Beware of the insider threat: Human error or malicious intent?

While some companies are finally waking up to the growing threat of cyber crime, few organisations grasp that securing only their outer defences against attack is not sufficient.

The US Computing Technology Industry Association (CompTIA) has surveyed individuals from hundreds of companies; 52 per cent of respondents named human error as the leading contributor to security breaches.

According to KCS' own research, 80 per cent of cyber breaches can be traced to staff working behind the firewall.

People are the weakest link

The underlying reason for this is that people are the weakest link in any security chain and it is absolutely impossible to wipe out the possibility of human error completely. That does not mean that an organisation should not take some straightforward steps towards significantly reducing the likelihood of a cyber breach being facilitated by human error.

There is, however, evidence that companies in the US at least are gradually becoming aware of the part human error plays in the majority of cyber security breaches. According to CompTIA, 30 per cent of respondents cited "human error among general staff" as a serious concern and 26 per cent cited "human error among staff" as a serious concern.

KCS's extensive case files contain many examples of the various types of human error which have enabled major cyber breaches. In some cases, determined cyber criminals or even business rivals will infiltrate companies or bribe staff with access to the corporate IT system.

One case involved nuclear sector competitors in an overseas tender process attempting to identify weaknesses in the client’s offer. The tender board itself was also trying to spy on the client to ascertain its margins and thereby improve the board's negotiating position.

Both groups used a combination of cyber hacking and industrial espionage. One group placed two agents within the client company in-country to gather intelligence. The other attempted to 'turn' an employee with a significant bribe. Both groups sought to hack the client's IT system to gather information on the client's strategy and pricing. Last year, KCS had two major cases where clients faced these types of attacks.

Disgruntled staff responsible for many cyber breaches

Frequently, disgruntled employees come up with easy ways to monetise information. For example, a financial sector organisation suffered serious internal leaks following the departure of a key manager in China.

On departure, the disaffected employee used current employees to feed him inside information on the client's strategy and future plans, which was then sold on to a major international competitor. Following a covert internal investigation, KCS was also able to determine that a very senior manager within the organisation was sleeping with the ex-employee.

The same senior manager was also removing data acquired from other employees in the client company and feeding this information to the boyfriend and to a US competitor. The client company had, in addition, significant gaps in its cyber security as a consequence of poor IT policies, poor screening of employees and inadequate IT security, which enabled the employee to place malware on the system and block access by the IT management.

Sometimes, dishonest staff members steal data in order to make fast, easy money. An engineering firm, for example, wanted to understand how well its existing security controls were protecting its data. A four-week trial of new software installed across the organisation revealed that a staff member had installed their own back-up software, contravening the firm's IT policy.

The software had been configured to back up a specific folder from the network to another network location. The backed-up information included confidential product testing, computer aided design (CAD) documents detailing new prototypes and upcoming products, designs for printed circuit boards and documents detailing contractual agreements with research and manufacturing partners. A total of 182,000 files were being backed up.

No magic bullet for cyber threat

There is no magic bullet to protect entirely against the insider cyber threat. But there are procedures and software which can be deployed to minimise the risk of data theft and its resultant costs in the form of data retrieval, lost business and reputational damage.

When testing an organisation's cyber defences, it is necessary to carry out tests behind the firewall in order to discover whether, as is often the case, the company has already suffered a data breach. Best-practice software such as Sentinel ZoneFox then enables the company to ascertain who has been copying or releasing sensitive data and when the breaches occurred.

Jamie Graves, the chief executive of cyber security company ZoneFox, believes it is possible to identify a "Kill Chain": a sequence of events or trends within an organisation that can be tracked in order to identify points where a cyber breach might be occurring or may have already occurred.

"There are many reasons for someone inside your organisation to decide to maliciously steal information from your organisation. Existing employees can reach 'a tipping point' where they have been coerced or tempted by an external party to steal for financial gain, or have a grudge against the organisation," says Jamie Graves.

He adds: "The insider threat can also manifest in the form of contractors or service providers, or business partners."

According to ZoneFox, a rogue insider will generally go through a series of clearly identifiable steps in order to successfully steal commercially valuable and sensitive data from the organisation concerned.

The 'tipping point' is generally followed by 'search and reconnaissance', in which the insider searches the corporate IT system for valuable data. Once the rogue employee has located the data, they must gain access to it, a process known as 'exploitation'. The next phase of the Kill Chain is to collect extracts of the data, a process known as 'acquisition'. The final phase of the process is to exfiltrate the data.

"Unless you implement sufficient controls and auditing facilities at each stage of the insider threat Kill Chain," says Jamie Graves, "your organisation will not be able to understand the key behaviours. And that will end in current or ex-employees, partners or contractors walking out the door with your critical business data."
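As an added illustration of the stages described above (example code written for this page, not software from the article, KCS or ZoneFox), the following Python maps constructed file-access audit events onto the 'search and reconnaissance', 'acquisition' and 'exfiltration' stages. The audit-log format, share paths, sanctioned backup target and thresholds are all assumptions.

```python
from collections import defaultdict

# Illustrative thresholds: assumptions for this example, not from the article.
RECON_DIRS = 5        # distinct top-level folders listed by one user
ACQUIRE_FILES = 100   # files read or copied from sensitive shares
SENSITIVE = ("/shares/rnd/", "/shares/legal/")
APPROVED_DEST = ("/shares/backup/",)   # the only sanctioned copy target


def build_sample_events():
    """Constructed audit log: (user, action, source_path, destination)."""
    ev = [("jdoe", "list", f"/shares/{d}/", None)
          for d in ("hr", "finance", "rnd", "legal", "sales", "exec")]
    # Bulk copy of CAD files and a contract to an unapproved network share.
    ev += [("jdoe", "copy", f"/shares/rnd/cad/board_{i:04d}.dwg",
            "//nas2/personal/jdoe/") for i in range(150)]
    ev += [("jdoe", "copy", "/shares/legal/partner_agreement.pdf",
            "//nas2/personal/jdoe/")]
    # Legitimate service account: same volume, but to the sanctioned target.
    ev += [("backup_svc", "copy", f"/shares/rnd/cad/board_{i:04d}.dwg",
            "/shares/backup/rnd/") for i in range(150)]
    ev += [("asmith", "read", "/shares/rnd/specs/motor.docx", None)]
    return ev


def kill_chain_stages(events):
    """Return {user: [(stage, evidence), ...]} for users who trip any stage."""
    listed = defaultdict(set)      # folders enumerated per user
    acquired = defaultdict(int)    # sensitive files touched per user
    exfil = defaultdict(set)       # unapproved copy destinations per user
    for user, action, path, dest in events:
        if action == "list":
            listed[user].add(path)
        sensitive = path.startswith(SENSITIVE)
        if sensitive and action in ("read", "copy"):
            acquired[user] += 1
        if sensitive and action == "copy" and dest \
                and not dest.startswith(APPROVED_DEST):
            exfil[user].add(dest)
    report = {}
    for user in set(listed) | set(acquired) | set(exfil):
        stages = []
        if len(listed[user]) >= RECON_DIRS:
            stages.append(("search and reconnaissance",
                           f"{len(listed[user])} folders listed"))
        if acquired[user] >= ACQUIRE_FILES:
            stages.append(("acquisition",
                           f"{acquired[user]} sensitive files touched"))
        if exfil[user]:
            stages.append(("exfiltration",
                           f"copied to unapproved {sorted(exfil[user])}"))
        if stages:
            report[user] = stages
    return report
```

A user who reaches all three stages (the constructed 'jdoe') stands apart from the backup service account, which trips only the acquisition count, which is why auditing each stage and correlating them matters more than any single alert.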

Stuart Poole-Robb is the chief executive of business intelligence and cyber security adviser the KCS Group.