It may be the largest cliche of the industry that the biggest, or at least most common threats will come from inside your organisation. Perhaps Mark in accounts is the only one stupid enough to open the email from a guy who apparently found eight million dollars in a suitcase and wants to share it with him. Linda has long forgotten everything in the data protection workshop that you shelled out for and has gone on to share the personal details of 10,000 customers with a friend. For some reason.
It could also be Steve. The one who spends all day on Facebook and is surprised now that he's been fired. And, as it happens, he's left something nasty on your servers.
Any of these situations will not seem particularly strange for the already initiated. Now, no one can avert their gaze. Chances are you will be breached if you haven't yet and chances are that breach will have something to do with one of your beloved staff.
Email is still the top vector for attacking organisations, with cyber-criminals relying on the good faith of the employees, a troubling number of whom go ahead and open those nefarious messages.
A report released by Nuix late last year showed that most executives felt that fallible human behaviour was the most worrying attack vector. The list of industry giants felled by the good or bad intentions of one small employee in the corner office of a marginal department need not be listed here.
Certainly, the great and good of the industry have leapt to the challenge in trying to tackle the technological problem of insider-threat; micro-segmentation, email level solutions, training programmes all have mobilised an admirable resistance against this nebulous danger.
Fewer have attempted to deal with the problem at source. What drives people to compromise their own employers? In these pages, we attempt to answer that question and perhaps, unpack the human aspects of what may be the largest threat to cyber-security in town.
The Enthusiastic One
The truth is, good intentions have sunk as many ships as bad ones. Employees who just want to do a good job can often be the enterprise's weakest point.
Security protocol is cumbersome; it slows people down and for reasons that are rarely intelligible for anyone outside of the IT team. So it seems to make sense that someone merely wanting to do a good job finds a way to overcome the limitations of company IT by introducing an app they've read about.
Whaling also appears to be effective here. A cyber-criminal will impersonate a CEO or other official with either more seniority than the target victim, or relevant authority, then they contact the victim saying that they urgently need a tranche of data or sum of cash transferred.
Commonly, the message is imbued with too much urgency for the person to stop and consider what they are doing. Before long that cash is making its way through a series of accounts into the pockets of the phisher. That kind of example will be keenly remembered by companies like BitPay, which fell for such a scam late last year, losing roughly £1,500,000.
“Unlike external threats, employees are a trusted group - we've already let them into our buildings and onto our systems, giving them privileged access to data that the public don't have,” Mark Ridley, director of technology at Reed.co.uk told SC, “Also unlike external threats, we can't assume that their actions will be malicious - in fact, we have to assume that they are well intentioned, but yet still be prepared for any one of them to become abusive.”
“This might be employees who upload files to their own Dropbox account to keep working at home at the weekend, share slide decks by email with external consultants, or even purchase
new services on their own credit cards to make their work more efficient. Unthinkingly, and with good intentions, data is leaking and back doors are being opened up by these staff.”
The Clueless One
Maybe they haven't been listening. Similar to those with good intentions, those that fall under this heading are not aware of the damage they're doing. They simply don't understand why they can't use Dropbox to send files at work nor the dangers of sharing private company information to their personal account.
Or it could just be an inevitable mistake, something which training will never be able to completely educate out. Earlier this year, the Information Commissioner's Office fined a health clinic nearly £200,000 after someone copied the names of hundreds of HIV positive patients into an email.
It's not uncommon. A study by Intralinks and Ponemon showed that 61 percent of respondents accidentally shared files with unauthorised individuals.
But this kind of oversight extends far further than merely putting the wrong recipient in an email. The holes within any organisation are often far smaller and numerous than most imagine. One can find a trove of information about a workplace by merely mining the social media of its employees. LinkedIn can give any possible attacker an idea of the capabilities of an organisation, handing them not only the skills your company can bring to bear, but the technologies they use.
“The old adage ‘Loose lips sink ships' definitely applies to many organisations' social media policies today,” Travis Smith, senior security research engineer with Tripwire told SC,
“we know confidential information is inadvertently leaked out by well intending users across multiple social channels all the time. Everything from company jargon and internal network data is available in a wide variety of social media.”
The Angry One
This is perhaps the one that can do the most damage because after all, they mean to.
That realisation must have occurred especially pungently to the supermarket chain Morrisons.
In 2014, the supermarket lost the payroll details of 100,000 of its employees, costing the company at least £2 million, not to mention its dignity. This is all, of course, leaving out the lawsuit that thousands of employees are currently bringing against the company for improperly handling their details.
The angry one in question resided in a small, perhaps overlooked corner of Morrison's. Andrew Skelton, an IT auditor who had been formally disciplined for delivering his eBay wins to the office.
Management suspected drugs and disciplined him. Needless to say he was not happy and before long he leaked the details of his 100,000 colleagues to national newspapers and uploaded the data to Pastebin, for all the cyber-underworld to see.
In his resignation letter, he reportedly wrote, “I have almost as little concern for the company as it does for me.” The fact that Skelton later received a sentence of eight years, did little to return the company's dignity or the employees their data.
The Sly One
There are even some who, on leaving the last job, are looking for a golden handshake when they get to the next. Corporate espionage is more common that one might think so it should come as no surprise that this is an area that private agents or competitors might seek to exploit.
In fact, there have been plenty of cases of employees stealing client lists from a previous employer, only to hand it over to a new boss. Hanjuan Jin, a software engineer at Motorola for nearly a decade, was caught by US authorities in 2012 for exactly this kind of behaviour. Jin had 1,000 confidential documents on him when he was arrested by US Customs trying to get on a plane to Beijing. According to some sources, those documents represented US$15 million (£10.5 million) in industry secrets.
This kind of threat has been known to be particularly pronounced in finance, insurance and private medicine; sectors where turnover of staff is often fast and loyalties are often transitory.
“The worse ones are where the directors of the company actually split,” said Steve Armstrong, founder of Logically Secure, recalling a recent incident he had witnessed. One company, “had a director who left the company and because he was a shareholder he was still getting profits from a company that he was a competitor against”.
But what to do about any of this? Clearly, workforce education and technological solutions have to be implemented but they only go so far.
Smith offered some advice. You need to get an idea of what data is already out there, “You should regularly scan your website and social media channels, particularly LinkedIn to see what's out there and how it might be used against you.”
“Once you know what kind of data is leaking you'll be better prepared to improve your employee training and social policies to be more specific about what kind of data disclosures are unacceptable.”
Norman Shaw, CEO and founder of ExactTrak thinks there's a larger solution to this: “It comes down to making them responsible for their actions and that is one thing that companies are very bad at doing.”
But holding employees responsible for their mistakes means they also must be held responsible for their successes, added Shaw: “I think it's a question of a carrot and stick approach, starting right at the top of the company.”
Perhaps a periodic IT service check might work. An IT department can look at employee's company devices every so often to see if any files have been taken off or improperly moved.
A good check-up might contribute towards a bonus, incentivising employees to follow company data policies.
When it comes to malicious threats, even though they're rare, a slightly more restrictive policy might do. “You have to say to yourself, is it absolutely essential that you allow this data to be downloaded at all”, said Shaw.
That means, “...you either have to withhold the data altogether or have it so it is not easily transferable”. Steve Armstrong thinks it's important to start, “...getting away from this machine-based concept,” the idea that insiders are best dealt with by a computer.
“You need to start to get analytical software to show what the user is actually doing,” said Armstrong. That amount of data that's going to and from a user's workstation can tell you lots. Have they made any large downloads? Are they syncing the whole repository to their machines? And have they done any of this before? These questions can arm an organisation against the enemy within.
Also, concluded Armstrong, “See who's looking at job sites.”