I'm sure, at some point, you've all been asked what mischief you would get up to if you were invisible for a day. Or what if you could time travel? In the digital era the equivalent might be to ask what you would get up to if you had advanced cyber-skills. Would you snoop on your employer if you could?
Every office worker knows that you can't just access any company data you want to get your hands on. Confidential company files are locked away from the eager eyes of curious employees: out of sight and out of mind. Access to information is limited, whether it's private emails between colleagues, company financials, your colleagues' salaries, performance reviews or embargoed information about new products and services. But if you were given the opportunity, what company systems or online accounts would you want to access? What would be the most coveted information?
CyberArk's recent poll of 1,000 office workers revealed that even the happiest workers would be tempted to access sensitive company information - if they knew they wouldn't get caught. In fact, over half (52 percent) of workers surveyed would browse off-limits company data - from other colleagues' salaries to conversations about themselves and HR information.
Spying on company data is one thing, but we know that cyber-criminals are increasingly going one step further than stealing data by altering information on servers and databases. Given the opportunity, everyday office workers would follow in hackers' footsteps and alter information on their company's system - if there would be no repercussions for themselves. The motives for this primarily revolved around time and money, with almost a third (31 percent) wanting to treat themselves to a pay-rise and one in five (19 percent) allocating extra holiday days to themselves.
Why stop at your own company?
Our research found that nearly a quarter (23 percent) of people would book themselves free holidays or add funds to their bank accounts. Others would take on the role of 'hacktivists', with political motives ranging from putting a stop to immoral companies to glancing at confidential government intelligence to making changes to the law.
The immorality of the act is not a problem for over one in five (21 percent) employees, who say it is their technical ability, not conscience, holding them back. And we found that very unhappy employees are twice as likely to access company information as very happy employees. With the average person's cyber-skills improving all the time, businesses must be more aware than ever of the insider threat. This includes having systems in place to monitor and stop unwanted insiders in their tracks in order to protect their most valuable information.
The real cyber threat
By considering what we as ordinary people would do if we had advanced cyber-skills, we can only begin to imagine the chaos professional cyber-criminals could cause if they were able to access a company's systems – undetected – and attack the heart of the enterprise.
While these findings highlight the potential mischief that employees can get up to without proper access controls, it's also an important reminder that insiders – or cyber-attackers posing as insiders – pose one of the greatest security threats to organisations today. If more than half of everyday workers would be prepared to access sensitive data, it's not hard to imagine the damage a cyber-criminal with advanced skills and malicious intentions could cause. They have no loyalty to the company, and are more likely to be driven by financial or political motives over innocent curiosity.
So, what can organisations do to stay in control?
· Take a close look at the business. The number of high value application and admin accounts that businesses have on their network is often hugely underestimated. Every single one of these needs to be closely managed and secured to ensure that they don't become a point of vulnerability.
· Basic controls are still essential, including creating one-time passwords, automatically changing them on a 30- or 60-day cycle, and putting controls in place to ensure passwords are as complex as possible.
· Collaboration is a buzzword every business hears day in, day out, but its importance cannot be overstated. Discussing experiences and sharing learnings and best practice with industry peers is one of the best ways to ensure everyone is kept up to date with the evolving threat landscape.
The basic rule in defending against malicious insiders is to address the threat, not the individual. Privileged access – not people – is the true insider threat. The process of securing privileged accounts should be ongoing, with continuous evaluation and adjustments to improve security as the business and threat landscape changes. By giving the right users the right access at the right time, organisations can keep confidential information locked down.
Contributed by David Higgins, director of strategic accounts, EMEA, CyberArk
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.