Recent government research found that two-thirds of big UK businesses have been hit by a cyber-attack in the past year, with most of those involving viruses, spyware or malware. Following on from these findings, the UK government is urging businesses to do more to protect themselves.
While implementing lines of defence against external threats should be seen as a priority, it is key that businesses also take an introspective look and ensure they are defending themselves from attacks that may originate from within.
What is an insider attack?
An insider attack is any cyber-attack in which access was gained from within your organisation. This could be an employee, contractor or anybody with privileged access to your systems and information.
Insider attacks may be a deliberate action, or they may be the result of an employee either being tricked or not taking security seriously – either way they are dangerous.
Often attacks are a hybrid between an external threat and an insider weakness, for example the 2013 cyber-attack on US retailer Target. While the theft of 40 million payment card details itself was carried out by external hackers, they gained access by using the credentials of an insider.
Given that 90% of business leaders cite data as one of the key resources for business, and the use of cloud computing to store company data continues to grow, the fallout from such attacks could worsen.
Deploying the right technology
Insider attacks are difficult to spot. They aren’t usually brute force attacks on your security, and attackers may disguise themselves by posing as one of your employees. Alternatively, they may be the result of a deliberate action by a disgruntled employee, such as the one carried out by Edward Snowden against his employers in the US government.
Ultimately the people who you trust with access to your networks and sensitive information are the way in – and that means you need to combine preventative measures with detection.
Preventative measures include strict admin access controls, good security architecture with zoned areas separated by firewalls, and control over access to shared files. Your detection measures should be similar to your external-facing ones, including the monitoring and auditing of access logs, and intrusion detection systems.
Of course, technology is only half the solution, and tends to treat the symptoms rather than the root cause of the issue. The other half falls outside of the IT department.
Encouraging a culture shift
CIOs and CISOs need to work closely with the HR department to address internal security from a culture perspective. Employees should be proud of being secure, and everyone should have a sense of responsibility.
Employees who remain vigilant, question strangers and employ a “better safe than sorry” mentality are as good a line of defence as any firewall, and may well discourage would-be thieves at the first hurdle.
Awareness is key, so sharing anecdotes about near misses and incidents in the past is a good way of preventing them in the future. Keeping security at the forefront of all employees’ minds will increase their sensitivity, making them more aware of potentially harmful email links and attachments, and sophisticated social engineering attacks.
Encouraging an active dialogue is crucial too, and employees should feel as though they can speak up if there’s something they’re not sure about without fear of reprisal. Too often when organisations conduct a review of what went wrong after an insider incident, a manager will say, “I thought there was something suspicious about him/her.”
Managers should be trained to have the confidence to highlight these signs, so that multiple indicators are identified as a risk and steps are taken to mitigate it before an incident occurs.
Of course, good information security policies and processes come into play here too: change management, segregation of duties and information handling, combined with things like robust recruitment vetting checks, will help curb attacks.
A wholly different beast
If an external attack is a “brute force” approach that is entirely out of your control, insider attacks tend to be more nuanced, often focussed on gaining or abusing the trust of employees and contractors.
When prevention and detection are combined with regular face-to-face training and a good culture – one which views security as an asset to be proud of and has the flexibility to move with the business, rather than a set of rules that may be viewed as obstacles that get in the way – a business puts itself in the best position possible to ward off such attacks and lay the foundations for a safer future.