Tuesday, May 28, 2024


The danger from within


We all know about the 2013 cyberattack on Target, in which criminals stole the payment card numbers of some 40 million customers and the personal data of roughly 70 million. What’s less well known is that although the thieves were outsiders, they gained entry to the retail chain’s systems by using the credentials of an insider: one of the company’s refrigeration vendors.

Insiders can do much more serious harm than external hackers can, because they have much easier access to systems and a much greater window of opportunity. The damage they cause may include suspension of operations, loss of intellectual property, harmed reputation, plummeting investor and customer confidence and leaks of sensitive information to third parties, including the media.

Many organizations admit that they still don’t have adequate safeguards to detect or prevent attacks involving insiders. One reason is that they are still in denial about the magnitude of the threat.


Insider threats come from people who exploit legitimate access to an organization’s cyberassets for unauthorized and malicious purposes or who unwittingly create vulnerabilities. They may be direct employees, contractors or third-party suppliers of data and computing services.

According to Vormetric, a leading computer security company, 54% of managers at large and midsize organizations say that detecting and preventing insider attacks is harder today than it was in 2011. What’s more, such attacks are increasing both in number and as a percentage of all cyberattacks reported: A study by KPMG found that they had risen from 4% in 2007 to 20% in 2010. Our research suggests that the percentage has continued to grow. In addition, external attacks may involve the knowing or unknowing assistance of insiders.


+ THE SIZE AND COMPLEXITY OF INFORMATION TECHNOLOGY. Do you know which individuals are managing your cloud-based services, who cohabits those servers with you, and how safe the servers are? How trustworthy are those who provide you with other outsourced activities, such as call centers, logistics, cleaning, HR and customer relationship management?

“Dark Web” sites, where unscrupulous middlemen peddle large amounts of sensitive information, now abound. Everything from customers’ passwords and credit card information to intellectual property is sold on these clandestine sites. Insiders are often willing to provide access to those assets in return for sums vastly less than their street value, contributing to the “cybercrime-as-a-service” industry.

+ PERSONAL DEVICES. Increasingly, insiders – often unwittingly – expose their employers to threats by doing company work on their own phones, tablets and laptops, which sit outside the organization’s patching and monitoring. According to a recent Alcatel-Lucent report, some 11.6 million mobile devices worldwide are infected at any time, and mobile malware infections increased by 20% in 2013.

+ SOCIAL MEDIA. Social media allow all sorts of information to leak from a company and spread worldwide, often without the company’s knowledge. They also provide opportunities to recruit insiders and use them to access corporate assets. The so-called romance scam, in which an employee is coaxed or tricked into sharing sensitive data by a sophisticated con man posing as a suitor on a dating website, has proved to be particularly effective. Other strategies include using knowledge gained through social networks to pressure employees: A cyberblackmailer may threaten to delete computer files or install pornographic images on a victim’s office PC unless the sensitive information is delivered.


+ ADOPT A ROBUST INSIDER POLICY. This should address what people must do or not do to deter insiders who introduce risk through carelessness, negligence or mistakes. The policy must be concise and easy for everyone – not just security and technology specialists – to understand, access and adhere to. The rules must apply to all levels of the organization, including senior management.

+ RAISE AWARENESS. Be open about likely threats so that people can detect them and be on guard against anyone who tries to get their assistance in an attack. Customize training to take into account what kinds of attacks workers in a particular operation might encounter. It is possible to test your staff’s vulnerability to such attacks – either on your own or by employing an external security service.

Encourage employees to report unusual or prohibited technologies and behavior, just as they would report unattended luggage in an airport departure lounge.

+ LOOK OUT FOR THREATS WHEN HIRING. It is more critical than ever to use screening processes and interview techniques designed to assess the honesty of potential hires. Examples include criminal background checks, looking for misrepresentations on résumés and interview questions that directly probe a candidate’s moral compass. During the interview process you should also assess cybersafety awareness.


Ask potential suppliers during precontractual discussions about how they manage insider-related risk. If you hire them, audit them regularly to see that their practices are genuinely maintained. Make it clear that you will conduct audits, and stipulate what they will involve. A company might require of suppliers the same controls it uses itself: screening employees for criminal records, checking the truth of job candidates’ employment histories, monitoring access to its data and applications for unauthorized activity, and preventing intruders from entering sensitive physical premises.

+ MONITOR EMPLOYEES. You cannot afford to leave cybersecurity entirely to the experts; you must raise your own day-to-day awareness of what is leaving your systems as well as what is coming in. That means requiring security teams or service providers to produce regular risk assessments, which should include the sources of threats, vulnerable employees and networks and the possible consequences if a risk becomes a reality. You should also measure risk-mitigation behaviors, such as response times to alerts.

Most routers and firewalls can log outbound connections as well as inbound ones, but the feature is frequently left switched off; make sure it is activated, and make sure someone actually compares the output against a baseline of what normal traffic looks like, since a log nobody reads detects nothing. If you don’t have the equipment to monitor outgoing traffic, buy it. You must also log and monitor other means of exfiltration – USB flash drives and other portable storage media, printouts and so on – through spot checks or even permanent, airport-style searches of people entering and exiting your buildings.
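To make the point about outbound monitoring concrete, here is a small added example (not code from the article or its authors) of the kind of check a security team would run over firewall egress logs. The log lines, user names, addresses and watch-list ports are all constructed for illustration, and the log format is a hypothetical one; a real deployment would read the firewall or NetFlow export instead. The check flags a user whose traffic leaving the network on one day is far above the median of their other days, and any outbound connection from a workstation to an internet host on a port that a workstation rarely needs (SSH, FTP, RDP, SMB).

```python
"""Egress-volume and watch-port check over constructed firewall connection logs."""
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample log: one line per allowed outbound connection.
# Fields: date,user,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_LOG = """\
2024-05-20,alice,10.0.1.15,142.250.72.14,443,120000
2024-05-20,alice,10.0.1.15,10.0.2.5,445,900000000
2024-05-20,bob,10.0.1.22,142.250.72.14,443,80000
2024-05-21,alice,10.0.1.15,142.250.72.14,443,150000
2024-05-21,bob,10.0.1.22,52.96.0.1,443,95000
2024-05-22,alice,10.0.1.15,142.250.72.14,443,110000
2024-05-22,bob,10.0.1.22,52.96.0.1,443,70000
2024-05-23,alice,10.0.1.15,142.250.72.14,443,130000
2024-05-23,bob,10.0.1.22,52.96.0.1,443,85000
2024-05-24,alice,10.0.1.15,203.0.113.9,22,2500000000
2024-05-24,bob,10.0.1.22,52.96.0.1,443,90000
"""

# Address ranges treated as "inside" the organization (assumed: RFC1918 plus
# loopback and link-local). Traffic to anything else counts as egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical watch list: ports a workstation rarely needs on the internet.
WATCH_PORTS = {21, 22, 23, 445, 3389}


def parse_log(text):
    """Parse 'date,user,src_ip,dst_ip,dst_port,bytes_out' lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        date, user, src, dst, port, nbytes = line.split(",")
        records.append({"date": date, "user": user, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def is_external(ip):
    """True when the destination lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_bytes(records):
    """Bytes per user per day, counting only traffic that leaves the network."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if is_external(r["dst"]):
            totals[r["user"]][r["date"]] += r["bytes"]
    return totals


def find_anomalies(records, factor=10, min_days=3):
    """Return (user, date, reason) findings for volume spikes and watch-list ports.

    A day is a spike when its egress is at least `factor` times the median of
    the same user's other days; the median is used so that one huge day does
    not inflate its own baseline. Users with fewer than `min_days` other days
    of history are skipped rather than judged against a meaningless baseline.
    """
    findings = []
    for user, by_day in daily_external_bytes(records).items():
        for day, sent in by_day.items():
            others = [v for d, v in by_day.items() if d != day]
            if len(others) < min_days:
                continue
            baseline = statistics.median(others)
            if baseline > 0 and sent >= factor * baseline:
                findings.append((user, day,
                                 f"egress volume {sent} B is {sent / baseline:.0f}x "
                                 f"the median of other days ({baseline:.0f} B)"))
    for r in records:
        if is_external(r["dst"]) and r["port"] in WATCH_PORTS:
            findings.append((r["user"], r["date"],
                             f"outbound {r['dst']}:{r['port']} is on the watch list"))
    return sorted(findings)


if __name__ == "__main__":
    for user, day, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {reason}")
```

In the sample, alice’s 900 MB transfer on 20 May goes to an internal file server and is ignored, which is the point of separating egress from internal traffic; her 2.5 GB to an internet host over SSH on 24 May is flagged twice, once for volume and once for the port. Bob’s steady traffic produces nothing. The thresholds are starting points, not answers: tune the factor and the watch list to the environment, and feed the findings to a person, because the article’s argument is that the technology only helps when someone is looking at it.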

The most effective strategy for defusing the cyberthreat posed by insiders is to use the protective technologies available and fix weak points in them, but focus ultimately on getting all insiders to behave in a way that keeps the company safe. People need to know what behaviors are acceptable or unacceptable. Remind them that protecting the organization also protects their jobs.

(David M. Upton is the American Standard Companies professor of operations management at Oxford University’s Saïd Business School. Sadie Creese is the professor of cybersecurity at Oxford and director of its Global Cyber Security Capacity Centre. Upton and Creese are principal investigators in the Corporate Insider Threat Detection research program.)