A hacker is not necessarily someone sitting somewhere in China or Russia trying to hack your bank account; it can be your employee or contractor too. Devin Smith explores the threat and looks at what organizations can do to reduce risks in this area.
Security technology is advancing to combat the latest hacking threats and techniques, but what about human behavior? That changes much more slowly. Today, the biggest danger isn’t a misguided genius exploiting a cutting-edge vulnerability — but someone in an organization making a mistake.
Hackers can be your partners, employees (current and former), contractors, interns, suppliers, and even customers.
I think that makes sense too - they know your network infrastructures, staff, business practices, applications, and often your revenues; we trust them the most. What happened if we trust our stakeholders more than they deserve? A malicious attack - destruction of data and/or applications, injecting trojans, overloading computer/network storage or processing capacity, stealing credit card information, and whatnot - on a network or computer system by a person with authorized system access.
There are so many business breaches that are performed by their stakeholders; do you remember Terry Childs - a network engineer for the San Francisco Department of Telecommunications and Information Services - managed to alter the city’s network passwords, locked access for 12 days, went to jail and held on $5 million bail.
So, what exactly is an insider threat?
The term ‘insider threat’ is used to refer to malicious insiders willfully stealing, damaging and/or exposing internal data or systems, but these (motivated by grievances or profit) are a small part of the total threat.
Companies face more serious threats from insiders inadvertently disclosing data or damaging cyber security. In some cases, a worker’s action comprises the entire breach.
What if an employee sends a confidential file to the wrong client, or loses a flash drive with sensitive information in a public place, or clicks on rigged links in emails, messaging apps and/or advertisements and invites hackers to surveil him/herself and the organization?
However, the most severe insider threats usually occur when employees and/or partners leave doors open to the bad guys — either via personal negligence, poor or inadequate security practices, or both.
Prevention is a must!
First, get to know all the possible threats that insiders could pose.
Sources of insider attacks
Most hackers are motivated by profit, not challenge. In such cases, they behave professionally - and look for poorly guarded valuable property.
From third-party apps to unpatched vulnerabilities to employees, unsecured software is the biggest insider threat to companies. We cannot ignore the complex organizational or infrastructure problems behind poor security. The problem gets worse when companies want their IT staff to do double duty as system admins, leading them overburdened, or not having enough expertise in systems administration.
Sometimes, organizations use legacy software that doesn’t support advanced features, such as strong encryption; even companies with updated software often store information in neglected data silos, that can serve as back doors for thieves.
And it’s not just core applications, even workers (particularly millennials) also pose vulnerabilities by adopting cloud apps to enhance mobility and productivity. Unfortunately, many such apps prioritize convenience over security; and automatically synchronize data even on an open connection without using encryption. A hacker sitting in a coffee shop could steal, alter, or destroy records, without the workers even knowing.
Having a mobile workforce other than a traditional office setting has lots of advantages, but security isn’t one of them.
It’s harder to secure mobile devices scattered around than it is to secure a row of office computers on a network. There are a huge number of ways employees can inadvertently conduct breaches using their personal devices. For example:
- Downloading malware;
- Hackers spying on WiFi;
- Losing devices, or having them stolen;
- Failing to adhere to the whitelist or technology-use guidelines.
Email accidents happen anytime with anyone, ranging from harmless to slightly embarrassing; you’ll autocomplete the wrong address; click ‘send’ before you’ve finished rewording a message; or you’ll hit ‘reply to all’ when you should send the message to one person.
But these mistakes become very serious when it’s happening within the business environment; one mistyped address can break compliance, leak a document, send a sensitive message to the wrong recipient, or worse.
Bad access practices
No matter how many times you warn them, people still screw up password safety.
A recent survey found that;
- 73 percent of accounts use duplicate passwords.
- 47 percent of users haven’t changed passwords in five years or more.
Imagine if an employee shares an easily-guessed password across different accounts, a hacker will get access to everything, by hacking a single account.
Other bad access practices that erode security are:
- Storing passwords in browsers on public computers;
- Forgetting to clear the browser cache after using public computers or WiFi;
- Leaving systems logged in and unsupervised;
- Jumping online on public WiFi;
- Keeping passwords in unencrypted documents.
You cannot stop people from being careless, but you can mitigate the risks:
An insider threat mitigation strategy
Here are some tips to help you; some of them might be complex and costly, but others are simple to practice.
- Use Google Apps security tools to enforce multi-factor authentication or any other business productivity suites with similar functionality. Enabling multi-factor authentication will be a hassle or time-eating, as employees have to enter both their password and a code (sent to phone) every time they log in. Even if a hacker guesses the password, they won’t be able to access without the phone code.
- You need to implement a strong password policy, requiring employees to use 12 or more characters; using a statement rather than words would make the password impossible to guess.
- You should also promote frequent password changes — ideally once every ninety days — to reduce the likelihood of hackers breaching your employee’s account.
- Being an employer, you need to carefully weigh the benefits of remote-working against the risks, and take actions to mitigate possible vulnerabilities.
- Organizations subject to CJIS compliance rules may wish to ban personal devices and issue official devices with security controls.
- The flow of information needs to be restricted – determine what information can be accessed outside of the office and require employees to use the organization’s network to access sensitive data.
- Companies need to adequately train and supervise workers in technology usage, enforcing security practices, and monitoring employees’ accounts for unauthorized access and violations of policy.
- In the case of remote access, organizations need to implement mechanisms to motivate employees to quickly report stolen devices or suspected breaches from anywhere, without fear of reprisal.
- Companies also need to employ encryption and access control to limit the damage of a successful breach.
- On the administrative end, companies need systems-audit, updated software, and regular patching.
- Legacy systems need to be migrated to modern systems; if not feasible, they should be insulated from outside access as much as possible.
- For employees and contractors, strictly control app usage; enforce a software whitelist to prevent breaches from low-security apps.
- Combined with password hygiene and access control, encryption can also make breaches less likely, and limit the information a successful hacker can access.
If you don’t want any of your assets, especially employees, to become a disaster, then take the insider threat issue seriously.
About the author
Devin Smith is a tech-mech by profession and IT security analyst at AllBestVPN.