Preventing cybersecurity betrayal in real-life 'Among Us'
Although created a few years before the world went into lockdown, something about the simple app-based game Among Us truly tapped into the pandemic zeitgeist like nothing else. On the one hand, it was a community-based game that worked perfectly in our new Zoom-based reality — while on the other, it tapped into the mounting dread that we were becoming more disconnected from other people.
For those who don’t know, Among Us is like the old board game Cluedo remixed with paranoid 1970s sci-fi like Alien and adapted for the digital age. The online game has gained popularity around the world, including Hong Kong, with more than 264 million downloads worldwide.
Those in the cybersecurity space may not find Among Us to be exactly escapist, considering they play a real-life, high-stakes version of this game every single day.
Insider Threats by the Numbers
The Ponemon Institute’s 2020 Cost of Insider Threats report found the average global cost of insider threats rose by 31% in two years to $11.45 million, while the number of total incidents nearly doubled (rose 47%) in the same time period. It showed that Asia-Pacific (APAC) had an average annual cost associated with an insider threat of $7.89 million.
The study explored three primary insider threat profiles:
● negligent insiders (those who unintentionally cause issues)
● criminal and malicious insiders (those who intentionally cause damage) and
● credential thieves (those who target login information to gain unauthorised access to applications and systems).
Out of these three profiles, employee or contractor negligence was the most frequent source of insider threats in APAC, with an average of 13 incidents annually, a significant gap from the other insider threat profiles. This is followed by criminal and malicious insiders, with an average of 4.5 annual incidents, and credential thieves, with an average of 1.4 incidents annually.
Meanwhile, the 2021 Verizon Data Breach Investigations Report (DBIR) found that 99% of incidents classified under the “privilege misuse” category were driven by internal actors. As the report states, “This pattern is an uncomfortable one — this is where the people we trust betray us.” The DBIR found financial gain to be the most common motivator at 67%, yet it revealed several other drivers: fun (17%), a grudge against the employer (14%), espionage (9%), convenience (3%) and ideology (1%).
The insider threat is very real, very hard to spot and makes balancing efficient daily workflows and stringent, always-on security a real challenge. It’s all fun and games until you find yourself alone in the electrical bay with an imposter — figuratively and/or literally, as the case may be.
The Insider Security Conundrum
Ironically (or not), one of Among Us imposters’ more popular “kill zones” is in the vessel’s security room. While crew members are in the room surveilling other areas via security cams, they can’t see what’s happening right behind them.
Working undercover is precisely how insider threats operate, and it’s what makes them so difficult for cybersecurity experts. By focusing on keeping the bad guys out, it’s easy to miss what’s right over your own shoulder. And these threat actors have a leg up — the most crucial thing outside attackers are looking to acquire is something that insiders already have, and that’s legitimate access. Using stolen credentials from other corporate identities, insiders can easily move throughout systems, elevating their access and worming further into privileged systems to steal data or use it in ways they shouldn’t.
Before devising a strategy for shoring up security measures against threats in your own house, it’s important to consider where this responsibility ultimately falls. Is it solely the purview of the info security teams? Or do HR and legal bear some responsibility, since insider threats track back to hiring and potential employee vetting? The answer, like so much in the digital world, is that the more communication and cooperation you have between departments and leadership, the better equipped you will be to uncover and mitigate threats from within. To revisit our Among Us analogy, the fewer dark rooms and unmonitored pathways you have, the less likely malicious actors will be able to move about undetected. Shining those lights is vital.
No Trust, No Sus
In this new reality of remote and hybrid work, you can’t simply separate the “good” guys from the “bad” guys because they often look alike. What’s more, sometimes a person will start as one and eventually become the other. The solution is to trust no one until you can continuously verify that they are who they say they are before granting access. This means there are no darkened rooms, no hidden vents and far less uncertainty that when someone unlocks and enters a specific “room,” they are there only to do their assigned task and nothing else.
To combat insider threats, organisations should adopt this “Zero Trust” approach, a strategic cybersecurity model designed to protect modern digital business environments. It generally follows the same mindset as the players in Among Us -- everyone is "sus", unless verified or proven otherwise. It goes a long way in proactively managing insider threats by limiting disruption, strengthening security resilience and protecting resources — particularly in hybrid cloud environments.
The threat may be coming from inside the house, but security measures must go well beyond a few doors and walls.
Zero Trust would make Among Us far less fun to play for sure, but it makes operating in our new boundary-less world a whole lot safer. Tricking your friends with casual sabotage can be fun when it’s a game, but it’s much less so when millions of dollars and reams of sensitive data are at stake.