Insider threats: Who is the biggest IT security threat in your organisation?

Before you begin addressing the dark world of cybercrime, remember that ‘cyber security begins at home’.

It is an undeniable fact that in today's digital world, we are all pretty much reliant on information technology and the Internet to run our businesses. It is also a fact that the question is not 'if' but 'when' our IT infrastructure and business applications will come under attack. Before you even begin to address the dark world of cybercrime or state-sponsored attackers plotting to compromise your IT systems, you should first remember that ‘cyber security begins at home.’

By home, I mean the business owners, their senior managers, their staff, and their third-party contractors. It is a salient point that security breaches by staff or third-party contractors, whether malicious or accidental, are one of the largest sources of cyber-attacks on an organisation's systems.

Cyber criminals will seek out the weak points in your organisation as these present the easiest opportunities for attack – such weaknesses could already be present in your organisation. 

 How can I ensure my systems are safe from 'within'?  

Before we look at solutions, we must understand the various ways in which employees - and contractors - can be responsible for security breaches. 

Careless Employees - Obvious examples of careless behaviour include: staff who use weak passwords, staff who surf unauthorised websites, and staff who click on links or open attachments in suspicious emails. Then there are staff who don't take proper care of their personal or company devices, providing opportunities for them to fall into an unauthorised pair of hands (this is most often a relative). 

Vengeful Ex-Employees - This happens more than you might think, as ex-employees believe they can inflict damage without getting caught. This is especially so if the ex-employee had access to systems, networks and databases with privileged passwords.

BYOD (Bring Your Own Device) – As well as the risk of loss or theft of personal devices, the mere fact that an organisation's confidential or sensitive information is shared to or copied onto personal devices creates an inherent risk of theft. Passwords on personal devices are often weaker than those used at the workplace, making them vulnerable to hacking. A recent survey suggested that two thirds of global companies have suffered some kind of security breach caused by employees' mobile devices. 

Unauthorised devices connected to the network - Many employees don’t think twice about connecting their own devices to the company IT infrastructure: BYOD, USB sticks, webcams, etc. This can facilitate the introduction of malware into the organisation’s systems, or provide an entry point for a hacker.

Third Party Service Providers - Service providers are often an important part of your extended team but can pose a risk if their security practices are not as rigid as your own. It is not unusual for contractors to use a single or shared password for all their employees to access a client's system - and often the password used is weak, to facilitate memorising and passing it around to new staff.

This makes the potential theft of login details relatively simple - often simply by guessing. An alarmingly high percentage of data breaches can be attributed to remote 3rd party access channels, and let's not forget the possibility of the contractor having a rogue employee.

 7 Steps To Minimise The Risk Of Insider Threats 

 

Employee vetting - All staff must be thoroughly vetted for honesty. For sensitive positions, police criminal checks should be undertaken. You must also ensure that your 3rd party contractors have similarly vetted their own staff. 

Training and education - Have well-documented procedures that provide training for all staff. Educate them on the need for strong security and the implications of careless or bad password management. Awareness and training exercises should include education about scams such as phishing and key logger scams. Consider introducing a password management system and deploy validated encryption as part of your strategy. In highly sensitive situations you might consider the introduction of two-step authorisation.

Introduce a strict password cancellation policy for ex-staff - Ensure that proper procedures are in place so that all passwords are immediately cancelled for any employee leaving the company. 

Have a clear BYOD policy - This should be a carefully written document that spells out exactly what employees can and can't do with their devices. This will include such FAQs as: Can they download company documents, emails or business data? Can they download personal applications onto company networks? Implement systems to monitor mobile devices. This will reduce risks if a device is lost or stolen. Encryption and containerisation of data on devices can also form part of an overall solution.

Introduce a 'no tinkering' policy - No unauthorised tinkering with the company's systems should be allowed and specifically no devices, USBs etc. should be connected without first being checked by your IT security team.

Insist that all third-party contractors have acceptable security procedures - All service providers must implement "best practice" as far as password security is concerned. Monitor the contractor's security procedures and immediately cancel all access passwords as soon as a provider has ceased working for you.

Monitor and Report – Violations of the policies can be monitored and actions taken to identify and stop real damage from occurring. While the tools and techniques needed to manage out the numerous false positives (security events that are benign) can be quite complex, much can be done by simply monitoring for the internal threat scenarios that could be most damaging to your business.

Ensure that a well-defined incident management procedure is in place to back up the management of a security violation and that there is a disciplinary procedure in place to deal with employees and contractors who would compromise the security of your organisation. Once you’ve addressed the insider threats within your organisation, you can turn your attention to external cyber threats.     

David Lello, Director of Professional Services, Burning Tree