Blog, Part 1: COVID-19: A Field Day for Insider Threats?

Picture: Avi Richards


  • The intensified geopolitical cold war, and especially the hunt for vaccines, increases the risk of espionage, a risk exacerbated by organizational changes (redundancies) and working conditions. This is a perfect storm for nation-state actors trying to reach insiders.
  • Significant pressure on employees causes them to make mistakes, including losing data, and, most importantly, has consequences for their personal lives.


The protection of people, data, processes, physical assets and reputation is pivotal for organizations, especially during the ongoing COVID-19 pandemic. How does the COVID-19 crisis impact insider threats and risks? We argue this crisis significantly increases insider threats and risks on all levels. This article is the first of a two-part blog series and will address various threats stemming from the COVID-19 crisis. The next blog will focus on the solutions. We start with the wider geopolitical implications of the COVID-19 crisis and how this amplifies insider threats for states and organizations alike and then move to the threats from people within organizations.

An insider threat is posed by an individual who has or had authorized access to an organization’s network, systems, or data and who, wittingly or unwittingly, potentially causes harm to the organization. The problem of insider threat affects organizations across all industries. Although the attack methods vary, the primary types of insider act (theft of intellectual property, sabotage, fraud, and espionage) remain the same and are increasing with the expanding use of and reliance on digital technology.

Exacerbating geopolitical tensions and the battle for sensitive data

In a profoundly fragmented and polarized world, the COVID-19 pandemic has further exacerbated the hostile geopolitical landscape. This virus and the grave threat it poses to nations’ public health, economies, and national security have pitted geopolitical rivals against one another in the scramble for a vaccine. The US and China are locked in a competition for supremacy which many in Washington fear they may be losing, as China has invested heavily in building capabilities and acquiring data. Washington’s and Beijing’s bitter exchanges about the causes of the initial outbreak of COVID-19 show how this pandemic fuels geopolitical rivalry.

Although the COVID-19 pandemic also poses an opportunity to reaffirm international cooperation, the recent alarming trends in which Western universities, medical/biotech firms and research institutes working on a potential vaccine are targeted in sophisticated cyber-attacks point to a geopolitical zero-sum game. As nations strive to be the first to acquire a vaccine against COVID-19, the need for organizations and employees in these sectors to be vigilant about data protection is more important than ever.

Nation-states and their intelligence agencies leverage an ever more complex constellation of hacking capabilities, combining large data sets, AI and HUMINT to exploit vulnerabilities in their adversaries’ critical infrastructure and industries, sow disinformation, subvert and compromise cybersecurity and steal secrets. The disruptive nature of this pandemic has overshadowed many other national security risks and compels nations and organizations to understand how the new reality has elevated the risk of insider acts such as espionage and data theft. This global crisis also provides opportunities for intelligence agencies to leverage or corrupt insiders. Who will be the first to adapt to the new reality and obtain a strategic advantage? Conversely, in line with British spy agencies foreseeing a more assertive China after the COVID-19 pandemic, governments are increasingly expected to adopt a more realistic view of their relationship with China and to reassess their dependency on Chinese industry, particularly in strategic areas of the economy like hi-tech research and production, digital communications and AI.

Vast opportunities for hackers and insiders

Malicious (nation-state) hackers thrive on chaos and confusion, and the global COVID-19 crisis represents a perfect storm. For insider threats in particular, the crisis has given rise to three key conditions that have placed actors in an advantageous position. 

  1. Exploiting additional privileges. Many companies have been forced to adopt solutions allowing staff to work remotely before performing a security risk assessment, and have granted additional privileges and access so that (team) work could continue. This allows existing malicious insiders to exploit further data sources.
  2. Reduced vigilance. Most organizations were not prepared for remote working, nor did they have any policies on telecommuting in place. Security awareness programs often fail to address how to work remotely. The result? An increased likelihood that untrained employees unintentionally share and leak information via insecure channels or malicious sites. In addition, the familiar surroundings and safety of one’s home can further reduce the vigilance of employees handling confidential data, such as privacy-sensitive data as well as business secrets. In turn, this exposes organizations under the jurisdiction of GDPR and other privacy regulations to considerable fines and penalties if proper handling is not assured.
  3. COVID-19 phishing expeditions. Phishing attacks using social engineering have been taking advantage of workers’ concerns about COVID-19, their need to learn more about the virus, and their wish to help others in this time of need. Threatpost recently highlighted how COVID-19 phishing emails evade Proofpoint and Microsoft Office 365 advanced threat protection (ATP) solutions. These emails may purport to be from the World Health Organization or other health information centres, increasing the likelihood of users clicking. Once attackers have gathered insider credentials, they can access those resources the user is permitted to use. And they will, especially if the information is interesting.

These unique circumstances of changes in working conditions increase the risk of both unintentional and malicious insider acts. 

Employees and their livelihoods

This brings us to the very heart of the insider threat: the trusted employee (or contractor, intern etc.) with access to the organization. Employees are continuously required to conduct their work under extraordinary circumstances with many uncertainties. COVID-19 represents a wide range of personal challenges, like fear of the virus itself, personal loss, prolonged social distancing and isolation, care for children or the elderly, uncertainty about the future, potential financial insecurity and the risk of economic deprivation that will compound the impact on the individual employee. The virus has already taken a huge toll on the mental health of employees.  

According to a US study, more than 60% of employees say their mental health affects their productivity. A McKinsey survey identified widespread distress, exacerbated even further among those whose jobs have been adversely affected by COVID-19 (figure 1). In the UK, researchers found a rise in depression and anxiety a day after the lockdown was announced. Various European organizations representing health professionals have urged countries to ensure adequate working conditions. They recommend organizations ensure that staff have breaks and time off between shifts and be “able to carry on in what could be a long-term global crisis”. 

Figure 1

Such conditions contribute to unintentional insider threats, as illustrated in the previous section. Distracted attention, increased levels of stress and a lack of opportunity (e.g. the tools) for safe and secure work practices are important factors shaping the cyber-secure behaviours employees can exhibit in the current circumstances.

For those intentional or malicious insiders who are currently embedded in organizations and enjoy continued (or possibly even increased) access to them, this can be a field day. Organizational distraction combined with less visibility of employee behaviour can provide the perfect opportunity for continuing and even intensifying undetected (data) theft. In light of the COVID-19 crisis, it is worth asking what particular or additional risks regular employees, as insiders, could pose. Can the unique circumstances constitute a tipping point for engaging in all forms of insider acts, like data and financial theft or insider trading? According to the Critical Pathway to Insider Risk, personal, professional and financial stressors contribute to or increase levels of insider risk. With hindsight, exposed intentional insiders consistently refer back to these stressors as personal tipping points.

Such stressors are clearly emerging from the COVID-19 crisis. In addition to stressors, personal predispositions and vulnerabilities also play a key role. Preventing insider acts requires monitoring behavioural cues for signs of concerning behaviour, detecting early warning signals, and responding adequately to them. This is a substantial challenge for organizations whose employees are now working from home, but performing these actions is more important than ever. The focus should be on employees who could hurt the organization and employees who may hurt themselves. Viewing your employees with this duty of care in mind is crucial these days.

For hostile intelligence services looking to recruit, this can also be a field day. Many organizations are now going through heavy personnel reduction processes. Among the unemployed are tens of thousands of workers in industries targeted by those hostile intelligence agencies, such as tech, aerospace, energy, and oil and gas. LinkedIn has always been an important source for recruitment (think of Kevin Mallory and the Chinese intelligence services) and will be a fantastic source to shop for recruits. As a reminder, and as the Mallory case shows, you don’t have to remain inside an organization to share information that’s still in your head.

In conclusion

The COVID-19 crisis will have a permanent impact on the world and the geopolitics by which it is governed, on the way we do business, and on how we work together. We have highlighted two broader categories of threat. Firstly, the intensified geopolitical cold war, and especially the hunt for vaccines, increases the risk of espionage, a risk exacerbated by organizational changes (redundancies) and working conditions. This is a perfect storm for nation-state actors trying to reach insiders. Secondly, significant pressure on employees causes them to make mistakes, including losing data, and, most importantly, has consequences for their personal lives.

This requires a new focus on appropriate measures to conduct safe, secure and continued business in a profoundly more turbulent environment. In our next blog, we will provide ways to prevent, detect, respond to and recover from the above-mentioned insider threats and risks to organizations.

We welcome your feedback and suggestions. 
