Electric car manufacturer Tesla is facing a nightmare insider attack scenario for which too many companies today fail to prepare. Tesla CEO Elon Musk admitted this week that an employee managed to intentionally wreak havoc with the software code that underpins the company's manufacturing system. The fallout has resulted in "quite extensive and damaging sabotage to our operations," according to Musk in a company-wide email that was leaked to CNBC two days ago.
This particular case of sabotage at Tesla comes at a very precarious point in the company's progression. It's getting hammered by investors for a number of reasons, but its inability to produce new cars at the pace of customer demands is toward the top of the list. An insider attack like this only further intensifies these problems—not only through the disruption in factory production but also the hit the brand takes after allowing an insider enough access to damage mission-critical systems.
But there's really no good time for sabotage at any business. As businesses increasingly depend upon complex software to run their factories and produce salable products, such events can potentially put any company at risk of substantial losses and even push them into existential crises similar to Tesla's.
According to the 2018 Cost of Insider Threats report from Ponemon Institute, security events caused by insiders cost organizations as much as $26.5 million in the past year, with an average cost of $8.7 million. The study found that all types of insider incidents—credential theft, malicious attacks like the Tesla sabotage, and negligent insiders—are on the rise. The incidence of malicious insider attacks has gone up by about 60% in the past two years.
Meanwhile, organizations consistently underestimate the potential risk and impact of insider threats on their business. Another study, the 2018 Insider Threat Report from Cybersecurity Insiders, found that only about 3% of organizations believe that an insider attack would cost them more than $2 million. Juxtaposed against Ponemon's numbers, these estimates show that enterprises may not be properly calculating their insider risks.
That underestimation probably explains their lack of process and tooling to detect and respond to insider attacks. The Ponemon report showed that it takes organizations an average of 73 days to contain an insider incident. In sabotage situations like the one that hit Tesla, that's a long runway for an insider to do a tremendous amount of damage. This big window is likely attributable to a lack of maturity in many organizations when it comes to monitoring users and the systems they interact with. The Cybersecurity Insiders study shows that while 90% of organizations agree that it is necessary to monitor and profile how insiders are accessing sensitive data, just 29% of organizations use automated tools to monitor user behavior 24x7. Similarly, only 42% of organizations inventory and monitor key assets and system resources, and just 47% monitor access to sensitive data.
And make no mistake about it, insiders are in corporate systems doing damage—willfully or negligently—on a daily basis. According to the 2018 Insider Threat Intelligence report from Dtex, 72% of assessments in enterprise environments unveiled the use of high-risk applications on corporate systems—including hacking tools—and 60% of assessments found that users were actively attempting to bypass security measures through private or anonymous browsers and research.
Meanwhile, the experts at PwC report that 44% of data breaches can be laid at the feet of insiders. In Tesla's case, the sabotage was allegedly carried out by an employee disgruntled about being passed over for promotion. Interestingly, PwC reports that 90% of insiders didn't exhibit any kind of workplace behavior that would throw up red flags prior to carrying out their attacks.
While Tesla provides a particularly dramatic example to highlight the dangers presented by these numbers, it is hardly the only example we've seen in 2018. In fact, the past few months have been full of other illustrations of the damage that insiders can inflict and the risks they pose when given too many permissions and not enough monitoring.
For example, just last week, the U.S. Interior Department's Inspector General released a report stating that two very valuable dams in the U.S. are "at high risk from insider threats" due to egregious problems in security at the most basic levels, such as failing to follow the principle of least privilege. And several months ago, it was found that a former employee of SunTrust bank tried to provide a criminal third party with a mother lode of bank customer information. The employee attempted to download and pass off information about 1.5 million customers—including names and account balances.