Cyber criminals must work hard to get hold of your data, but employees and others inside your company typically have privileged access to it. So just how dangerous are insider threats and what can we do about them?
Don’t limit your perception of insider threats to just financial fraudsters, experts warn. They’re certainly a risk, but there are others too, says Andrew Rogoyski, vice president of cyber security services at IT firm CGI and chairman of the cyber security group at UK technology industry group TechUK.
Listing the threats
Insider threats break down into two broad groups – the malicious and the unwitting. Malicious actors may do more than steal money, Mr Rogoyski points out. Intellectual property theft is a potential problem, especially for companies based in knowledge industries. Plans for mergers and acquisitions, product designs and sales targets could all be at risk.
“There might also be sabotage; there might be people wanting to disrupt an organisation’s ability to perform its work,” he says. That could range from installing malware through to deleting files.
Insider threats can even extend to the digital supply chain, where third-party contractors may in turn subcontract operations to others who then have access to your data
Sometimes, fraud and sabotage can overlap. In September, AT&T sued several former employees for installing malware on its networks. That was a form of sabotage, but for financial gain because the software enabled a local business to unlock customers’ phones automatically.
Uneducated employees are just as threatening as malicious insiders, though. These are the workers who take sensitive company data home on thumb drives and lose it or accidentally post it online, potentially costing their employer untold amounts in legal fines and reputational damage. They don’t mean to do it, but a lack of training and oversight can turn them from assets into liabilities.
There is one other kind of insider, warns Ian Beale, audit and compliance principal executive adviser at CEB, a membership organisation which advises on best practices and technology. Insider threats cover anyone with privileged access to company data, he explains, and this group has expanded as working practices have changed.
“It includes both full-time and part-time employees and contractors, either of whom can work remotely, at home or be travelling,” he says. Insider threats can even extend to the digital supply chain, where third-party contractors may in turn subcontract operations to others who then have access to your data.
These companies and individuals represent real threats. In November 2013, US retail giant Target lost 40 million credit card numbers after hackers infiltrated its systems.
It later transpired that the cyber villains infiltrated the company via hacked accounts at a third-party heating and air conditioning company which Target had contracted and had access to its network.
So there are many more kinds of people inside your IT systems, with potentially different motives, than you may think. How can you protect your valuable data from them?
Managing risks
The temptation is to watch everyone like a hawk, imposing strict controls that hem workers in. Beware, warns Mr Rogoyski. “That can have a damaging effect on morale and loyalty,” he says. “You can create disaffected, disgruntled employees.”
Rowena Fell, cyber and insider threat director at consulting giant EY, recommends a data-driven approach to insider threats, rather than simply scrutinising employees. “It’s about protecting your critical information and trade secrets,” she says.
Understanding where that information resides is a crucial early step in an insider threat prevention programme. This can drive initiatives that help to prevent different varieties of insider threat.
Managers can reduce accidental insider threats with an effective education and awareness programme to help prevent mistakes such as responding to fraudulent e-mails or taking valuable data out of the company. These should be a marathon, say experts, and not a sprint. Forget short-term awareness projects that people will forget. Instilling a culture of diligence into an organisation is a long-term process, perhaps backed up with exercises to test its effectiveness.
That still leaves malicious insider activity to deal with. “Organisations have to acknowledge that they may have a potential problem, and begin to put in place adequate procedures and checks on anyone who might need to gain access to data and systems,” says Alex Stedmon, reader in human factors at the University of Coventry, who studies how psychology and security interact.
Companies should review users’ access rights and refine them based on current activities, Dr Stedmon advises. Insiders should be able to see and do only those things that are essential for their jobs.
In some cases, companies can use IT systems to separate duties, meaning that no single person can approve a particularly critical operation, such as moving money above a certain threshold out of the company.
Proper vetting of employees can also be a useful way to prevent insider fraud, says Mr Rogoyski. This is common in government and is beginning to appear in commercial organisations, he adds. Managers should be asking their human resources departments how much due diligence they’re doing on new employees beyond contacting references on a CV.
Insider threats are a clear and present danger, whether employees are disgruntled or not. If you haven’t reviewed the dangers and created a strategy for dealing with them, now’s the time. It’s best to prevent the threat, rather than deal with the fallout afterwards.
HOW TO SPOT A FRAUDSTER
Malicious insiders try to make themselves invisible, but they’re often like black holes – even if you can’t see them directly, you can look for evidence of their existence. Technology can help here, as can a keen nose for discontent.
“At a personal level, you need to start looking for what the textbooks would call a precipitating event,” says Andrew Beckett, managing director in the cyber security and investigations practice at risk solutions company Kroll. These are incidents that might spark revenge. Has an executive been passed over for promotion, demoted or disciplined?
These incidents can be analysed along with other signals, including personality traits. “You can look at psychological behaviour and general attitudes at work,” he adds. “Some people just carry a chip on their shoulder.”Historical behaviour can provide clues. Have employees regularly complained about security at work or disabled security features that might have been put on the system?
Historical behaviour can provide clues. Have employees regularly complained about security at work or disabled security features that might have been put on the system?
If these signs are missed or missing, you can use technology to help you uncover potential fraud. Workflow systems can be configured to double-check the legitimacy of invoices or confirm that the amount paid was the amount asked for.
Beyond that, more sophisticated baselining systems can be put in place which analyse legitimate behaviour on your computer systems and then look for anomalies. Such anomalies might have a perfectly reasonable explanation, but you won’t know about them unless you have software in place to alert you when they happen. At the very least, it will prompt you to ask some polite questions.
Listing the threats
