Insider threats: A persistent and widespread problem
In this feature, we take a look at some of the key things you should be aware of to ensure that you are well-equipped to deal with insider threats.
When it comes to cybercrime, a lot of the focus is centered on external threats and on the individuals who actively attempt to cause harm and damage, whether by infecting a computer system with malware or through the encryption of files for reasons of extortion.
This attention is understandable. The threat posed by cybercriminals to organizations is great, so much so that many consider their unlawful activities to be the natural evolution of so-called traditional crimes – it is simply a digital and online version of what went on before. Others go so far as to describe it as a “21st century phenomenon which won’t go away”.
Threats are not just external though. Insider threats, for many years misunderstood – if understood at all – are just as problematic as their outside equivalent. However, this is changing. More and more enterprises are beginning to recognize the dangers posed from within.
One survey has even suggested that the greatest threat posed to a business’ cybersecurity program is its employees. This 2015 paper, by Nuix, reported that the overwhelming majority of respondents (93%) consider “human behavior” to be the number one threat to their security.
Interestingly, this is a growing concern, as the previous year, the figure was lower (88%). From this, you can take away positives and negatives. It’s good that the threat is being taken seriously, but worrying that incidents might be higher than previously thought (or on the rise).
In this article, we take a look at some of the key things you should be aware of and the security considerations you should make to ensure that you are well-equipped to deal with threats – malicious or otherwise – that come from inside.
The game has changed
Some recent cases demonstrate how complex and disparate things are. Case number one concerns Ofcom, the UK’s communication regulator. In March, it was revealed that one of its former employees had been collecting sensitive information over a six-year period. His employers were none the wiser, only hearing about it when the individual’s new employers – now former – notified them.
Case two, which extends back to 2012, but was resolved this year, involves St. Joseph Health System. “Misconfigured security settings” resulted in private medical records of patients being visible online for up to a year. The subsequent lawsuit has cost it millions.
Finally, case three relates to what can only be described as an unwitting data breach. A former employee of Federal Deposit Insurance Corp. (FDIC) had “inadvertently and without malicious intent” downloaded data onto a personal storage device. Up to 44,000 of its employees were affected.
As you can see, insider threats are not as straightforward as might be assumed: significant incidents can arise out of innocuous activity, and a lack of understanding about these threats is commonplace.
How insider threats materialize
As noted by CERT, insider threats are numerous in scope and can be both intentional and unintentional. They are “influenced by technical, behavioral, and organizational issues”, meaning that organizations need to consider drawing up security programs and solutions that address each of these key areas of weakness to ensure they have responses to most scenarios.
This has always been lacking. The problem for many enterprises is that while they have been keen to embrace – and benefit from – technology, they haven’t fully understood the challenges that come with it. This is what PwC describes as “the digital paradox”:
“Organizations today are able to cover more ground, more quickly, than ever before – thanks to new digital connections, tools and platforms which can connect them in real time with customers, suppliers and partners. Yet at the same time cybercrime has become a powerful countervailing force that’s limiting that potential.”
Remember, threats are not just malicious – there are less sinister risks as well, which can, as highlighted above, result in the same kind of damage wrought by cybercriminals (financial, brand, etc).
What needs to be done
There isn’t an easy answer to this but, on a fundamental level, everything should stem from a cybersecurity program that details how you approach – as an enterprise – outsider and insider threats. This document provides you with a solid framework, which you can continue to build upon.
So what should you consider? The following, which is by no means comprehensive, allows you to start seeing the bigger picture.
Boost employee awareness
Commenting on the results of a survey in 2014, ESET’s David Harley said: “I’d have to agree that a very high proportion of security breaches are caused directly or indirectly by people inside an organization, whether it’s a matter of human error, susceptibility to social engineering, bad security management decisions, and so on.”
It’s no longer enough for some people to be cyber-aware – your entire workforce needs to understand how easy it is for mistakes to be made and where vulnerabilities exist. The absence of knowledge means that there is no reference point to consult if in doubt and, as such, issues are likely to materialize.
Back up your data
This is why, as an enterprise, you should back up your data. You can do everything to protect yourself, yet nothing is foolproof. It is better to be safe than sorry, and proactivity always trumps reactivity in this instance.
Consider the ransomware Locky. This can be understood to be an external threat. However, it’s also an internal one. It is distributed via email, which comes with an attachment. A trojan is embedded in the document, which, once opened, executes its payload.
“Backups are essential,” explained ESET’s Josep Albors and Raphael Labaca Castro recently. “Face it, the last thing you would want is a nasty ransomware encrypting all your files and having to pay to recover them. It’s always a good idea to have a backup copy of your files stored in another external hard drive or even in a cloud storage system.”
Document what is and isn’t acceptable
Stating in detail what is permissible and what isn’t is vital in establishing boundaries of best practice. For example, some organizations may find it acceptable for employees to take home their laptops; others might consider it inappropriate (with the former, confidence can be achieved with encryption).
What is interesting is the way in which businesses respond to transgressions. Is it enough to give a warning? Do you hand out fines? Of course, this will vary with any given enterprise, but is nonetheless important in how you view and deal with deliberate or accidental violations.