Insider Threat: Intelligence Snapshot for NZ Organisations
Key Takeaways
Insider threats pose a HIGH level of risk to New Zealand organisations across multiple sectors.
Recent incidents highlight the diversity of insider threats, from negligent to malicious.
Distrust in the government, conspiracy beliefs, and financial distress are emerging as significant motivators for insider threats.
The evolving nature of work and advancing technologies, particularly AI, are introducing new vectors for insider threats.
Critical sectors, including healthcare, law enforcement, and border control, have been compromised by insider threats.
Recent Incidents
Police Data Breach (2023): A manager for the crime reporting line in Auckland accessed confidential police files and shared them privately, leading to their publication on social media. This incident underscores the risks associated with unauthorised access to sensitive data by trusted employees in law enforcement.
Operation Selena (2021): A joint Customs and Police investigation resulted in at least 24 people being charged, including individuals connected to ports and airports, for drug smuggling activities.
Auckland Police Officer Data Breach (2019): A police constable pleaded guilty to illegally accessing the police's National Intelligence Application (NIA) system for dishonest purposes over 13 months. The NIA contains nearly two million New Zealanders' sensitive personal information, including criminal histories.
Health NZ Te Whatu Ora Data Breach (2023): A former employee allegedly accessed and leaked sensitive COVID-19 vaccination data. The unauthorised data publication affected at least 12,000 people, primarily COVID-19 vaccinators.
Ports of Auckland Drug Smuggling (2021): A container with 30 kg of methamphetamine was smuggled through the port with the assistance of insiders, highlighting the vulnerability of maritime borders to insider threats. This incident underscores ongoing efforts by criminal to recruit "clean skins" with access to restricted areas.
Air New Zealand Baggage Handlers Methamphetamine Smuggling (2020-2022): Multiple incidents involving baggage handlers at Auckland Airport smuggling large quantities of methamphetamine were uncovered, with one case involving 118kg hidden in a flight's bulkhead. hese cases demonstrate the persistent risk of insider threats in airport security and the potential for large-scale drug trafficking operations.
Note: These incidents represent publicly disclosed cases from open sources.
Threat Assessment
Overall insider threat level: HIGH. It is highly likely that most medium to large organisations in New Zealand will face some form of insider threat incident within the next 12 months. There is a realistic possibility that at least one major insider threat incident with national implications will occur in a critical sector within the next 24 months.
Negligent insiders pose the most frequent threat. It is probable that the shift to remote and hybrid work models has increased the frequency of unintentional data exposures by employees. Many of these incidents likely go undetected or unreported, masking the true scale of the problem. Organisations with inadequate security training programs are at substantially higher risk.
Malicious insiders, while less common, are assessed as probable to cause the most severe damage when incidents occur. Financial gain remains the primary motivation, followed by revenge or ideology. The current economic climate and potential job insecurities could increase the risk of employees turning to malicious insider activities.
There is a realistic possibility that conspiracy-motivated insiders represent an emerging threat type, particularly in sectors dealing with sensitive or controversial information. The spread of misinformation and conspiracy theories online is contributing to this threat. Sectors such as healthcare, scientific research, and government agencies are at higher risk. Traditional insider threat detection methods may be less effective against this type of insider.
It is highly likely that organised crime groups will continue attempting to recruit insiders, especially in border control and transportation sectors. Economic pressures may make some employees more susceptible to recruitment. Sectors with access to valuable goods or sensitive information (e.g., ports, airports, financial institutions) remain primary targets.
The evolving nature of work and AI technology is likely to introduce new vectors for insider threats. AI technologies present both new opportunities for threat detection and novel challenges in insider threat management. There is a realistic possibility that malicious insiders could leverage AI tools to enhance their capabilities, making their activities more sophisticated and harder to detect.
Mental health struggles and financial distress are likely exacerbating insider threat risks. A 2022 survey found that nearly half of Kiwis said distrust was their default emotion. This distrust, particularly in government and media, is driving some individuals to alternative information sources, some of which may promote conspiracy theories that foster further distrust.
Government efforts to counteract conspiracy information may inadvertently reinforce conspiracy beliefs in some individuals, potentially increasing the risk of insider threats. It is assessed as highly likely that organisations dealing with sensitive or controversial information will need to develop strategies to address the impact of widespread distrust and conspiracy beliefs on their insider threat risk profile.
Recommendations
Implement comprehensive insider threat programs: Develop programs that address both intentional and unintentional risks, including regular risk assessments, employee training, and technological solutions for monitoring and detection. Ensure these programs are adaptive to emerging threats and changing work environments.
Enhance security awareness and organisational culture: Foster a security-conscious culture with role-specific training on emerging threats, including conspiracy-motivated insiders. Encourage reporting of suspicious activities without fear of reprisal. Include education on key indicators of potential insider threats, ensuring employees know what to watch for and how to report concerns.
Leverage AI and advanced technologies: Develop strategies to leverage AI for threat detection while implementing safeguards against AI-related vulnerabilities. Invest in AI-powered anomaly detection systems and implement strict access controls for AI systems and training data.
Strengthen access controls and monitoring: Implement the principle of least privilege and regularly audit access controls, particularly in remote and hybrid work environments. Establish robust off-boarding procedures for departing employees, including immediate access revocation and monitoring of data transfer activities prior to departure.
Establish collaborative information-sharing mechanisms: Partner with trusted organisations and relevant government agencies to gain a more comprehensive understanding of the insider threat landscape beyond publicly reported information.
Address employee well-being and concerns: Enhance mental health support and financial counselling services. Develop communication strategies that address employee concerns and foster trust, particularly in sectors dealing with sensitive or controversial information
Conduct regular threat assessments: Regularly evaluate the organisation's insider threat risk profile, considering broader societal trends such as trust in institutions and the prevalence of conspiracy beliefs. Include assessments of behavioural indicators and work pattern anomalies that might signal potential insider threats.
Implement a "See Something, Say Something" policy: Encourage employees to report unusual behaviours or security violations, emphasising that early reporting can prevent major incidents and help colleagues who might be struggling.
Tailor strategies to the New Zealand context: Develop approaches that address the unique challenges of New Zealand's workplace culture, including the tendency to minimise security risks and the "it doesn't happen here" mentality.
Continuous improvement and adaptation: Regularly review and update insider threat mitigation strategies to address evolving threats, technological advancements, and changes in work practices.
Methodology
Insider threat levels are assessed by evaluating the current intent and capability of individuals with authorised access to potentially harm the organisation. Notably, insider threats inherently possess an elevated capability due to their existing access, raising the baseline threat level. The assessment thus focuses heavily on gauging intent (desire and confidence) and the specific extent of access and knowledge. In the New Zealand context, this evaluation considers local socio-economic factors, cultural nuances, and recent events that might influence insider motivations, alongside historical incidents and expert insights.
This report provides a snapshot of the general insider threat landscape, guiding organisations to conduct more detailed, tailored evaluations based on their unique risk profiles and operational environments.
Threat rating definitions
Insider Definition
An insider, in the context of organisational security and threat assessment, refers to an individual who has or has had authorised access to an organisation's networks, systems, data, or physical facilities. This access is typically granted due to the individual's role as an employee, contractor, or business partner. Key aspects of this definition include:
Current or Former Access: An insider may be a current member of the organisation or someone who previously had access rights
Legitimate Authorisation: The insider's access is or was officially sanctioned by the organisation, distinguishing them from external threat actors.
Privileged Knowledge: Insiders possess intimate knowledge of the organisation's operations, systems, and potential vulnerabilities.
Varied Roles: This includes full-time and part-time employees across all levels, temporary staff, contractors, consultants, and even trusted third-party vendors or partners.
Physical and Digital Access: The insider's access may encompass both physical spaces (e.g., offices, secure areas) and digital assets (e.g., networks, databases)
Potential for Harm: Due to their position of trust and access, insiders have the potential to significantly harm the organisation, either intentionally or unintentionally.
Insider threats can manifest in two main categories:
Malicious Insiders: Intentionally misuse access for personal gain or to harm the organisation.
Unwitting Insiders: Unintentionally pose risks through negligence, accidents, or manipulation.
The insider's unique position of trust and access makes insider threats particularly challenging to detect and mitigate, requiring specialised strategies distinct from those used to counter external threats.
The Insider threat Iceberg
Key Indicators of Potential Insider Threats
Disclaimer
This insider threat assessment provides a quick snapshot of the current New Zealand environment and should be considered as a general guide.
The threat landscape is dynamic and can change rapidly. Each organisation will face unique challenges based on its specific sector, size, assets, and operational context.
The intent of this assessment is to:
Provide an understanding of the current insider threat landscape in New Zealand
Offer examples of what organisations should be preparing for
Serve as a model for how organisations can approach their own insider threat assessments
NZ Organisations are strongly encouraged to:
Conduct their own detailed insider threat assessments
Regularly update these assessments to reflect changes in their specific environment
Tailor their mitigation strategies to address their unique risks and vulnerabilities
Remember, while the baseline threat from insiders is elevated due to their inherent access, the specific level of risk will vary significantly between organisations and should be evaluated on an individual basis.
Jamie specialises in Physical Security Governance, Risk Management, and Compliance (GRC) for critical infrastructure and government entities. With over 15 years of experience, including service in the New Zealand Defence Force, he focuses on developing comprehensive physical security solutions that protect assets and ensure personnel safety. Jamie's expertise lies in translating complex security challenges into actionable strategies, emphasising informed decision-making through robust risk assessments. His mission is to elevate industry standards while aligning security measures with organisational objectives. A former professional rugby player, Jamie brings teamwork and adaptability to solving intricate security challenges.
