If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake-up call
The security giant has confirmed an insider threat incident but says its systems weren't compromised
CrowdStrike has admitted that an insider took screenshots of internal systems and shared them with hackers, and experts say it should serve as a wake-up call for enterprises slacking on this growing threat.
The admission by the company follows initial reports from BleepingComputer, which noted that screenshots had been shared via Telegram by the Scattered Lapsus$ Hunters threat group.
The hackers behind the scheme told the publication they’d paid the insider a fee of $25,000 for their involvement.
The shared data included authentication details, which CrowdStrike said it had already locked down after detecting the insider's activity. The hackers were also seeking CrowdStrike's intelligence reports on the threat groups with which they are affiliated.
While CrowdStrike admitted the incident took place, a spokesperson for the company told ITPro that no systems were breached and customer data remains secure.
"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally," the spokesperson said.
"Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."
Chris Linnell, associate director of data privacy at Bridewell, said the incident highlights how difficult insider threats are to protect against.
Insiders already hold legitimate credentials and detailed knowledge of internal systems, so their activity can look authorized to security controls, allowing them to operate undetected and cause serious damage.
"Malicious insider activity represents one of the most costly and challenging cybersecurity threats for organizations," he said.
"Unlike external attacks, these incidents exploit trust and authorized access, making detection and remediation far more complex."
Don't get caught by insider threats
Insider threats have become a recurring talking point in recent years, with security industry stakeholders warning about a sharp increase in these incidents.
Arctic Wolf's 2024 State of Cybersecurity report, for example, showed that 61% of organizations had spotted insider threats in the previous year — with 29% of those leading to a leak.
A similar report from Exabeam earlier this year revealed that two-thirds of European security professionals now see insider threats as a bigger risk than external threat actors.
There's a full spectrum of insider risks, Linnell said, ranging from inadvertent mistakes to deliberate theft or sabotage, any of which can cause havoc for a business.
In September, ITPro reported that fintech FinWise warned customers their data may have been leaked after an insider attack by a former employee.
Back in March, a "disgruntled" employee was convicted of "causing intentional damage to protected computers" after deploying a so-called "kill switch" on his former employer's networks.
High-profile incidents such as these should serve as a warning. However, Linnell noted that, despite repeated warnings, many enterprises still disregard the threats they face.
"Recent cases highlight how motivated insiders can compromise sensitive data or systems, sometimes under pressure from organized crime or state-sponsored groups," he said.
"Despite this growing threat, many organizations still lack formal insider threat programmes and only identify issues after harm has occurred."
How to address insider threats
To mitigate the risk, Linnell recommended a layered approach that combines technical measures, such as behavioral analytics to flag anomalous activity, with data loss prevention (DLP) tools that monitor sensitive data and network activity.
"Organizations should enforce strong access controls, including the Principle of Least Privilege, multi-factor authentication (MFA), and regular access reviews," Linnell added.
"Advanced measures like dynamic watermarking and screen capture blocking can deter and trace leaks, while adaptive protection technologies can automatically revoke access when abnormal behaviour is detected.
"Insider risk is not a problem that can be solved with a single tool — it requires a holistic, proactive strategy to protect sensitive data and maintain trust."
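As an added illustration of the layered controls Linnell describes (a per-user behavioral baseline, a sensitive-data rule, and adaptive revocation of access once anomalous behavior accumulates), the following Python script is an editor's example, not code from CrowdStrike, Bridewell or this article. It assumes a simple whitespace-separated audit-log format (timestamp, user, action, resource) and uses a constructed log in which one user reads and screenshots material outside their normal pattern in the small hours; the resource categories, scoring weights, revocation threshold and "revoke session" response are all assumptions chosen for illustration.

```python
"""Insider-risk scoring over audit logs (added example, assumptions noted inline).

Layers shown:
  1. behavioral baseline: which resource categories and hours each user normally touches
  2. data-centric rule: access to sensitive resources and risky actions (screenshot, export)
  3. adaptive response: revoke the user's session once accumulated risk crosses a threshold
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. Assumed format: ISO timestamp, user, action, resource.
SAMPLE_LOG = """\
2025-10-01T09:12:00 alice read ticket/4471
2025-10-01T10:03:00 alice read ticket/4490
2025-10-02T09:40:00 alice read ticket/4502
2025-10-02T14:10:00 alice read wiki/onboarding
2025-10-03T09:05:00 alice read ticket/4533
2025-10-03T11:20:00 alice read wiki/runbooks
2025-10-01T09:00:00 bob read ticket/4470
2025-10-02T09:30:00 bob read ticket/4480
2025-10-03T09:15:00 bob read ticket/4490
2025-10-04T02:47:00 alice read threat-intel/report-apt-grp
2025-10-04T02:49:00 alice screenshot secrets/sso-config
2025-10-04T02:51:00 alice read secrets/sso-config
2025-10-04T09:10:00 bob read ticket/4500
"""

# Assumed policy values; a real deployment would tune these per environment.
SENSITIVE_PREFIXES = ("secrets/", "threat-intel/")
RISKY_ACTIONS = {"screenshot", "export", "download"}
REVOKE_THRESHOLD = 8


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    resource: str


def parse_log(text):
    """Parse the assumed four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, resource))
    return events


def build_baseline(events):
    """Per-user set of resource categories and hours-of-day seen in the history window."""
    baseline = defaultdict(lambda: {"categories": set(), "hours": set()})
    for e in events:
        baseline[e.user]["categories"].add(e.resource.split("/")[0])
        baseline[e.user]["hours"].add(e.ts.hour)
    return baseline


def score_event(e, baseline):
    """Return (score, reasons) for one event; higher means more anomalous."""
    score, reasons = 0, []
    b = baseline.get(e.user)
    category = e.resource.split("/")[0]
    if b is None or category not in b["categories"]:
        score += 2
        reasons.append(f"new resource category '{category}'")
    if b is None or e.ts.hour not in b["hours"]:
        score += 2
        reasons.append(f"unusual hour {e.ts.hour:02d}:00")
    if e.resource.startswith(SENSITIVE_PREFIXES):
        score += 2
        reasons.append("sensitive resource")
    if e.action in RISKY_ACTIONS:
        score += 3
        reasons.append(f"risky action '{e.action}'")
    return score, reasons


def analyse(history, recent):
    """Score recent events against the history baseline and decide on revocations.

    Returns (alerts, revoked): alerts are (user, resource, score, reasons) tuples for
    every non-zero event; revoked is the set of users whose cumulative score crossed
    REVOKE_THRESHOLD (the adaptive-protection step).
    """
    baseline = build_baseline(history)
    cumulative = defaultdict(int)
    alerts, revoked = [], set()
    for e in sorted(recent, key=lambda x: x.ts):
        score, reasons = score_event(e, baseline)
        if score == 0:
            continue
        cumulative[e.user] += score
        alerts.append((e.user, e.resource, score, reasons))
        if cumulative[e.user] >= REVOKE_THRESHOLD:
            revoked.add(e.user)  # in production: call the IdP/session-store revoke API
    return alerts, revoked


def run_sample():
    """Split the constructed log into a 3-day baseline window and the day under review."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2025, 10, 4)
    history = [e for e in events if e.ts < cutoff]
    recent = [e for e in events if e.ts >= cutoff]
    return analyse(history, recent)


if __name__ == "__main__":
    found_alerts, revoked_users = run_sample()
    for user, resource, score, reasons in found_alerts:
        print(f"{user:6} {resource:28} score={score:2}  {'; '.join(reasons)}")
    print("sessions revoked:", sorted(revoked_users))
```

On the constructed data, the first off-hours read of a threat-intelligence report scores 6, the screenshot of a secrets resource scores 9 and pushes alice over the threshold, and bob's routine ticket access at 09:10 produces no alert. The baseline here is deliberately crude (hour-of-day and top-level resource category only); a real behavioral analytics deployment would use a longer history, peer-group comparison and weekday patterns, and would pair the revocation with a human review so that a single legitimate late-night incident response does not lock an analyst out.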
But it's not all about technology, he noted. Companies also need to manage their people through clear policies with consequences, background checks during recruitment, and rescreening for high-risk roles.
Background checks and rescreening are particularly important given the rise of fake IT workers. Businesses around the world have been hit by these schemes, which have become a hallmark of North Korean state-sponsored cyber crime.
These schemes typically involve state-linked individuals securing IT roles at companies, after which they extract sensitive corporate data or infect systems with malware.
The growing number of cases has prompted advisories from law enforcement and big tech companies such as Google, which earlier this year warned that these operations are targeting enterprises in both the United States and Europe.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.