Although created a few years before the world went into lockdown, something about the simple app-based game Among Us* truly tapped into the pandemic zeitgeist like nothing else. On the one hand, it was a community-based game that worked perfectly in our new Zoom-based reality — while on the other, it tapped into the mounting dread that we were becoming more disconnected from other people. We were seeing images that looked and sounded like our friends, coworkers and classmates, but how could we know for sure? Were they the people connecting to corporate resources and collaboration applications or others who they said they were? And were they there to do what they said they were there to do? The whole thing was, to borrow the game’s own slang, “kinda sus.”
For those who don’t know, Among Us is like the old board game Clue remixed with a paranoid 1970s sci-fi like Alien and adapted for the digital age. You play a crew member on a space vessel and dress in a spacesuit that’s identical to everyone else’s except for its unique color. You all go about the tasks of maintaining the vessel, but one or more of the crew members are imposters who are stealthily taking out their colleagues. Players must look for and debate clues and suspicious behavior to determine the guilty party. If the true imposter is ejected, everyone wins. If not, they all go back to square one.
Those in the cybersecurity space may not find Among Us to be exactly escapist, considering they play a real-life, high-stakes version of this game every single day. It’s one thing to deny access to a hostile party trying to pose as an authorized user, but it’s quite another to pinpoint a malicious agent who has every right to be in your system.
Insider Threats by the Numbers
The Ponemon Institute’s 2020 Cost of Insider Threats report found the average global cost of insider threats rose by 31% in two years to $11.45 million, while the number of total incidents nearly doubled (rose 47%) in the same time period.
The study explored three primary insider threat profiles: negligent insiders (those who unintentionally cause issues), criminal and malicious insiders (those who intentionally cause damage) and credential thieves (those who target login information to gain unauthorized access to applications and systems). Of these three profiles, the study found credential thieves cost organizations an average of $871,000 per incident — three times the cost of a negligence-driven incident. While most insider threats were non-malicious, accidental flubs, they represented a key vulnerability — and resource drain.
Meanwhile, the 2021 Verizon Data Breach Investigations Report (DBIR) found that 99% of incidents classified under the “privilege misuse” category were driven by internal actors. As the report states, “This pattern is an uncomfortable one — this is where the people we trust betray us.” The DBIR found financial gain to be the most common motivator at 67%, yet it revealed several other drivers: fun (17%), a grudge against the employer (14%), espionage (9%), convenience (3%) and ideology (1%).
The insider threat is very real, very hard to spot and makes balancing efficient daily workflows and stringent, always-on security a real challenge. It’s all fun and games until you find yourself alone in the electrical bay with an imposter — figuratively and/or literally, as the case may be.
The Insider Security Conundrum
Ironically (or not), one of Among Us imposters’ more popular “kill zones” is in the vessel’s security room. While crew members are in the room surveilling other areas via security cams, they can’t see what’s happening right behind them.
Working undercover is precisely how insider threats operate, and it’s what makes them so difficult for cybersecurity experts. By focusing on keeping the bad guys out, it’s easy to miss what’s right over your own shoulder. And these threat actors have a leg up — the most crucial thing outside attackers are looking to acquire is something that insiders already have, and that’s legitimate access. Using stolen credentials from other corporate identities, insiders can easily move throughout systems, elevating their access and worming further into privileged systems to steal data or use it in ways they shouldn’t.
Before devising a strategy for shoring up security measures against threats in your own house, it’s important to consider where this responsibility ultimately falls. Is it solely the purview of the info security teams? Or do HR and legal bear some responsibility since insider threats track back to hiring and potential employee vetting? The answer, like so much involved in the digital world, is the more communication and cooperation you have between departments and leadership, the better equipped you will be to uncover and mitigate threats from within. To revisit our Among Us analogy, the fewer dark rooms and unmonitored pathways you have, the less likely malicious actors will be able to move about undetected. Shining those lights is vital.
No Trust, No Sus
The rise of remote and hybrid work, cloud usage and increased reliance on alternate means of employee connection — the very elements that helped fuel the popularity of communal games like Among Us — has caused the scope and consequences of insider threats to explode.
In this new reality, you can’t simply separate the “good” guys from the “bad” guys because they often look alike. What’s more, sometimes a person will start out as one and eventually become the other. The solution is to trust no one until you can continuously verify that they are who they say they are. This means there are no darkened rooms, no hidden vents and far less uncertainty that when someone unlocks and enters a specific “room,” they are there to do their assigned task and nothing else.
This “Zero Trust” approach for every type of identity — human insiders, human outsiders, machine users, applications and even devices — goes a long way in proactively managing insider threats by limiting disruption, strengthening security resilience and protecting resources — particularly in hybrid cloud environments. The threat may be coming from inside the house, but the security measures in place go well beyond a few doors and walls.
Zero Trust would make Among Us far less fun to play for sure, but it makes operating in our new boundary-less world a whole lot safer. Tricking your friends with casual sabotage can be fun when it’s a game, but it’s much less so when millions of dollars and reams of sensitive data are at stake.
*Among Us is created and distributed by InnerSloth LLC