 per cent of respondents believed a colleague fell into the grey category, which rose in the UK to an alarming 7.9 per cent. This sounds bad until you read that 12 per cent of respondents said they had considered black hat activity during their careers, with more than one in five claiming they had been approached to carry out such acts.
When asked which security threats had affected their organisations in the previous 12 months, intentional insider data breaches were mentioned by almost one in ten.
"Our research discovered that the proportion of grey hats increases with the size of the organisation. For example, while grey hats represent 2.8 per cent of IT security professionals in small organisations, this figure increases to 4.2 per cent for mid-market organisations and 5.7 per cent for large ones," wrote Osterman's researchers.
In the UK, 7 per cent believed it was easy to get involved in grey hat activities without being caught, particularly those in mid-market organisations less likely to have monitoring or controls.
Barely one in ten in the UK agreed with the statement that "there is more money to be made in fighting cybercrime than being a cybercriminal". Money wasn't the only motivation for turning to the dark side. Other reasons mentioned included that professionals might do it for revenge on their businesses, for the challenge, or for political or philosophical reasons.
"We are seeing more instances of the malicious insider causing damage to company productivity, revenue, IP and reputation," said Malwarebytes' CEO, Marcin Kleczynski.
Sceptics will observe that security companies have been banging on about insider threats for years, so does any of this stand up beyond the general observation that employees occasionally go bad?
According to an unusual warning by the CEO of large US defence contractor Raytheon, Thomas A Kennedy, a new factor for today's grey hat economy is geopolitical rivalry.
In a recent Fortune article, Kennedy drew attention to "collection requirements", a term used to describe catalogues of tech IP that attract the highest prices on the black markets used by nation states to grab each other's secrets.
"Do any of your employees have such handbooks? And if they were stockpiling and exporting sensitive data, would you know before it was too late?" he wrote.
The End for Fin7: Feds cuff suspected super-crooks after $$$m stolen from 15m+ credit cardsREAD MORE
State-sponsored IP theft has become a business, the threat from which could be internal just as easily as external.
"A knowledgeable insider using a new generation of hacking tools could steal terabytes worth of valuable IP in a matter of minutes," Kennedy said. "Your IT teams should know which sections of your networks are off-limits and monitor for attempts at inappropriate access."
It's no longer journalists and security companies writing about malicious insiders – CEOs now feel the need to advertise the threat from their own employees to the world, a strange thing to do on the face of it. Or perhaps the message isn't only for investors but is directed at employees who might think about leaking IP.
In a few short years, insider threats have gone from being an abstract threat to worry the IT teams to a business big enough to concern – and define – many businesses. The ones that will live to tell the tale are those that grasp that the only company without an insider threat is the one with no employees. ®
Sponsored: Becoming a Pragmatic Security Leader