Exclusive: The cybersecurity risks of insider activity




The damage associated with falling victim to a cybersecurity incident takes many forms. A data breach can put customers' personal data in the hands of threat actors. Malware can facilitate a number of illicit activities, and ransomware is the most visible demonstration of malware infecting a company. After falling victim, organisations must pay or lose their data, and it is becoming more common for that data to first be exfiltrated and then encrypted for ransom.

When someone pictures a hacker, the image of a shadowy, hooded and unkempt young man might come to mind. However, the malicious insider could be anyone. Insiders can pose just as great a cybersecurity threat to organisations as outsiders. Shifting a focus inward can help companies reduce this risk. There are several categories of insider threats that we will address in this article.

Inadvertent threats

Employees are a critical link in the chain of compromise. They pose a threat largely because the average employee may not know what is expected of them from a cybersecurity perspective. Activities such as visiting unauthorised websites or plugging in unknown USB devices can infect computers.

Even IT-knowledgeable employees can pose a threat. Misconfigured systems and software can inadvertently leak private information or allow access.

Phishing emails are one of the most common and damaging threat vectors to employees. Some signs of a fraudulent phishing email are:

  • The offer in the message is too good to be true.
  • The message has typos or odd grammar.
  • The person messaging is making the situation seem extremely urgent.
  • The person is asking for a password or other sensitive information.
  • Logos or other elements in the message are low quality or wrong.
  • When asked for a phone call or other means of confirmation, the person does not agree.

These signs usually appear alongside social engineering techniques, which are a large part of why people fall for phishing emails: the threat actor is trying to manipulate the vulnerable employee.

Reduce the risk: Continual training can lessen the insider threat. KnowBe4 is a company that specialises in phishing exercises and cybersecurity awareness training. Look for the warning signs above and encourage employees to take a careful look at things before clicking links or taking actions. Create an Acceptable Use Policy (AUP) to document this all clearly.

For both inadvertent and intentional threats, a Managed Security Service Provider (MSSP) can be used to monitor and manage tools used to detect and prevent negative activity.

Shadow IT

Shadow IT is a term for the unofficial technology work-arounds and systems that members of a company use to get things done. It can even include temporary or unapproved items that some members of IT unofficially allowed. In recent years, free or low-cost cloud applications adopted directly by employees have become Shadow IT as well. The harm caused by Shadow IT is likewise an inadvertent threat.

The threats associated with Shadow IT include:

  • Lack of updates: IT staff have a regular cadence of updates and policies. Without knowledge of what systems are being used, they cannot be regularly and systematically updated.
  • Compliance: If personal data or other information exists in a system that is not secure or regularly maintained, it could be breached. Breaches and lack of data control have ramifications for compliance.
  • Security: The systems being used have not been vetted by the proper people. The software might be inherently insecure.

Reduce the risk: Companies can inventory their assets and software in order to understand what is connecting to their networks. Cloud Access Security Brokers (CASB) can monitor and mitigate the risk of cloud applications; NetSkope is a provider of a popular CASB solution that helps reduce the risk of Shadow IT. At the core of the issue, IT and operations leadership need to understand why these unapproved applications, SaaS services and activities are being used, and find approved solutions that accomplish the same goals.
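The inventory step above can be started from data most companies already have: web-proxy logs. The script below is an added example written for this article, not code from the author, Cipher or NetSkope; the approved-application inventory, the hostnames and the log lines are all constructed and hypothetical. It reconciles each request's hostname against the approved inventory and reports the unvetted services, counting uploads separately because data flowing to an unapproved service is the compliance concern raised in the list above.

```python
"""Reconcile web-proxy logs against an approved-application inventory.

Added example; the log format, hostnames and inventory below are constructed
and hypothetical, not taken from any real product or policy.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Hypothetical approved SaaS inventory: hostname -> purpose.
APPROVED_APPS = {
    "mail.example-corp.com": "Corporate e-mail",
    "crm.approved-vendor.example": "Approved CRM",
    "storage.approved-vendor.example": "Approved file storage",
}

# Constructed proxy log, one request per line:
# <ISO timestamp> <user> <HTTP method> <URL> <HTTP status>
SAMPLE_PROXY_LOG = """\
2024-03-04T09:12:01Z alice GET https://mail.example-corp.com/inbox 200
2024-03-04T09:15:44Z alice POST https://files.freeshare.example/upload 200
2024-03-04T09:16:02Z bob POST https://files.freeshare.example/upload 200
2024-03-04T10:02:19Z carol GET https://crm.approved-vendor.example/leads 200
2024-03-04T10:40:55Z dave POST https://notes.quickpad.example/api/sync 201
2024-03-04T11:01:13Z bob GET https://files.freeshare.example/share/abc 200
2024-03-04T11:05:00Z erin GET https://storage.approved-vendor.example/d/1 200
malformed line that the parser must skip
"""

# Methods that carry data out of the company to the remote service.
UPLOAD_METHODS = {"POST", "PUT"}


def parse_proxy_line(line):
    """Split one log line into its fields; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    timestamp, user, method, url, status = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return {"ts": timestamp, "user": user, "method": method.upper(),
            "host": host.lower(), "status": status}


def find_shadow_it(log_text, approved):
    """Aggregate requests to hosts that are absent from the approved inventory.

    Returns {host: {"requests": n, "uploads": n, "users": [sorted user names]}}.
    """
    requests, uploads = Counter(), Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None or rec["host"] in approved:
            continue
        requests[rec["host"]] += 1
        if rec["method"] in UPLOAD_METHODS:
            uploads[rec["host"]] += 1
        users[rec["host"]].add(rec["user"])
    return {
        host: {"requests": requests[host], "uploads": uploads[host], "users": sorted(users[host])}
        for host in requests
    }


def prioritise(findings):
    """Order hosts for review: many distinct users first (a shared unofficial
    workflow rather than one person's experiment), then upload volume, then request count."""
    return sorted(
        findings,
        key=lambda h: (len(findings[h]["users"]), findings[h]["uploads"], findings[h]["requests"]),
        reverse=True,
    )


if __name__ == "__main__":
    results = find_shadow_it(SAMPLE_PROXY_LOG, APPROVED_APPS)
    for host in prioritise(results):
        info = results[host]
        print(f"{host}: {info['requests']} requests, {info['uploads']} uploads, users={info['users']}")
```

The output is a review list, not a block list: the point of the last sentence above is to ask the users of each flagged service what need it meets and to offer an approved alternative.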

Malicious insiders

The Department of Homeland Security (DHS) has guidance related to insider threats. They say that “insider threats, to include sabotage, theft, espionage, fraud and competitive advantage are often carried out through abusing access rights, theft of materials and mishandling physical devices.” Trade secrets and other information are incredibly important. The risk is not just to the digital infrastructure but to the business itself.

According to the DHS, signs that an employee is engaged in malicious insider activity include:

  • Remotely accesses the network while on vacation, sick or at odd times
  • Works odd hours without authorisation
  • Notable enthusiasm for overtime, weekend or unusual work schedules
  • Unnecessarily copies material, especially if it is proprietary or classified
  • Interest in matters outside of the scope of their duties

The reasons for internal espionage run the gamut. A disgruntled employee may seek to sow chaos. A competitor or even a foreign government might pay for secret information, which could be obtained by installing malware.

Reduce the risk: Give employees a non-threatening way to report suspicious activity to the appropriate person. Make sure your employees are granted the proper level of access. For example, an intern should not have access to the payroll system. Tools can monitor who is accessing what systems at what time. If an employee is accessing sensitive material outside normal hours, that could be a reason to investigate what the employee is doing.
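The monitoring described above can be expressed as three simple checks over an access log: is the user's role entitled to the system at all (the intern-and-payroll case), did the access happen outside business hours, and did it happen while HR records the person as on leave (the DHS indicator of remote access while on vacation or sick). The script below is an added example for this article, not code from the author or from any named vendor; the users, roles, entitlements, leave records and log lines are constructed.

```python
"""Review access logs for the insider-activity indicators listed in the article.

Added example; users, systems, roles, leave records and log lines are constructed.
Three checks are applied to every access of a sensitive system:
  1. least privilege: is the user's role entitled to the system at all?
  2. off-hours: did the access happen outside business hours or at a weekend?
  3. on leave: did it happen while HR records the user as on vacation or sick?
"""
from datetime import date, datetime

# Hypothetical entitlements: sensitive system -> roles allowed to use it.
# Systems without an entry are not treated as sensitive and are not reviewed.
ENTITLEMENTS = {
    "payroll": {"finance", "hr"},
    "hr-records": {"hr"},
    "source-repo": {"engineer"},
}
# Constructed HR data.
USER_ROLES = {"alice": "finance", "bob": "intern", "carol": "engineer", "dave": "hr"}
ON_LEAVE = {"dave": (date(2024, 3, 4), date(2024, 3, 8))}  # inclusive date range
BUSINESS_HOURS = (8, 18)  # 08:00 up to, but not including, 18:00 local time

# Constructed access log: <ISO timestamp> <user> <system> <action> <result>
SAMPLE_ACCESS_LOG = """\
2024-03-04T09:05:12 alice payroll VIEW ok
2024-03-04T23:41:02 alice payroll EXPORT ok
2024-03-05T10:12:30 bob payroll VIEW ok
2024-03-05T10:30:00 carol source-repo CLONE ok
2024-03-06T14:20:45 dave hr-records EXPORT ok
2024-03-06T02:15:09 carol source-repo CLONE ok
2024-03-06T11:00:00 erin wiki VIEW ok
"""


def parse_access_line(line):
    """Parse one log line; return None if it is malformed or its timestamp is unreadable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, system, action, result = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "user": user, "system": system, "action": action, "result": result}


def review_access(log_text, roles, entitlements, on_leave, business_hours=BUSINESS_HOURS):
    """Return one finding per access of a sensitive system that trips at least one check.

    Each finding lists every reason it was flagged, so a single event that is both
    off-hours and by an unentitled role shows both.
    """
    start, end = business_hours
    findings = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or rec["system"] not in entitlements:
            continue
        reasons = []
        # Check 1: least privilege. Unknown users have no role and are never entitled.
        if roles.get(rec["user"]) not in entitlements[rec["system"]]:
            reasons.append("role not entitled")
        # Check 2: outside business hours or on a weekend (weekday() 5 and 6).
        when = rec["ts"]
        if when.weekday() >= 5 or not (start <= when.hour < end):
            reasons.append("off-hours")
        # Check 3: access while HR records the user as on leave.
        leave = on_leave.get(rec["user"])
        if leave and leave[0] <= when.date() <= leave[1]:
            reasons.append("on leave")
        if reasons:
            findings.append({"ts": when.isoformat(), "user": rec["user"], "system": rec["system"],
                             "action": rec["action"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_access(SAMPLE_ACCESS_LOG, USER_ROLES, ENTITLEMENTS, ON_LEAVE):
        print(f"{finding['ts']} {finding['user']} {finding['system']} {finding['action']}: "
              + ", ".join(finding["reasons"]))
```

Each flagged event is a reason to look closer, as the paragraph above says, not a conclusion: a finance employee exporting payroll data at 23:41 may be closing the books, so the review is what turns the alert into a decision.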

By Bill Bowman, Director of Marketing, North America at Cipher, a Prosegur company
