Most business owners, CEOs and CIOs are concerned about an unseen army of cyber criminals and hackers poised to attack their business, hold their IT systems and data to ransom and cause untold damage to business operations, customer relationships and brand reputation. However, although this threat is very real, the biggest IT threat to your company could be currently sitting at their desk in your office.
Yes, insider threats – your employees – are perhaps the biggest threat to your business. In fact, 43% of data breaches originate inside an organisation, and of these three quarters involve malicious intent. These attacks may come from employees, remote workers, subcontractors, ex-employees or 3rd party providers, and often go undetected for much longer than attacks from outside actors.
The Impact Of Insider Attacks
While external threats are becoming increasingly sophisticated and attacks are being targeted at all kinds of organisations – big and small – businesses have also become more aware of them and more proactive in preventing and detecting attacks such as ransomware, phishing campaigns etc.
However, insider attacks are going under the radar. This is in part because business owners and IT professionals are not looking for them, and also because they are often much harder to detect. The tell-tale signs that someone is attempting to breach your cyber security defences – such as multiple password attempts, logins from unknown devices, and other abnormal activity – are not present when the attack comes from an inside actor. Insiders are also adept at covering their tracks by editing or deleting logs, and if detected they can plead ignorance and blame ‘human error’.
As a result breaches go undetected for longer and potentially cause more damage to the business. Remediation costs also go up; the time to remediate is directly linked to the financial costs and lasting impact of an attack.
Not all insider attacks are motivated by financial greed, revenge or acquiring data for competitive leverage (for example stealing customer information to take to a new employer); some attacks are genuinely down to human error.
Examples include the Amazon Web Services (AWS) outage in February 2017, when an engineer inadvertently brought down countless websites, services and devices because of a typo, and cases where employees unintentionally provide hackers with access to your systems and data by clicking on a link in an email.
Whether human error or malicious intent, the result is the same. It costs businesses in terms of lost productivity, detection, remediation and reputation.
How To Protect Your Business From Insider Threats
Get Human Resources onside. Prevent malicious attacks by working with HR to reduce the risk of recruiting employees who may not have your organisation’s interests at heart. Criminal record checks, employment history, employment disputes etc. can highlight potential issues with a candidate. Work with HR to monitor existing employee relations for any signs of insider actors – disputes and grudges – and how they handle dismissal etc.
Employee awareness and training activities are the first line of defence against external attacks such as ransomware – providing your employees with the skills to spot attacks before they are enacted.
An Acceptable Use Policy is an effective way to communicate to employees what is, and what isn’t, an acceptable use of company data. This helps communicate the message that you are monitoring for insider attacks, and will take action if necessary.
Protect your most valuable assets. What data or systems are most valuable to your business, and most valuable to the bad guys? These need robust security defences such as multi-factor authentication and, for the most business-critical assets, encryption.
Review user accounts and who has access to what data. Limit the number of privileged users, and create any new user accounts (including those for 3rd party providers) with the fewest privileges possible.
Terminate accounts or reduce privileges when access is no longer required. For example, when an employee leaves the organisation or a project finishes. Similarly, manage the accounts of 3rd parties, or grant temporary credentials that will expire in an appropriate timeframe.
Limit the use of shared accounts. Where possible limit the number of shared accounts and ensure these do not provide access to business critical or highly sensitive data.
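The account checks described in the three points above can be run as a periodic review. The following is an added example, not part of the original article: the inventory is constructed sample data, and the field names, the 90-day staleness window and the privileged-user limit are assumptions.

```python
from collections import namedtuple
from datetime import date, timedelta

Account = namedtuple(
    "Account", "name kind hr_status privileged sensitive expires last_login")

# Constructed sample inventory (not real data). kind: employee / third_party / shared.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("a.khan",       "employee",    "active", True,  True,  None, date(2024, 5, 30)),
    Account("b.osei",       "employee",    "left",   False, True,  None, date(2024, 3, 2)),
    Account("c.lind",       "employee",    "active", True,  False, None, date(2024, 1, 10)),
    Account("vendor-crm",   "third_party", "active", False, False, None, date(2024, 5, 29)),
    Account("vendor-audit", "third_party", "active", False, True,
            date(2024, 6, 30), date(2024, 5, 20)),
    Account("finance-box",  "shared",      "active", False, True,  None, date(2024, 5, 31)),
]

def review(accounts, today, stale_after=timedelta(days=90), max_privileged=1):
    """Return (account, finding) pairs for the review points in the article."""
    findings = []
    for a in accounts:
        if a.hr_status == "left":
            findings.append((a.name, "owner has left: terminate the account"))
        if a.kind == "third_party" and a.expires is None:
            findings.append((a.name, "third-party account has no expiry date"))
        if a.expires is not None and a.expires < today:
            findings.append((a.name, "temporary credential has expired: disable"))
        if a.kind == "shared" and a.sensitive:
            findings.append((a.name, "shared account can reach sensitive data"))
        if a.privileged and today - a.last_login > stale_after:
            findings.append((a.name, "privileges unused: reduce them"))
    privileged = [a.name for a in accounts if a.privileged]
    if len(privileged) > max_privileged:
        findings.append(("*", f"{len(privileged)} privileged users, limit is {max_privileged}"))
    return findings

if __name__ == "__main__":
    for name, finding in review(ACCOUNTS, TODAY):
        print(f"{name}: {finding}")
```
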
Monitor systems and user behaviour. It can be difficult to spot insider attacks because the user’s behaviour may not fall into the ‘abnormal’ category. However, if the measures above are in place, in many cases users will be forced to behave abnormally to get access to valuable data. Cyber security solutions can monitor for multiple failed password attempts, data being copied to personal accounts, email etc., and other activities that are not part of any given user’s normal working day.
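A minimal rule-based version of this monitoring, as an added example that is not part of the original article: the events are constructed sample data, and the event layout, the personal-domain list and the failed-login threshold are assumptions.

```python
from collections import defaultdict

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list
FAILED_LOGIN_LIMIT = 3                                         # assumed threshold

# Constructed sample events: (user, action, detail). Not real log data.
EVENTS = [
    ("j.doe",   "login_failed",  "hr-portal"),
    ("j.doe",   "login_failed",  "hr-portal"),
    ("j.doe",   "login_failed",  "hr-portal"),
    ("m.ruiz",  "login_failed",  "vpn"),
    ("m.ruiz",  "login_ok",      "vpn"),
    ("m.ruiz",  "file_read",     "sales/pipeline.xlsx"),
    ("t.ngata", "access_denied", "finance/payroll.db"),
    ("t.ngata", "email_attach",  "t.ngata@gmail.com"),
    ("m.ruiz",  "email_attach",  "buyer@customer.example"),
]

def detect(events):
    """Return {user: [reasons]} for the behaviours named in the article."""
    failed = defaultdict(int)
    alerts = defaultdict(list)
    for user, action, detail in events:
        if action == "login_failed":
            failed[user] += 1
            if failed[user] == FAILED_LOGIN_LIMIT:
                alerts[user].append(f"{FAILED_LOGIN_LIMIT} failed logins in a row")
        elif action == "login_ok":
            failed[user] = 0  # a successful login resets the streak
        elif action == "access_denied":
            # Least privilege turns a reach for restricted data into a visible event.
            alerts[user].append(f"denied access to {detail}")
        elif action == "email_attach":
            domain = detail.rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS:
                alerts[user].append(f"attachment sent to personal address {detail}")
    return dict(alerts)

if __name__ == "__main__":
    for user, reasons in detect(EVENTS).items():
        print(user, "->", "; ".join(reasons))
```
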
Cyber security tools with machine learning that monitor all traffic and security on a network quickly learn what is normal behaviour within an organisation, and what is not. As well as protecting businesses from external threats, these solutions, when backed up with other cyber security strategies, can tackle insider threats too.
By Sarah, Invinsec