Insider Threat Deep Dive on IT Sabotage: Updated Statistics (Part 1 of 2)
IT sabotage has been an area of increasing interest and concern across government, research, industry, and the public sector. IT sabotage is defined as incidents wherein malicious insiders intentionally use technical methods to disrupt or halt the normal business operations of a victim organization. What makes sabotage so compelling a concern is that a few lines of code can put an organization out of business.
In the six years since the last "deep dive" blog post on IT sabotage was published, new incidents have been identified and recorded in the CERT Insider Threat Incident Corpus. Examples of IT sabotage incidents include the following:
- In 2012, a systems architect who was notified of their termination (after transmitting unauthorized material) used remote access to delete data and reset servers, then used on-site access to disable computer cooling systems. The victim organization, an energy firm, reported over $1 million in lost revenue and recovery fees.
- In 2012, a systems administrator rendered their former employer's network unusable in under 30 minutes. The victim organization, an information technology firm, needed 30 days to recover from the attack. If the insider's replacement had not made additional system backups before the attack, the organization never would have been able to recover its network.
- In 2013, shortly before a major holiday, a recently promoted technical staff member received a poor performance review from the victim organization, a financial institution. In retaliation, the insider used their on-site, authorized access to transmit malicious code outside of normal business hours. In less than two minutes, the insider caused 90% of the victim organization's domestic network to fail.
- In 2014, a disgruntled electrical engineer deleted all of the data on the devices issued to them by the victim organization, a military base, and told the organization that it could not have access to the engineer's work products since the engineer was no longer an employee.
There have also been some changes to the statistics we reported in 2010. Across the sabotage incidents recorded since then, victim organizations experienced disruptions to business operations in 119 incidents (77.8%) and known reputational damage in 10 incidents (6.5%).
While 86% of insiders who committed sabotage held technical positions in 2010, today that figure is closer to 72%.
Of the 110 malicious insiders who held technical positions, only 19% held active administrator or privileged access at their organization at the time of the incident. An additional 20% of these technical insiders were former employees whose access had not been deactivated, which is what enabled them to commit sabotage. The remaining insiders held authorized, unprivileged access (15%), unauthorized or revoked access (25%), or unknown access (21%).
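The 20% figure above is the one organizations can most directly act on: a former employee can only sabotage systems through an account that was never disabled, or that was used after the termination date. The following script is an added example, not code from the CERT post or the Insider Threat Incident Corpus. It reconciles a constructed HR termination list against a constructed account export and flags two deprovisioning gaps: accounts still enabled after termination, and accounts that logged on after the termination date. The field names (`username`, `enabled`, `last_logon`, `privileged`, `terminated_on`) are assumptions chosen for the example; a real directory or HR export will need mapping to them.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Dict


@dataclass
class Account:
    """One row of a directory/account export (assumed field names)."""
    username: str
    enabled: bool
    last_logon: Optional[date]
    privileged: bool  # admin or other elevated rights at time of export


@dataclass
class Termination:
    """One row of an HR separation list (assumed field names)."""
    username: str
    terminated_on: date


def find_deprovisioning_gaps(accounts: List[Account],
                             terminations: List[Termination],
                             as_of: date) -> List[Dict]:
    """Return one finding per gap between HR terminations and account state.

    Issues reported:
      still_enabled           - account enabled on or after termination date
      logon_after_termination - last logon is later than the termination date
    Privileged accounts sort first because they map to the highest-impact
    sabotage cases.
    """
    term_by_user = {t.username: t for t in terminations}
    findings: List[Dict] = []

    for acct in accounts:
        term = term_by_user.get(acct.username)
        # Skip current employees and terminations that have not happened yet.
        if term is None or term.terminated_on > as_of:
            continue

        if acct.enabled:
            findings.append({
                "username": acct.username,
                "issue": "still_enabled",
                "days": (as_of - term.terminated_on).days,
                "privileged": acct.privileged,
            })
        # Check last logon regardless of enabled state: a disabled account
        # can still show use between termination and the (late) disablement.
        if acct.last_logon is not None and acct.last_logon > term.terminated_on:
            findings.append({
                "username": acct.username,
                "issue": "logon_after_termination",
                "days": (acct.last_logon - term.terminated_on).days,
                "privileged": acct.privileged,
            })

    findings.sort(key=lambda f: (not f["privileged"], -f["days"], f["username"]))
    return findings


# Constructed sample data (not from any real organization).
SAMPLE_ACCOUNTS = [
    Account("jdoe", enabled=True, last_logon=date(2015, 3, 10), privileged=True),
    Account("asmith", enabled=False, last_logon=date(2015, 2, 5), privileged=False),
    Account("bwong", enabled=False, last_logon=date(2015, 1, 20), privileged=False),
    Account("clee", enabled=True, last_logon=date(2015, 3, 14), privileged=True),
    Account("dpark", enabled=True, last_logon=date(2015, 3, 12), privileged=False),
]
SAMPLE_TERMINATIONS = [
    Termination("jdoe", date(2015, 2, 1)),    # privileged, never disabled
    Termination("asmith", date(2015, 2, 1)),  # disabled late, used after leaving
    Termination("bwong", date(2015, 2, 1)),   # cleanly deprovisioned
    Termination("dpark", date(2015, 4, 1)),   # future-dated separation
]
AS_OF = date(2015, 3, 15)

if __name__ == "__main__":
    for f in find_deprovisioning_gaps(SAMPLE_ACCOUNTS, SAMPLE_TERMINATIONS, AS_OF):
        flag = "PRIVILEGED " if f["privileged"] else ""
        print(f"{flag}{f['username']}: {f['issue']} ({f['days']} days)")
```

Run against real exports, the `still_enabled` findings are the direct fix list; the `logon_after_termination` findings are the ones worth handing to incident response, since they show an account that was actually used after the person should have lost access. The `as_of` parameter exists so the same report can be regenerated for a past date when reconstructing a timeline.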
The insiders who had unauthorized or revoked access in some instances compromised accounts to gain system access, which I will explore in Part 2 of this blog series. I will also include some IT sabotage lessons for organizations to learn. Further reading on real sabotage cases is available in the paper Chronological Examination of Insider Threat Sabotage: Preliminary Observations.