Why Insider Threats Are Worse Than You Think: CrowdStrike Services Chief
As insider attacks get more insidious, partners have major opportunities to help customers adapt to the new threats, CrowdStrike’s Thomas Etheridge tells CRN.
While threats from internal employees have been increasingly taken seriously in recent years, insider threats continue to evolve and are now more sophisticated and frequent than many organizations realize, according to CrowdStrike’s Thomas Etheridge.
Risk from insiders, Etheridge said, has moved “to a whole different level” with recently discovered campaigns from groups such as Famous Chollima. This threat actor tied to North Korea has infiltrated U.S. tech companies through a brazenly direct route — by inventing fictional “employees” and getting them hired for remote positions at the companies.
In August, CrowdStrike revealed that Famous Chollima had managed to get its fake workers hired at more than 100 companies.
“It really is eye-opening to see the advancement of some of these threats,” said Etheridge, chief global professional services officer at CrowdStrike. “These threat actors are now able to simply be provisioned access to the infrastructure that they're trying to take advantage of, versus having to break in.”
Without a doubt, he said, “that’s pretty scary.”
Beyond these particular attacks, insider threats in general are also now more prevalent than many organizations might realize. Etheridge pointed to Ponemon Institute research showing that the majority of surveyed organizations — 71 percent — were impacted by more than 20 insider-related incidents in 2023. Some reported seeing more than 40 insider incidents that year.
For organizations with global and remote workforces, it’s not hard to grasp why these issues are so widespread now. “Being able to monitor and understand where activity is good and beneficial and productive activity — versus what might be considered malicious — is getting harder and harder,” Etheridge said.
The ubiquitous use of SaaS-based applications is also a factor, given that it can be challenging to access logging and data from SaaS, he noted.
The advancement of insider threats prompted CrowdStrike to recently launch its new Insider Risk Services offering, which utilizes CrowdStrike threat intelligence and incident response capabilities to help counter insider attacks.
The services are ideal for delivery in tandem with services from partners, Etheridge said. While CrowdStrike can point out some of the gaps for organizations and share intelligence, many partners are “in the best position to help organizations actually take those gaps and fill them,” he said.
That can include helping organizations with developing insider threat programs and policies, and making sure that the customers are doing the right kind of auditing and monitoring for insider-related risks, Etheridge said.
Ultimately, when it comes to defending against insider threats of all types, CrowdStrike is looking to work with partners to “really take organizations to the next level and help them operationalize that,” he said.