No longer is the shadowy figure lurking in the background the most obvious hacker and the most likely perpetrator of a cyber attack. Massive, high-profile security breaches dominate today's headlines, while consumers wake up almost every morning to learn that their employer, or a favorite retailer entrusted with their private and sensitive data, has been breached.
Yet, increasingly, security professionals and the majority of security vendors are focused on the wrong things. The IS/IT security landscape (i.e., the attack surface and its parameters) and the bad actors have changed. The dark, shadowy figure that once was the malicious hacker is no longer the obvious enemy. These security firms and professional organizations imagine that he (or she) is poised to strike, and has been waiting for that perfect opportunity to launch a mythical "zero-day" exploit, virus or backdoor. While this type of attack does happen, it isn't the most modern or common form of attack that results in a breach or data leakage, nor is it the biggest risk to your organization. Not by a long shot. The sophisticated, computer-savvy employee, long-time supplier, new service provider, competitor harboring a grudge, or insider hacker-wannabe looking for notoriety may be your real threat and budding antagonist, and you don't know it or suspect it.
What defines an "insider"? An insider is any individual who has authorized access to corporate networks, business systems, information and data. This may include employees, contractors, business partners, auditors or other personnel with a valid reason to access your IS/IT systems. Since we are increasingly operating in a "connected" environment, businesses, small to large, are more susceptible to insider threats than ever before. The volume of critical data in organizations is exploding, causing more information to be available to more people. While this can boost productivity and operational capabilities, it comes with inherent risks that need to be considered and mitigated.
Mitigating risk is all about identifying the weak points, threats and vulnerabilities in your organization's security posture. The weakest point in any security program is people; namely, the insider. Insider threats can be malicious, but more commonly they are accidental. Insiders can have ill intent, they can be manipulated or exploited, or they can simply make a mistake and email proprietary data or a spreadsheet full of client information to the wrong email address. They can lose laptops or mobile devices with confidential data, or misplace backup tapes. These types of incidents are real and happen every day, and these mistakes can lead to disastrous results on par with any major external cyberattack.
Traditionally, these threats are overlooked by most businesses because they are more concerned with the unknown malicious actor than the known staff member or business partner. Organizations are sometimes reluctant to take the steps necessary to mitigate these threats. They put little to no emphasis on implementing security controls for insiders.
Those who believe that you can count on employees as a line of defense in the organization need to think again. Given the current insider situation, attackers need not resort to elaborate attack methods to achieve their objectives. A 2016 Balabit survey indicates that the top two attacker techniques are social engineering (e.g., phishing) and compromised accounts from weak passwords.
There are a number of ways that insiders can cause damage. In some cases, they are coerced by an outsider to extract data. This is common when organized crime is involved. In other cases, legitimate user access is used to extract data, but the user’s real credentials have been compromised and don't trigger security alerts focused on malware, compliance policies and account-brute-force attacks.
There is some light at the end of the tunnel, and the good news is that organizations can do more now than ever before. Technology solution providers are responding with products that monitor email traffic, Web usage and network traffic, and apply behavior-based pattern recognition, to help distinguish who in the organization is acting normally and who may be a risk. If a staff accountant is exporting customer data at 3 A.M., this behavior is flagged as anomalous and alerts security staff to a potential compromise. The employee who starts logging in later, leaving earlier and sending fewer emails to his manager may be disengaged or even disgruntled, and is worth keeping an eye on. Although this is a murky area, HR can be a security advocate, identifying employees with discipline issues who could fit a risk profile. While this may sound a little "big brother" in nature, some organizations may find it an appropriate way to mitigate the risks that come from insiders.
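The 3 A.M. export scenario above is the classic case for a behavioral baseline. The following is an added example, not code from the article or from any vendor product: it builds a per-user profile from a constructed audit log (the hours of day the user is normally active and the median size of the user's exports), then scores new events against that profile. The log format, the user name `acct_jdoe`, the `export_customers` action and the ten-times-median volume threshold are all assumptions made for the illustration.

```python
"""Added example: a minimal behavior-baseline detector for the out-of-hours
bulk-export scenario. Not from the original article or any vendor product;
the log format, names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log: (timestamp, user, action, rows).
# A week of ordinary daytime activity for the assumed user "acct_jdoe".
BASELINE_LOG = [
    ("2016-03-01T09:12:00", "acct_jdoe", "export_customers", 40),
    ("2016-03-01T14:30:00", "acct_jdoe", "export_customers", 55),
    ("2016-03-02T10:05:00", "acct_jdoe", "export_customers", 38),
    ("2016-03-03T16:45:00", "acct_jdoe", "export_customers", 60),
    ("2016-03-04T11:20:00", "acct_jdoe", "export_customers", 45),
    ("2016-03-07T09:50:00", "acct_jdoe", "export_customers", 52),
]

# Constructed new events: one normal daytime export, one 03:00 export that is
# far larger than usual, and one small 03:00 export (off-hours only).
NEW_EVENTS = [
    ("2016-03-08T10:15:00", "acct_jdoe", "export_customers", 48),
    ("2016-03-09T03:02:00", "acct_jdoe", "export_customers", 48000),
    ("2016-03-09T03:10:00", "acct_jdoe", "export_customers", 30),
]


def build_baseline(events):
    """Per user: the set of hours-of-day seen and the median export volume."""
    hours = defaultdict(set)
    sizes = defaultdict(list)
    for ts, user, action, rows in events:
        hours[user].add(datetime.fromisoformat(ts).hour)
        if action.startswith("export_"):
            sizes[user].append(rows)
    return {
        user: {
            "hours": hours[user],
            "median_rows": median(sizes[user]) if sizes[user] else 0,
        }
        for user in hours
    }


def score_event(event, baseline, volume_multiplier=10):
    """Return the list of reasons an event deviates from the user's baseline.

    An empty list means the event looks like the user's ordinary activity.
    The multiplier is an assumed tuning knob, not a value from the article.
    """
    ts, user, action, rows = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if hour not in profile["hours"]:
        reasons.append(f"activity at {hour:02d}:00 outside usual hours")
    if action.startswith("export_") and rows > volume_multiplier * profile["median_rows"]:
        reasons.append(f"export of {rows} rows vs. median {profile['median_rows']}")
    return reasons


def detect(new_events, baseline_events):
    """Score each new event; return (timestamp, user, reasons) for deviations."""
    baseline = build_baseline(baseline_events)
    alerts = []
    for event in new_events:
        reasons = score_event(event, baseline)
        if reasons:
            alerts.append((event[0], event[1], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect(NEW_EVENTS, BASELINE_LOG):
        print(f"ALERT {ts} {user}: {'; '.join(reasons)}")
```

Run stand-alone, the script raises two alerts: the 03:02 export trips both the off-hours and the volume rule, while the 03:10 export trips only the off-hours rule. Keeping the reasons separate lets an analyst triage by how many rules fired rather than treating every off-hours login as a compromise, which is what keeps this kind of monitoring from becoming noise.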
Furthermore, organizations of every size still have some old-school mitigations available to them, such as employee awareness programs, employee background and reference checks, and exit interviews to gather information about attitudes toward the company and insights into working conditions.
The clear lesson here is that organizations must look past the perimeter and know what is happening inside the network, in addition to what is happening outside. The most likely enemy won't fit the stereotype: beware that the threat could very well come from within.