Everybody’s heard the old saying, “Keep your friends close and your enemies closer.” It’s implied in the statement that you can tell the difference between the two. When it comes to your company’s cybersecurity however, the line can become blurred — and your “enemies” may be much closer than you realize.
Look no further than your local cinema for an example of an insider threat, or when a past, current or contract employee (or an imposter pretending to be one) opens an organization’s computer system to harm. On the reel is a very real case: Snowden. The film stars Joseph Gordon-Levitt as the titular Edward Snowden, a former CIA employee and NSA contractor who leaked 1.5 million highly classified National Security Agency documents to journalists in 2013. Whether you view him as a hero hacker or treasonous traitor is subjective — what is objective is you wouldn’t want an employee like that. Unfortunately, they’re more common that you’d think.
According to IBM’s 2016 Cyber Security Intelligence Index, 60% of attacks are carried out by people inside the target company. Insider threats can be both malicious and unintentional. When done maliciously, they are often performed by disgruntled employees for revenge or reward. Generally, insider threats involve one or a combination of the following: harming system functionality, stealing funds, introducing malware (i.e. spyware, ransomware, viruses, trojan horses, worms) or the corruption, falsification, deletion or theft of data.
As Marc van Zadelhoff points out in the Harvard Business Review, certain industries are bigger targets for insidious insiders. He says, “… health care, manufacturing, and financial services are the top three industries under attack, due to their personal data, intellectual property and physical inventory, and massive financial assets, respectively.”
Crowd Research Partner’s Insider Threat Report found that 74% of organizations feel vulnerable to insider attacks yet only 42% have appropriate controls in place to prevent them. What stings the most is because insider threat activities are carried out within and by trusted systems, they often go unnoticed for extended periods of time. And they’re not always perpetrated by Bitter Bob or Disillusioned Diane. While the aforementioned IBM report points to three quarters of insider threats being malicious, a full quarter are unintentional.
Alas, until we can replace them all with machines, computers and AI, employees are human beings and inevitably make mistakes. They can and do fall prey to socially engineered cyber attacks such as phishing or spear phishing. In doing so, they inadvertently lend their credentials and access to hackers. Cue: data breaches, malware and headaches galore.
Depending on the sensitivity of your organization’s information, allowing employees to work out of office can also increase insider risks. If their device(s) gets stolen or they send confidential data over an unsecured public server, they’re essentially handing over the trench coat and fake moustache to an imposter.
So how do you protect against a threat from the inside? A separate article by the Harvard Business Review points to psychological content analysis. Namely, they suggest using programs to monitor employee’s language and behaviour for aggression in a way that still respects privacy.
For those unprepared to adopt the title of “Big Brother”, there are simpler solutions. Like most cybersecurity issues, fighting insider threats involves a combination of vigilance, employee education and getting a good protection plan: be smart about who you hire, do frequent back-ups of your data, and schedule regular spyware and anti-virus scans; remind employees to always be cautious with their emails and devices, even if they feel like they’re communicating with trusted sources or are in trusted places; and finally, work with a reputable cybersecurity vendor to create an individualized defence strategy.
While nothing can ever fully protect you from insider threats, the only thing that will impair functionality —both your company’s and employees’— more than malware is being overly paranoid 24/7, 365 days a year. Ultimately, as van Zadelhoff notes, while restrictive security policies can seem like a good idea (read: the only option), they get in in the way of productivity, hamper innovation and frustrate your users.
Think of it like this: instead of “Keep your friends close and your enemies closer”, a more appropriate phrase could be, “Watch who you hire before the house is on fire.”
Not exactly “Hang in there, baby!” kitty poster material, but it works.
Leave a Comment