The Kroll Q3 2022 Threat Landscape report shows an increase in insider threat incidents, which reached the highest level to date in Q3, accounting for 35% of all unauthorized access incidents. Kroll has attributed the increase to the phenomenon known as the great resignation, where large numbers of employees are changing jobs following the COVID-19 pandemic.
These incidents commonly occur during the employee termination process and when employees take on a new position with another employer. Disgruntled employees may steal sensitive data from an employer with the intent of causing harm, or take valuable information, such as proprietary data or contact lists, to a new employer. Insider threats are more difficult to defend against than external threats, where it is the network perimeter that needs to be defended. With insider threats, individuals already have access to the network and sensitive data, often with highly privileged access. When they access and copy information, it may not raise any red flags.
Given the increase in insider threat incidents, businesses need to ensure they have defenses in place that make it harder for employees to steal data and limit the amount of data that can be stolen. That means ensuring employees only have access to the parts of the network and data they need to complete their work duties, with access rights configured based on the principle of least privilege. It is also important to monitor employee activity to identify any suspicious actions, such as employees performing large data downloads or connecting unknown USB devices. Alerts should be generated when these activities are detected and they should be acted upon quickly. It is also important to stress the company rules to employees and explain what is and is not allowed.
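One way to implement the monitoring described above, shown as an added example that is not taken from the Kroll report: it flags unknown USB devices and large daily downloads, and applies a tighter download threshold and higher severity to employees who are in their offboarding period. The event fields, thresholds, 30-day window, user names and device serials are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the report): HR last-working-day records,
# an allowlist of approved USB serials, and endpoint/DLP events.
LAST_DAY = {"alice": date(2022, 9, 30)}
APPROVED_USB = {"USB-0001", "USB-0002"}
EVENTS = [
    {"day": date(2022, 8, 1), "user": "alice", "type": "download", "mb": 900},
    {"day": date(2022, 9, 20), "user": "alice", "type": "download", "mb": 900},
    {"day": date(2022, 9, 22), "user": "bob", "type": "download", "mb": 4200},
    {"day": date(2022, 9, 22), "user": "bob", "type": "usb", "serial": "USB-0001"},
    {"day": date(2022, 9, 23), "user": "alice", "type": "usb", "serial": "USB-9F3C"},
]

NOTICE_WINDOW = timedelta(days=30)  # assumed review window before the last day
DAILY_MB_LIMIT = 2000               # assumed threshold for all employees
LEAVER_MB_LIMIT = 500               # assumed tighter threshold for leavers


def is_leaver(user, day):
    """True if the user has a recorded last day and `day` is in the window."""
    last = LAST_DAY.get(user)
    return last is not None and last - NOTICE_WINDOW <= day <= last


def find_alerts(events):
    """Return (day, user, rule, severity) tuples in chronological order."""
    alerts, daily_mb = [], {}
    for ev in sorted(events, key=lambda e: e["day"]):
        user, day = ev["user"], ev["day"]
        severity = "high" if is_leaver(user, day) else "medium"
        if ev["type"] == "usb" and ev["serial"] not in APPROVED_USB:
            alerts.append((day, user, "unknown_usb", severity))
        elif ev["type"] == "download":
            before = daily_mb.get((user, day), 0)
            daily_mb[(user, day)] = before + ev["mb"]
            limit = LEAVER_MB_LIMIT if severity == "high" else DAILY_MB_LIMIT
            # Alert once per user per day, when the running total crosses the limit.
            if before <= limit < daily_mb[(user, day)]:
                alerts.append((day, user, "large_download", severity))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

The same 900 MB download by the same user is ignored in August but raises a high-severity alert once the user is inside the offboarding window.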
In Q3 2022, unauthorized access incidents accounted for 27% of all cyber incidents, up from 26% in Q2 and 17% in Q1. Email compromise was the most common cyber incident, accounting for 30% of all incidents in the quarter, the same percentage as Q2 and a slight fall from the 32% in Q1. Ransomware attacks fell substantially in Q3, accounting for 25% of all incidents, down from 33% in Q2 and 32% in Q1. The fall in ransomware attacks has been attributed to the breakup of the Conti ransomware gang, one of the most prolific ransomware operators. Also, some ransomware threat actors are now favoring extortion without encryption and have dispensed with ransomware in their attacks. Malware incidents rose to 5% of all incidents, from 1% in Q2 and 3% in Q1, and Kroll notes there has been an increase in USB incidents and phishing attacks in Q3.
In Q2, healthcare was the most attacked sector; however, healthcare has now been overtaken by professional services, which accounted for 21% of all cyber incidents, up from 12% in Q2. Manufacturing accounted for 12% of incidents, followed by financial services with 11% of attacks, and healthcare fell to fourth spot, accounting for 9% of all incidents.