Think about cyber threats and most people picture sinister, anonymous geeks feverishly typing away in a dark room as they hunt for confidential data or strive to disrupt critical systems. But while there is truth to that image, and an all-too-real peril, a more common and challenging security danger may be sitting in the next cube.
The threat from insiders with authorized access to the network has become as significant as bad actors breaking in from outside. From malware inadvertently installed by naïve employees to stolen data to just plain carelessness with access privileges, internal security risks are on the rise.
A combination of factors is responsible for the new environment in which employees pose as treacherous a cybersecurity risk as outside hackers: the blurring of network boundaries brought about by cloud services, the Bring-Your-Own-Device (BYOD) trend that lets employees stay connected through their personal devices, and the rise of more sophisticated attack methods.
And the offenders aren’t always disgruntled or deceitful employees bent on ransacking the company’s systems; in fact, they seldom are. In most cases, the damage occurs unintentionally or negligently, such as an employee accidentally installing malware by clicking on a link in a fraudulent email or workers sharing passwords to save time.
What it all means is that companies need to think differently about their cybersecurity posture, putting as much emphasis on dangers from inside the organization as they traditionally have placed on guarding the perimeter. This shift has ramifications for a wide swath of the security ecosystem, including budget priorities, product choices and employee training.
Vividly illustrating the evolving hazard, 2016 was rife with episodes where insiders unwittingly compromised sensitive data. A few examples:
A hacker masquerading as Snapchat’s CEO emailed the company’s payroll department requesting information for current and former employees. A team member didn’t realize it was a phishing scam and disclosed the data to the intruder, affecting approximately 700 workers.
Claims administration software provider Systems Software suffered a breach that wasn’t carried out by hackers but was the result of an internal error during a system upgrade in which data storage was set up improperly and the information was made available on the internet.
In one of the year’s most notorious cybersecurity incidents, a trove of emails was hacked from the accounts of the Democratic National Committee and Hillary Clinton’s campaign chairman, John Podesta, and provided to WikiLeaks. It has been widely reported that Podesta was tricked by a phishing scheme – a fake “account reset” email purporting to be from Google.
As these events show, malicious employees are often not the biggest threat. Rather, it’s reckless or sloppy ones who too easily fall for phishing scams or bend security rules to cut corners and get their jobs done faster. Examples of the latter could include sharing a username and password with a co-worker, giving him or her unauthorized access to data, or using the same password on multiple sites.
On the network perimeter, separating approved from unapproved users is usually a binary question (and most security products reflect that paradigm). There are a limited number of ways in, each of which can be instrumented, so the perimeter gives defenders a well-defined place to watch for, log and reconstruct an intrusion.
In the internal network, identifying what is good or bad is a much different endeavor. The internal network isn’t segmented in the same way; it’s more open so employees can get their jobs done. IT sets authorizations, but legitimate behavior shifts for many reasons (a change of department, project, role or location), so a fixed set of permissions quickly stops describing what “normal” looks like, and telling malicious activity from unusual-but-legitimate activity is hard.
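To make the preceding two points concrete, here is an added example (not code from the original article, nor from Preempt’s product) that runs two simple insider-risk heuristics over constructed authentication log lines: one flags an account that logs in from two different workstations within a few minutes, a common sign that a username and password have been shared with a co-worker; the other flags an account appearing on a host it never used during a learning period, the kind of drift that follows a change of role or team. The log format, user names and host names are invented for the illustration.

```python
"""Two insider-risk heuristics over authentication logs (illustrative example).

1. Credential sharing: one account succeeds from two distinct hosts inside a
   short window.
2. Baseline drift: an account succeeds from a host not seen for it during a
   learning period.
Both are signals for a human to review, not proof of wrongdoing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format and all names are invented.
SAMPLE_LOG = """\
2016-11-03T08:01:12 AUTH user=jdoe src=WS-0142 result=success
2016-11-03T08:03:40 AUTH user=jdoe src=WS-0142 result=success
2016-11-03T08:04:05 AUTH user=asmith src=WS-0207 result=success
2016-11-03T08:07:51 AUTH user=jdoe src=WS-0319 result=success
2016-11-03T08:09:00 AUTH user=asmith src=WS-0207 result=failure
2016-11-03T09:30:00 AUTH user=bchen src=WS-0088 result=success
2016-11-03T17:45:10 AUTH user=bchen src=WS-0091 result=success
"""

# End of the learning period used to build each user's host baseline (assumed).
LEARN_UNTIL = datetime(2016, 11, 3, 12, 0, 0)


def parse_line(line):
    """Turn '<iso-timestamp> AUTH k=v k=v ...' into a dict with a datetime 'ts'."""
    ts_str, _tag, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_shared_credentials(events, window=timedelta(minutes=10)):
    """Return (user, earlier_host, later_host, ts) when one account succeeds
    from two different hosts within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # Walk backwards through recent logins until we leave the window.
            for prev in reversed(evs[:i]):
                if cur["ts"] - prev["ts"] > window:
                    break
                if prev["src"] != cur["src"]:
                    alerts.append((user, prev["src"], cur["src"], cur["ts"]))
                    break
    return alerts


def build_baseline(events, learn_until):
    """Hosts each user successfully logged in from before `learn_until`."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < learn_until:
            baseline[e["user"]].add(e["src"])
    return baseline


def find_new_hosts(events, baseline, learn_until):
    """Return (user, host, ts) for post-baseline logins from never-seen hosts."""
    return [
        (e["user"], e["src"], e["ts"])
        for e in events
        if e["result"] == "success"
        and e["ts"] >= learn_until
        and e["src"] not in baseline.get(e["user"], set())
    ]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, a, b, ts in find_shared_credentials(evts):
        print(f"{ts} possible shared credential: {user} on {a} and {b}")
    base = build_baseline(evts, LEARN_UNTIL)
    for user, host, ts in find_new_hosts(evts, base, LEARN_UNTIL):
        print(f"{ts} new host for {user}: {host} (baseline {sorted(base[user])})")
```

On the sample data the first heuristic flags jdoe (WS-0142 and WS-0319 four minutes apart) and the second flags bchen’s afternoon login from WS-0091. Both fire on legitimate activity too: a user with a laptop and a desktop, a VPN address alongside a LAN address, or a colleague who genuinely changed teams. That is exactly the difficulty the paragraph above describes, which is why these rules belong in a review queue with role and department context attached, rather than in an automatic block.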
As companies become more aware of the internal threat, they should adopt a strategic plan that pays equal attention to this class of cyber risk in budgetary, staffing, product and services decisions.
They also should do more to engage employees themselves. That means more effective training – specific and relevant to the user – and real-time feedback when an employee does something he or she shouldn’t.
Company leaders today should make sure their corporate cultures reflect a belief that security is everyone’s responsibility, not just the security team’s.
Whether it’s a disgruntled employee with malicious intent or a careless employee tricked into installing malware or even business partners that don’t follow security policies, companies must understand the threats lurking inside their enterprises and make addressing them a top priority.
(About the author: Ajit Sancheti is co-founder and CEO of Preempt)