In today’s digital environment, businesses face a daily struggle against a host of maleficent cyber threats, ranging from evolving malware to phishing scams.
But the biggest and most malicious threat originates from within. The hundreds of thousands that organisations spend on prevention, detection and incident response security solutions can be undermined by a single employee: the insider threat.
This internal compromise can take the form of intentional sabotage or an unwitting mistake, of which the latter is the most common. Last year, research from cyber security firm Imperva found that insider threat events were found in 100% of the business environments it surveyed. The problem is endemic and incredibly hard to detect.
To illustrate this, Rob Sobers, director of Varonis, tells Information Age a compelling story about a certain Greg Chung: ‘He worked for Boeing for 30 years, and during that period he stole $2 billion worth of sensitive documents and sold them to China. When the FBI finally caught up with him, they found 250,000 sensitive aerospace documents buried beneath his home. He was sentenced to 16 years in prison. This case really illustrates how long an insider threat can persist undetected.’
The insider threat, the traitor within the ranks or the unwitting rogue represents one of the greatest challenges to businesses trying to stave off a constant barrage of cyber attacks and corporate espionage. But why is this problem so common? To what extent can they damage an organisation? And how can businesses protect themselves from a seemingly undetectable peril, while maintaining employee trust?
These questions will be addressed throughout this piece.
Defining the rogue employee, one would think, is quite simple: a malicious individual intent on undermining his or her company for personal or professional gain. Rick Orloff, CSO at Code42, says, ‘[Such attacks] represent purpose-driven action on the part of insiders to act in direct opposition to the interests of the organisation, whether for financial gain, retaliation or some other motivation.’
Indeed, there are a number of ‘obvious’ reasons why an employee goes rogue: selling trade secrets, advancing their career and even for the sheer thrill (although the latter might be slightly romanticised).
As an example, Bryan Campbell, senior security researcher and distinguished engineer, UK and Ireland, at Fujitsu, tells Information Age, ‘We have recently identified active recruitment of ATM engineers to install malware on systems to intercept transactions.’
However, the nature of the insider threat is complex and can take the form of a variety of individual intentions or mistakes, as Campbell considers. He says that compromised information originating from within an organisation falls into three main categories: unthinking error, well-intentioned workarounds and deliberate malice.
Unthinking errors refers to a lack of concentration resulting in an external data leak from an internal source. This type of insider threat is exposed by external criminals who specialise in phishing email scams, for example.
‘Well-intentioned workarounds,’ says Campbell, ‘are an often overlooked risk. An employee might need to edit a sensitive document overnight, and send it to their private webmail address to work on at home. This is deliberate but not malicious, yet it is a risk.’
The final category, deliberately malicious users, on which this piece is mainly focused, are those who seek to cripple a company based on the variety of reasons already mentioned. Campbell offers some interesting industry insight into these unscrupulous characters and suggests that they never go bad suddenly.
‘They typically spend at least 30 days demonstrating behavioural traits such as data manipulation or theft or unexplained changes to working patterns, complaints to or about colleagues, threats, sudden increases in security breaches and accessing parts of the network they do not need to.’
Access all areas
Regardless of intent, the danger posed is great, because the access these renegades have within an organisation means that they can sell or leak data with relative ease, intentionally or otherwise.
They can even manipulate other employees into providing them with data from privileged access points ‘above their pay grade’ from within a business. ‘Insiders can have very high or even unrestricted access rights to operating systems, databases and applications,’ comments István Szabó, product manager at Balabit.
Crucially, as Szabó identifies, ‘malicious insiders hold an advantage over a company’s primary security tools, because these tools are designed to protect against external threats, not against trusted employees’.
Despite the infamous Edward Snowden leaks, security protocols in many organisations, for the most part, are not designed with the insider threat in mind.
According to a report commissioned by Splunk and IDC, only 12% of businesses reported insider threats as being of high concern for their company, and only 27% were worried about poor end-user security practices.
Indeed, the report suggests that some organisations have no approach at all for detecting the activity that leads to accidental breaches. Most employees have relatively easy and legitimate access to computer systems as part of their job. It is this detailed understanding and access to their own company’s network, and the hapless attitude to malicious insiders, that gives an internal threat the upper hand when, first, stealing (or unwittingly releasing) information and, second, evading capture or detection.
Working alone in the pursuit of undermining your organisation is criminal, to say the least. But, duping a fellow, faithful employee into handing over a desired password or set of data goes beyond what could be considered cruel.
The insider rogue’s moral compass is drastically skewed. David Venable, VP of cyber security at Masergy, explains to Information Age that a malicious insider will ‘trick’ another employee into providing him or her with sensitive information.
So, why is this threat so common that it pervades nearly all organisations, if not every one? The answer seems to be twofold. For the unsuspecting insider threat, a lack of security training and awareness – and, perhaps, general naivety – opens their organisation up to an incident. For the malicious insider threat, the ease with which information and data can be obtained is the crucial factor.
Financial incentives from rival organisations may be so great that employees simply think: why not? Loyalty, it appears, is dead.
Moving up the agenda
The priority that organisations are now placing on security in general is increasing. The problem is no longer an IT concern, but a business-critical issue, precipitating from the top down.
This recognition is illustrated by IDC’s prediction that information security spending will top $101 billion by 2020.Investment alone, however, will not be able to halt the seemingly unstoppable march of the insider threat. This is mainly because of the unparalleled access to and knowledge they have of an organisation’s network.
It is not impossible, though, and like the reason why the threat is so common, preventative measures are twofold. First is mitigating the risk from the unwitting rogues. Education is crucial in mitigating this type of insider threat.
This can be provided through an extensive and regular security training awareness scheme.
‘Regularity of training is important,’ highlights Bryan Lillie, chief technology officer and head of cyber security at QinetiQ. ‘Frequent or refresher sessions containing updates on recent incidents, near misses, policy/procedural changes and threat profile changes are highly effective at drawing attention to the importance and relevance of the topics.’
‘Use real-life examples. Studies have found that 94% of staff changed the way they thought about security after hearing a story about an incident, and 52% changed their behaviour.’
In going about disrupting this security vulnerability, it is important to maintain employee trust: the vast majority will not inexplicably make a mistake leading to a loss of data, and even fewer will intentionally undermine a company. In this regard, data classification is essential.
Matthew Bryars, CEO and co-founder of Aeriandi, agrees. When handling sensitive personal information, for example, run it through a secure payment platform, Bryars advises. ‘This means that agents can see that the transaction is taking place but, crucially, have no visibility of customer data. With no sensitive data taken, processed or stored on-site, the insider threat is completely removed.’
‘Organisations can implement these systems while maintaining employee trust, as they protect the agents themselves from potential criminal coercion and human error.’
The second set of preventative measures target the malicious insider. This is more complicated. It requires a bolstering of internal defence protocols and the implementation of identity access management. Gert-Jan Schenk, VP international at Lookout, even suggests an employee monitoring solution, although this could jeopardise employee trust.
Matt Middleton-Leal, regional VP for the UK, Ireland and Northern Europe at CyberArk, echoes his contemporaries’ view and believes that in order to truly neutralise the malicious insider organisations should monitor employees: ‘To effectively protect against insider threats, organisations should minimise user privileges to reduce the attack surface, lock down privileged credentials, and control and monitor privileged accounts, which are consistently targeted by advanced insider and external attackers alike.’
This view reveals that mitigating the insider threat is possible. It is time consuming and expensive, but it is possible. However, with this approach to seeking to identify and stop a traitor in the ranks, it appears that employee trust must be overlooked.
‘Surveillance’ is key in defending an organisation from the data thieves that lurk within their ranks.