Digital transformation has empowered employees to access and interact with data and intellectual property (IP) through a myriad of systems, applications and devices. However, for too long, the security industry’s focus has been on the wrong things. Traditional security perimeters are eroding or becoming obsolete, and so, rather than focus on building bigger walls, the industry needs better visibility.
This year’s headline-grabbing breaches prove a paradigm change is needed in cybersecurity. CIOs and CISOs today must address new security challenges that come with operating in a world where traditional network perimeters are shifting.
We now face behaviour-centric risks ranging from the common user error that turns an email lure into a ransomware debacle, to sporadic, anomalous activities that, once presented in context, can be the breadcrumbs leading to the early stages of a malicious insider threat.
This continuously shifting threat landscape requires an equally transformative view and it starts with examining how people interact with critical business data and IP, and understanding how and why these interactions occur. These “human-points” of interaction have the potential to undermine even the most comprehensively-designed systems in a single malicious or unintentional act.
With this in mind, the questions of behaviour and intent are rising priorities as cybersecurity professionals look to get a better handle on the risk posed to critical business data. Organisations need to develop and deploy behaviour-centric security that includes understanding the nature of human intent and the ability to dynamically adapt security response.
Risk itself is not constant, and by looking at the reasons behind a breach (accidental or malicious) security teams can better tackle the challenges facing their organisations in the current threat landscape.
Category of risk
Fundamentally, insiders typically fit into three groups along a spectrum that we call ‘the continuum of intent’, which categorises users as accidental, compromised or malicious. However, it’s important to note that people can move in and out of these categories depending on a number of factors, so examining their typical behaviours is crucial.
Accidental insiders are those individuals who make honest and unintentional mistakes, inadvertently exposing the organisation to data theft. This could be down to a lack of training, awareness of processes or negligence.
Meanwhile, compromised insiders are those users with access to networks whose credentials have been stolen and used by a hacker to misuse the system to their own ends. It was this approach that caused much of the damage in the case of the Petya outbreak in June 2017.
Administrative credentials were obtained through the use of built-in credential-stealing code, so the malicious activity effectively blended into the background noise of a big network, allowing the attackers to maximise their dwell time.
Cybercriminals are focusing on exploiting the human point of weakness in an organisation’s security defences, because of the inherent value of the access that people hold.
These attacks are designed to deploy a social incentive for employees to open email attachments or click on a link. Email, by far, represents the greatest risk to an organisation, with mobile devices and cloud storage following as other areas of concern for organisations’ critical infrastructure.
More targeted attacks are also seen, aimed at specific individuals based on their membership of a hacked website’s database, or even on information gleaned from social media accounts.
Concerned with the implications of sharing login credentials with third parties, banks and other financial institutions have previously warned that they would not be held liable if their customers shared account access with third parties such as Mint, a free web-based financial management service.
Finally, there are malicious insiders. This group includes individuals who have both knowledge and access to vital company networks, as well as the intent to cause harm. Forcepoint’s Insider Threat European Survey revealed that 29 per cent of European employees have purposefully sent unauthorised information to a third party. To put this in wider context, one third of organisations have suffered from an insider-caused breach, with potential losses from each incident totalling more than $5m, according to the SANS Institute.
Cybersecurity investment continues to rise, but so does the volume of threats
We recently surveyed over 1,250 cyber security professionals worldwide to ask them about the state of the sector and the changes that need to be made. The resulting research, The Human Point: An Intersection of Behaviours, Intent & Data, discovered that most experts do not hold high hopes that more cyber security tools will improve security. Instead, an overwhelming majority of respondents felt that understanding the behaviours of people as they interact with IP and other data was the path to success.
In other words, to determine the underlying cause of security incidents (e.g. data theft and intellectual property loss) and prevent them from occurring again in the future, security professionals must look at the intent behind people’s actions, understand the categories of risk and adapt their security offerings accordingly.
Data is everywhere
Modern working practices rightly allow for anytime, anywhere access to data by employees and authorised third parties (including APIs), and data aggregators offer efficient and effective ways of working that companies and their employees have wholeheartedly adopted.
However, with data everywhere and accessible from anywhere, the attack surface becomes much wider. The recent Equifax breach should be a wake-up call for businesses worldwide to improve their systems, so that attackers taking aim at data goldmines such as these will meet with increased resistance. Examining the flow of data through an organisation is the only scalable defence mechanism: by looking for and identifying uncommon consumption patterns, or the misuse of account credentials on a database, malicious behaviour can be identified.
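The data-flow monitoring described above, as an added illustration that is not Forcepoint’s product logic nor code from the original article: a per-account baseline of which hosts and tables an account normally touches and how many rows it typically reads, used to flag the uncommon consumption patterns and credential misuse the paragraph mentions. The log format, the sample events and the thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of database access events (not real data):
# (account, source_host, table, rows_returned)
BASELINE_EVENTS = [
    ("alice", "ws-17", "customers", 120), ("alice", "ws-17", "customers", 95),
    ("alice", "ws-17", "orders", 110), ("alice", "ws-17", "customers", 130),
    ("alice", "ws-17", "customers", 105),
    ("bob", "ws-04", "orders", 40), ("bob", "ws-04", "orders", 55),
    ("bob", "ws-04", "orders", 38), ("bob", "ws-04", "orders", 60),
]
NEW_EVENTS = [
    ("alice", "ws-17", "orders", 100),            # normal for alice
    ("alice", "vpn-pool-3", "customers", 48000),  # new host + bulk read: stolen credentials?
    ("alice", "vpn-pool-3", "salaries", 9000),    # table alice has never touched
    ("bob", "ws-04", "orders", 50),               # normal for bob
    ("mallory", "ws-09", "customers", 20),        # account with no history at all
]

def build_profile(events):
    """Learn, per account, the hosts and tables it uses and its usual read volume."""
    rows, hosts, tables = defaultdict(list), defaultdict(set), defaultdict(set)
    for account, host, table, n in events:
        rows[account].append(n); hosts[account].add(host); tables[account].add(table)
    return {a: {"mean": mean(rows[a]), "sd": pstdev(rows[a]),
                "hosts": hosts[a], "tables": tables[a]} for a in rows}

def score_event(profile, event, z_threshold=3.0):
    """Return the list of reasons an event deviates from the account's baseline."""
    account, host, table, n = event
    p = profile.get(account)
    if p is None:
        return ["unknown_account"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append("new_host")
    if table not in p["tables"]:
        reasons.append("new_table")
    spread = p["sd"] or max(p["mean"] * 0.25, 1.0)  # guard against zero variance
    if (n - p["mean"]) / spread > z_threshold:
        reasons.append("volume_spike")
    return reasons

def detect(profile, events):
    """Keep only events that trip at least one baseline check."""
    return [(e, score_event(profile, e)) for e in events if score_event(profile, e)]

if __name__ == "__main__":
    for event, reasons in detect(build_profile(BASELINE_EVENTS), NEW_EVENTS):
        print(event, "->", ", ".join(reasons))
```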
A human-centric future
Going forward, it is vital that organisations implement intelligent, integrated security solutions that provide visibility into user behaviour, coupled with robust cyber security programmes. By understanding how data flows, who has access to it and why, we can increase the efficacy of security. Building on this, by homing in on normal and irregular data and user patterns, we can reduce complexity and focus on the events that really matter.
It’s time for the industry to stop playing catch-up and start thinking differently about security by understanding human behaviours and cadences. This will enable companies to ensure their most valuable data is surrounded by the right behaviours that enable them to protect against breaches now, and into the future.
Nicolas Fischbach, Global CTO at Forcepoint