When I’m working with a client and the topic of cybersecurity arises, they want to talk about attacks from Russia, North Korea or various organized crime entities. But did you know that these types of threats are not the most likely avenue from which you’ll have a breach in your cybersecurity? In fact, they are WAY down the list of who’ll be the reason your security is compromised. Want to know the greatest threat?
Your own employees.
I’m not even remotely kidding. Studies show up to 75% of the threats to organizations come through internal users. The technical term for this is the insider threat. Most of these are not malicious, but they are caused by employees who make errors or don’t follow security protocols.
Did you know that a UK study showed that 52% of employees don’t see sharing their login credentials with other employees as a security threat? Or that 2,500 internal security breaches occur in business in the United States every day? Perhaps the fact that 62% of users themselves report that they have access to company data that they probably do not need is new to you.
But some ARE malicious.
Jason Needham left his job at Allen and Hoshall in 2013 to start his own company. For the next two years he repeatedly stole intellectual property from his former employer along with proposals to clients. He also accessed the email of a former colleague to get details about marketing plans and other critical data. How was he discovered? Not by the former employer, but rather when a potential client noticed the striking similarity of a proposal from Mr. Needham’s company to a proposal from his former employer. The result? Over $400,000 in stolen information and an 18-month jail sentence.
Christopher Victor Grupe was suspended and then fired from his job as a sysadmin at the US headquarters of Canadian Pacific Railway in Minneapolis, MN. Mr. Grupe worked with his boss to allow him to resign instead. Before Grupe returned his company laptop he logged back into the company network, connected to multiple switches, deleted admin accounts, reset passwords and destroyed critical files. Then he cleared logs and wiped his laptop drive in order to hide his actions. A couple of weeks later network issues began to appear and IT staff learned their credentials did not work. Systems went down, reboots were required and, in some cases, a full reset and reconfiguration was likely required. Mr. Grupe was convicted after outside forensics experts were able to find proof of his access in the memory of the switches along with traces from his laptop. He was sentenced to 366 days in prison.
Neither of these criminal security breaches was directly detected by security controls in the organizations. Both required outside assistance to discover or resolve the issues related to the malicious attacks.
Here is the gist of the problem. Many organizations lack the proper technology and procedures to deal with the insider threat. In fact, in my experience working with clients, some openly admit that they don’t have available resources to even consider dealing with this issue and have adopted a “we just have to trust in the skills and goodness of our people to not make mistakes or be malicious” attitude.
With the vast majority of threats coming from our own staff, this is a very dangerous position.
What is the solution?
Your organization CAN address the insider threat, while still maintaining the ability of staff to do their jobs and not feel they are being watched every moment. Let me provide four essential areas to put this into practice:
Awareness and Training
Awareness comes in two forms: recognizing that the insider threat exists, so that resources are applied to mitigation methods, AND making all staff aware of their responsibilities in relation to security. Staff training should cover the policies that are part of our overall security program, based on a framework such as the NIST Cybersecurity Framework. Once we admit there is a threat we can add policies that specify the types of controls used to mitigate the threat.
Controls allow us to decrease or eliminate the threat using hardware, software, procedures and policies. Some controls are physical appliances such as proxies or firewalls. Others may be software that manages user access to internal and external resources. Procedures for requesting access to sensitive information or areas and policies for acceptable use are also powerful ways to secure our assets. Next, we need to consider the greater threat posed by our privileged users. Individuals and groups with administrative access or the ability to view and modify PII (personally identifiable information) require extra vigilance. We discuss all types of controls in our NIST Cybersecurity Framework courses and get into some very specific Microsoft controls in our Securing Windows Server 2016 course.
Auditing is the process of capturing and reviewing information. Some documentation divides this into two processes: accounting is capturing the information and auditing is the review stage. Either way, it is critical to both capture and review details of access to sensitive information, systems and locations by internal staff. Doing so allows us to know when someone has been granted more access than is required for their role but also provides the opportunity to discover unusual behaviors. These unusual behaviors could be indicative of an account that has been compromised by an external attacker or the actions of a malicious internal user. Solutions such as Microsoft’s Advanced Threat Analytics (ATA) product provide an incredible amount of actionable intelligence in an easy-to-understand format for just this purpose. ATA is also covered in Securing Windows Server 2016.
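To make the review stage concrete, here is an added example (not code from this article or from ATA) that checks captured access records against role entitlements and separation dates. The log format, account names, roles, resources and action names are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data for illustration; not taken from any real system.
ROLE_ENTITLEMENTS = {  # resources each role needs to do its job
    "engineer": {"design-share"},
    "netadmin": {"core-switch", "design-share"},
}
USERS = {  # account -> (role, separation date or None if still employed)
    "alice": ("engineer", None),
    "bob": ("netadmin", "2024-03-01"),
    "carol": ("engineer", None),
}
DESTRUCTIVE = {"delete-account", "reset-password", "clear-log"}
AUDIT_LOG = """\
2024-02-27T09:14:00 alice read design-share
2024-02-28T10:02:00 carol read payroll-db
2024-03-03T22:41:00 bob login core-switch
2024-03-03T22:44:00 bob delete-account core-switch
2024-03-03T22:52:00 bob clear-log core-switch
2024-03-04T08:30:00 alice read design-share
"""

def review(log_text, users=USERS, entitlements=ROLE_ENTITLEMENTS):
    """Return (finding, log line) pairs that a person must follow up on."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            findings.append(("malformed-record", line))
            continue
        ts, user, action, resource = parts
        role, separated = users.get(user, (None, None))
        if role is None:
            findings.append(("unknown-account", line))
            continue
        # Any activity on or after the separation date means the account
        # was never disabled when the person left.
        if separated and datetime.fromisoformat(ts) >= datetime.fromisoformat(separated):
            findings.append(("activity-after-separation", line))
        # Access to a resource the role does not need: excess privilege.
        if resource not in entitlements[role]:
            findings.append(("outside-role", line))
        # Account deletion, password resets and log clearing always get reviewed.
        if action in DESTRUCTIVE:
            findings.append(("destructive-action", line))
    return findings
```

Running `review(AUDIT_LOG)` flags carol's access outside her role and all three of bob's post-separation actions, two of which are also destructive.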
None of these areas is of any value if they are implemented with no human follow-through. For medium to enterprise organizations, security data can be filtered through a Security Information and Event Management (SIEM) solution; for small businesses, less complex solutions are available. Either way there will come a point where people must act on the possible security breaches. Many examples exist where security solutions provided clear notification of vulnerabilities and breaches, but humans failed to act. Equifax and Target made clear the need for security staff to always check into these events.
Perhaps the most overlooked yet dangerous group of individuals in relation to organizational security is the internal staff. Although nearly all mean well, accidents and errors happen, and a small percentage are truly malicious. A business or entity which does not create and maintain policies, procedures, controls, audits AND lacks a consistent record of follow through risks loss of reputation, trust, capital, business opportunities and possibly the survival of the organization itself.
None of us can afford to ignore this threat, yet many do. Don’t become a statistic in the growing list of cybersecurity failures. Protect your organization and staff by implementing proper internal security measures.