Insiders – Still an organization’s biggest silent cybersecurity threat
The largest and most notorious data breaches of our time, such as Yahoo and Target, are credited to the work of sophisticated cybercriminals. In these cases, attackers infiltrated the system and caused mass chaos among customers, employees, investors and others.
Stolen credentials are often the way attackers access sensitive data, so it’s easy to imagine a faceless hacker or even a state-sponsored crime ring. But executives would do well to recognize that their own employees play a significant role in their organizations’ cybersecurity. Accidental or deliberate, an employee leaking sensitive data is a real possibility, and is an issue commonly referred to as an insider threat.
The pessimistic – but realistic – outlook is that employees can expose their organizations’ sensitive data in any number of ways. It only takes one employee to visit an infected website or fall for a phishing scam for their credentials to be compromised.
The Gmail phishing scam that made headlines earlier this year is a prime example. Companies increasingly rely on Google products for their business communications, and this scam tricked people by posing as a recognizable and trusted contact. Arguably one of the most prominent victims of a recent Gmail phishing scheme was John Podesta, Hillary Clinton’s 2016 presidential campaign chairman. Hackers accessed a trove of campaign data via his email, demonstrating the severity of insider threats.
According to the Verizon 2017 Data Breach Investigations Report, 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. This staggering statistic should be enough to turn executives’ heads, especially towards the threats coming from within their organization.
As a CISO myself, I recognize that this may be a shift in thinking for executives in charge of information security. We often focus on threats from the outside. But let’s focus on the inside, starting by first putting insider threats into three categories.
- Accidental. These are innocent employees who mistakenly either give away their credentials or allow a hacker easy access to their credentials. (An employee shares their password, for example).
- Negligent. An insider threat due to negligence is one shade lighter than an intentional act. The employee should have known better and didn’t do the things they were supposed to do. (An employee chose to bypass security measures to make life easier, for example).
- Malicious. Here’s where the intention comes in. These employees are overtly targeting their organization. This is the origin of many breaches.
When combined, these three insider threats comprise an organization’s attack surface. While it’s hard to quantify which of these is most common, we can identify similar patterns and themes. The high-visibility breaches usually come from malicious actors, more commonly known as “whistleblowers” (or even the Snowdens of the world).
We rarely see accurate data collected around the employees whose threats are accidental or negligent. And unfortunately, organizations often try to sweep these breaches under the rug. On the contrary, I think organizations should seek to help one another by disclosing insider breaches. This would help businesses discover who their adversaries are and see how other people in their respective industries are targeted. However, I’m not sure we are there yet in terms of inter-organizational trust.
In the meantime, what can CISOs and other high-level executives do to mitigate risk?
- Educate your employees. Security training is crucial to the success of an organization’s cybersecurity strategy. Executives must help employees feel accountable for the organization’s success, and part of that means enforcing policies that can help stop potential threats before they become crises.
- Ongoing security awareness training. Having insider risk teams conduct ongoing assessments and audits of company assets to help identify risks that would otherwise be ignored can be extremely helpful. As technology is updated or changed, it is also important to make sure employees are aware of, and trained on, any new measures in place.
- Control access and authentication. When it comes to safeguarding applications and sensitive data, it is crucial to ensure that only the correct people are authorized for these areas. One way to do this is by putting robust authentication measures in place that verify the identity of an employee before allowing them to access sensitive data.
As organizations continue to embrace security teams as partners, they need to remember who is at the core of their business: their employees. We have seen time and again that insider threats are some of the most serious ones a company can face. I highly recommend prioritizing insider threats and implementing ongoing security education programs for employees. Using these methods, organizations can help prevent the misuse of stolen credentials whether accidental, negligent or malicious.