
#ISC2CONGRESS - Lisa Forte Keynote: Insider Threats A Bigger Challenge Than Ever

Oct 20, 2021

In one of the most sobering presentations about the current state of security delivered during (ISC)² Security Congress 2021, security expert Lisa Forte said no matter how many protective measures an organization takes, it can never achieve zero risk. Insider threats are always a possibility.

Forte, co-founder of Red Goat Cyber Security, used her keynote speech on the third and final day of Security Congress to drive home the point that insider threats have gotten harder to identify. Not only does technology make it easier to steal data, bad actors also can manipulate insiders into becoming unwitting spies. And that’s on top of those insiders who are willing collaborators.

To minimize risk, Forte said companies should take a number of measures, including training, monitoring, and instituting whistleblowing policies that encourage employees to report suspicious behaviors.

To illustrate how corporate spies operate in the digital age, Forte told the story of a U.K. scientist, John Buckingham, who was working at a lab and ended up sharing privileged information with his Bulgarian girlfriend, Sveti. The girlfriend turned out to be a spy who persuaded Buckingham to upload what was supposed to be a video of her dance performance so he could give her feedback.

After attempting to download the MP4 file with his iPhone, Buckingham was instead talked into using an older computer in his lab, which presumably had fewer malware protections than more updated machines. “Unbeknownst to John, the video was perhaps a little less MP4 and a little more malware,” Forte said.

The lab systems became infected, Buckingham was interrogated by his organization’s security team and Sveti disappeared. Before being tricked into infecting the lab, he had given her plenty of data and diagrams along the way about his work because she had expressed so much interest. “At no point at all throughout the entire thing did it ever cross his mind the relationship wasn’t real,” Forte said.

It all started with a LinkedIn post that Buckingham wrote, to which Sveti posted a comment in reply. He was intrigued by her reply and sent her a private message, and that’s how their relationship started. This illustrates how subtle cyber spies can be. They targeted Buckingham, who was recently divorced, and created a character – Sveti – to appeal to him and establish a rapport.

“It’s often very, very subtle. In this instance, she commented on one of his LinkedIn posts, and he messaged her,” Forte said.

Social Media Concerns

Cyber spies often use social media profiles to find their targets, Forte said. Initially, spies would create fake accounts to pursue their nefarious goals. But platforms have gotten better at pulling down those accounts, especially during the pandemic, so cyber spies have resorted to hacking real accounts and using them for their work.

“If you can compromise an account and use it for nefarious purposes, it’s much less likely that social media platforms will pull them down as opposed to new accounts.”

The problem has caught the attention of the U.K.’s MI5 and other intelligence agencies around the world. The British government’s Centre for the Protection of National Infrastructure has even launched a campaign called “Think before you link.” The program aims to prevent users from falling prey to bad actors who manipulate them into becoming unwitting collaborators.

Intentional Insiders

While Buckingham was an unwitting spy, that’s not always the case. Forte pointed out that employees who feel unhappy and mistreated can become insider threats.

The Soviets, she said, understood this. That’s why in the 1940s they founded Ozersk, a secret city that offered its 100,000 residents a veritable paradise on earth even though they were essentially prisoners who could not leave the city or contact anyone outside its walls. The city was the nucleus of the Soviet nuclear research program. Residents were happy and loyal because the Soviet government delivered them three important messages:

  • You are being treated well.
  • You will not find anything better outside.
  • You are special and you are valued.

The city still exists and its residents remain fiercely loyal, even though they are still essentially prisoners. And because of a nuclear facility inside city walls that leaked radioactive material, Ozersk has a higher level of contamination than Chernobyl, Forte said.

“When people don’t feel happy, when people don’t feel content, they don’t have that individual investment in the company or in the city or in the country to which they belong. People will accept some pretty Draconian measures, and they are quite happy to put up with that and keep the secrets, as long as they feel valued and they feel they got a good deal,” Forte said.

Implicit in that message is that organizations need to find ways to keep their employees happy and valued to discourage any temptation to become willing insiders. The risk is significant and, Forte noted, it’s even greater now with so many more people working from home.