Across Europe, boards and c-suites are on a cyber security learning curve that’s leading them to learn much about the nature of threats their organisations face, as well as some incidental home truths about how line management styles can feed into security problems. One discovery that will certainly cause surprise is that many of the most damaging security threats don’t come from offensive outsiders or malware attacks, but from ‘trusted’ employees – malicious or negligent, or both. Indeed, insider threats that emanate from within the workforce can pose a more formidable challenge to their security ‘posture’ than external attackers like cyber criminals (in some cases the perpetrators will be both).
Studies suggest that the margin of difference can be as much as 10% greater for insider threats. Such threats include clumsy contractors and disaffected staff who deliberately cause problems motivated by revenge and other grievances. Last year security vendor Clearswift commissioned a survey of 600 business decision makers and 1,200 employees across the UK, US, Germany and Australia about June 2017’s WannaCry ransomware attack.
A key finding was that 29% of UK firms polled intend ‘to add cyber security to the boardroom agenda’, and 29% of companies worldwide have also ‘pledged’ to implement ‘stronger cyber security measures’. As the c-suite changes its approach to cyber security, organisations ‘will need to look at how they update their policies, procedures, and technology to mitigate against future attacks, as well as prepare for the introduction of new data regulations that are on the horizon’, the Insider Threat Index 2017 revealed.
But although the insider threat is has become more widely recognised, not enough resources or discussion is given to risks that originate from within, believes Andy Kays, Chief Technology Officer at Redscan. “When you consider the stakes involved, the insider threat is certainly not taken seriously enough,” says Kays. “A rogue IT system administrator, say, can bring a business to its knees.”
When you consider the stakes involved, the insider threat is certainly not taken seriously enough… A rogue IT system administrator, say, can bring a business to its knees.
Another study, he 2018 Insider Threat Report from CA Technologies, is based on the results of an online survey of 472 cyber security professionals who range from executives and managers to senior IT security practitioners. They represent organisations of varied sizes across all industries. Forty-three per cent of the sample comprised respondents identified themselves as functioning at director or vice president level within their organisations. The report’s key findings included the fact that 90% of organisations polled ‘feel vulnerable to insider attacks’, but for different reasons.
Tellingly, 51% of respondents to the Insider Threat Report were more concerned about accidental/unintentional data breaches perpetrated by insiders, as compared to 47% whose concern was more for malicious/deliberate insider action (i.e., willful causes of harm). The repercussions of this threat shift from external to internal security could prove significant for the senior executive and IT leaders alike. IT practitioners have warned of a likely upsurge of insider risks for years, but it’s only comparatively recently that research-based analysis has validated these concerns and provided a more informed understanding of how the spectrum of insider risk factors play out.
Many organisations have been slow to acknowledge the existence of insider threats. That’s not necessarily because they are in denial. In recent years, information security teams have had their work cut-out fending-off relentless external threats, and this has been their principle priority. With stretched IT budgets since the 2008 economic downturn, they may well have lacked the software tools necessary to detect internal threats as they have become more of a problem.
Some 53% of respondents to CA Technologies’ Insider Threat Report confirmed some form of insider attack had taken place against their organisations had taken place in the previous 12 months (typically, fewer than five attacks). And 27% of organisations polled by CA researchers say attacks have become more frequent, although that could also be because organisations are better at incident detection.
Other research from the Ponemon Institute, meanwhile, indicates that the number of attacks by criminal and/or malicious insiders may be leveling out. According to its Cost of Insider Threats report (co-sponsored by ObserveIT), of 3,269 reported attacks analysed in its sample, criminal or malicious insiders caused 748 attacks (or 23%). These incidents came on top of those caused as a result of ‘negligence’ on the part of employees (permanent or temporary) or contractors.
Both the Ponemon Institute and CA Technologies findings suggest that the cost of incidents varies according to organisational size. Large organisations with a headcount of 75,000+ employees spent an average of $2,081m over the foregoing year to resolve insider-related incidents. To deal with the consequences of an insider incident, smaller-sized organisations with a headcount below 500 spent an average of $1.80m. Companies within financial services, energy/utilities and industrial/manufacturing, incurred average costs of $12.05m, $10.23m and $8.86m, respectively.
Furthermore, respondents to the CA Technologies findings report that despite being fewer in number, malicious and/or deliberate insider attacks are in fact more damaging to their organisations (31%) compared to external attacks (14%), and accidental/unintentional (11%).
MODELS OF EMPLOYEE TRUST
That much insider threat risk stems from trusted and trustworthy employees who cause security problems inadvertently – either by accident or by unwittingly aiding and abetting an external threat attack – bears reiteration. The number of ways ostensibly reliable employees can compromise IT security are manifold. They can accidentally invalidate system data by deleting it, corrupting it, or moving copies outside of the enterprise digital security perimeter by copying them to cloud-based services (such as Dropbox) or just attaching the wrong file to an email sent to the wrong recipient. Minor mishaps perhaps, compared to a British Airways-scale breach, but a risk nonetheless. And these same employees (including senior managers) are being targeted by phishing attacks and other attempts to dupe them into revealing access privileges (passwords) or let loose ransomware onto the enterprise network.
“Accidents happen – even the most loyal employee is capable of making a mistake,” says Heather Scallan, SVP Global Human Resources at NTT Security. “The type of threat posed by employees differs according to a number of factors. Accidentally cc’ing a competitor on your company’s profit-and-loss statement could easily happen when the autofill function is left on, and 10 contacts in your email address list have similar first names. The question is, how do you deal with these everyday security mishaps? And what steps can you take to decrease their likelihood?”
One tactic is to adopt a hardliner policy toward risk assignment. “For too long businesses have trusted employees on the network no matter what – but this approach is putting them at risk of both insider threats and malevolent actors,” says Bernd Koenig, Director of Security Products at Akamai Technologies. It doesn’t have to be this way, Koening argues: “By adopting a ‘zero-trust’ approach to security, organisations can limit the reach that employees have and only grant access to those that can verify they need it every time.”
Such stern measures are bound to brush up against a host of personal ‘rights’ and employment law sensitivities, as employees may not like being designated a ‘potential liability’ before they have caused anything to go awry. Taken to the letter, ‘zero-trust’ models would call for a radical reform of existing contracts of employment – a daunting prospect for enterprises with large workforces.
Discussion of changes like this flags-up how the human resources (HR) function within organisations of all sizes is being drawn deeply into insider threat counteraction. The mandates of employment law naturally must be observed – especially as employee digital monitoring issues are likely to crop-up for other aspects of IT management, such as emergent workplace analytics applications. (These integrate with workplace Wi-Fi and enterprise applications to gather data about their work behaviours.)
Studies of insider threats impacts also articulate the fact that, like world-wide threat landscape, internal risk characteristics are shaped by dynamics other than technology: economic, societal, and interpersonal factors are also in the mix. In a depressed economy employees are more vulnerable to entreaties from cyber criminals to breach trust and become complicit in some breach of cyber security. Very often, an organisation’s IT staff are among the first to be subjected to a nobbling exercise.
For too long businesses have trusted employees on the network no matter what – but this approach is putting them at risk of both insider threats and malevolent actors.
This broadens the locus of the challenge and transforms it risky behaviours into more of a generic business issue. For instance, could line-of-business procedures be behind aberrant behaviour? Are overworked/undertrained employees more likely to the cause of internal threats? Are lax recruitment procedures allowing cyber criminals (or would-be criminals), or their confederates, to get jobs inside organisations?
“As cyber governance requirements increase, alongside the changing personal and corporate costs of failure, security awareness in the boardroom will also increase,” says Ian Kilpatrick, EVP Cyber Security at Nuvias. “This is also driven by changing shareholder awareness of cyber security as a fundamental requirement for the success of many businesses. So, in the medium term, boardrooms will need to continue to raise their game to ensure that they have the right structure – both virtual and physical – in place to provide the best level of defence they can for their key assets.”
In this context, remediation strategies that address insider threats become a cross-directorial objective. Unfortunately, different directorates sometimes do not sync well when it comes to concerted action.
The senior executive function is, however, empowered to contribute to cyber security defensive strategy in a way that the IT function is not able to do. Amendments to recruitment and human resources polices, for example, or the rules that govern privileged access to most-valuable data assets, are changes that boards and chief officers can implement more easily – and indeed are increasingly required to, as part of their expanded governance responsibilities.
This way, the heightened importance of insider threats adds to the executives’ increased direct involvement in the determination of information security policy and application. Re-evaluation of risks posed by insider threats should also lead to changes in how IT expenditure is allocated. Rather than spend the greater part of budgets on defensive technologies like intrusion detection, firewalls, and anti-virus/anti-malware software, with threats that emanate from inside the security ‘perimeter’ upholds arguments for increased investment in security tools that monitor and analyse employee IT usage and raise alerts when aberrant behaviours appear to be detected.
“A fundamental shift in cyber security scenarios is that tools used by organisations and enterprises to sift through the complexity of user behaviour and identify – in some cases nullify – insider-created threats, are now widely available,” says Ian Kilpatrick at Nuvias. “A shift in budget from keeping the baddies out towards monitoring and analysis, is really only keeping pace with the reality of how the cyber attack vector itself has moved towards compromising user systems and log-in privileges. On the positive side, there are several solutions available that provide the kind of analysis of user behaviour needed to identify the key threats.”
Respondents to the CA Technologies’ Insider Threat Survey reported that they are shifting their focus on detection of insider threats (64%), followed by deterrence methods (58%) and analysis and post breach forensics (49%). The use of user behaviour monitoring is also scaling-up; 94% of respondent organisations deploy some method of user monitoring; and 93% monitor access to their most valuable data and intellectual property.
IT departments have been conducting security-led user monitoring for years, to a greater or lesser extent – and they don’t really like doing so. It’s time-consuming, liable to throw up false positives, and can involve the techies in disciplinary procedures that reflect badly on their reputation as a user-oriented service department. However, such user monitoring does represent a basic form of diligence that fits well with governance expectations. “The way to successfully detect and defend against insider threats is to baseline normal network behaviour, from which you identify activity that isn’t normal, and may be malicious,” explains Andy Kays at Redscan. “Through proactive security monitoring, an organisation can then detect if it has an genuine insider threat, and so determine what data and assets have been accessed – and how to respond accordingly.”
Words: James Hayes. Images: Shutterstock.