When people think about cyber attacks they tend to conjure up images of shadowy nation state spies, Eastern European crime syndicates and bedroom-bound hacktivists. This makes for a good story and such attackers undoubtedly exist, but the truth is that organisations are potentially exposed to an even greater risk from within. Employee negligence and malicious insiders may not attract the same kind of headlines, but they represent a serious threat to corporate revenue and reputation nonetheless.
It’s a tough problem to fix and that’s why it continues to cause serious challenges for IT security teams. However, with the right approach, focused on plugging cyber security skills and awareness gaps, there is light at the end of the tunnel.
Time to look within
From Yahoo to Equifax and Deloitte, the roll call of major data breaches emerging in the second half of 2017 was astonishing. Billions of consumers and countless organisations have been affected and there are certainly important lessons to be learned here about how enterprises can better mitigate the risk of external attacks. But these headline-grabbing incidents do not tell the whole story.
Just 23% of respondents to a SANS Institute study earlier this year claimed external attackers would cause the most physical, fiscal, and reputational damage. By contrast, 36% said that the worst breaches would come from “unintentional” insiders, while 40% said malicious insiders would cause the most damage.
The insider threat isn’t merely theoretical. In August, TalkTalk was fined £100,000 by the ICO after cyber security deficiencies allowed contractors in India to unlawfully access 21,000 customer accounts as part of a major tech support scam.
In October, supermarket giant Morrisons was sued by over 5,000 employees after their personal and financial information was leaked by a disgruntled insider who is now behind bars. Senior internal auditor Andrew Skelton leaked the details of nearly 100,000 employees in an incident said to have cost the firm over £2 million to mitigate.
It’s not just malicious insiders causing real harm to organisations. Freedom of Information requests sent to the ICO revealed that staff mistakes accounted for almost half of all breach incidents reported to the privacy watchdog over the past couple of years. Over the most recent quarter, the ICO reported a 27% increase in data sent by email to the wrong person, following a 20% increase in the previous quarter.
There is therefore a clear and urgent need for greater investment in programmes to track and respond to the growing insider threat. The question is, where should we focus these resources?
Failing to plan, planning to fail
In the SANS Institute study from July 2017, just 18% of respondents said they had formal incident response plans that include the possibility of an insider attack. Although half (49%) said such a plan was in development, almost a third (31%) claimed they had no formal programme to deal with threats from insiders.
This needs to change. We live in an age where data is the new currency; in fact, it is the lifeblood of any business. It’s inevitable that malicious internal actors will at some point try to access that data, whether for monetary gain or to cause chaos and disruption. It’s also likely that staff will at some point make mistakes which could have a similarly serious impact. Only through proper planning can you effectively minimise the chances of damaging cyber-related incidents.
For compliance reasons alone, organisations must address the insider threat. GDPR, and its UK equivalent, the Data Protection Bill, will levy fines of £17 million or 4% of global annual turnover on those that fail to protect customer data adequately. The NIS Directive, again an EU-led piece of legislation, will mandate the same maximum fines for providers of “essential services” that fail to put in place best-practice security.
Both are set to land in May 2018, so there’s no time to waste. In short: education of the workforce from the top down is crucial for a safer, more security-aware company.
Plug the education gap, plug the leaks
We are in the midst of a global IT security skills crisis, causing direct and measurable damage to businesses. Yet what we must also remember is that general cyber security awareness levels among employees remain worryingly low. Incidents of ransomware have increased by 300% since 2015, and yet budgets for security training globally are falling. How can this be, when over 90% of cyber attacks are caused by human behaviour?
Education is the answer. Attacks are happening on a daily basis, so alongside crafting incident response plans, companies need to make sure that their workforce is able to recognise malicious emails – very often the first stage in a potentially devastating cyber attack.
A growing risk is that of negligent insiders being tricked by phishing emails or fake helpdesk calls into giving away their login details, or being socially engineered into opening malicious attachments. Educating employees to recognise these threats is a vital prerequisite to operating best-practice security.
Granted, education will not mitigate the risk of malicious insiders, but for those who aren’t as security savvy as their colleagues, it could be a lifeline for their career as well as their company.
Closing the skills gap is not necessarily about hiring new and already cyber-certified staff, as this can be costly and time-intensive. Instead, it is about upskilling and cross-skilling any existing workforce to be security-aware, and therefore a further asset to your company. Any organisation, no matter how big or small, is just one click away from compromise.
Sourced by Dr Eric Cole, Fellow, SANS Institute