Wednesday, February 8, 2017

Is your company protected from insider cyber threats?

I’ve previously suggested that your employees are your company’s weakest link, and therefore, your greatest threat to suffering a cyber-attack and resulting data breach. While employee negligence (that is, employees not knowing or understanding how their actions risk your company’s data security) remains the biggest cyber risk, another is growing and also demands your attention—the malicious insider.

Dark Reading reports on a recent survey, entitled, “Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web.”
“Recruitment of insiders is increasing, and the use of the dark web is the current methodology that malicious actors are using to find insiders,” explains researcher Tim Condello, technical account manager and security researcher at RedOwl.
Cybercriminals recruit with the goal of finding insiders to steal data, make illegal trades, or otherwise generate profit. Advanced threat actors look for insiders to place malware within a business’ perimeter security. …
Think your business is safe? Think again. All insiders pose a risk, regardless of their seniority or technical ability, experts say. As major data breaches continue to make headlines, people are recognizing the tremendous impact leaked data can have on a business—and how they can profit from it.
There are three types of people who fall into the “insider” category, says Condello: negligent employees who don’t practice good cyber hygiene, disgruntled employees with ill will, and malicious employees who join organizations with the intent to defraud them.
What is a company to do? I’ve already discussed how to protect against the negligent employees who don’t practice good cyber hygiene—training, training, and more cyber-training.

No amount of training, however, will stop a disgruntled employee with ill intent, or a malicious employee who joins to do harm.

These latter two categories need more specialized attention—an insider threat program. The Wall Street Journal explains:
Companies are increasingly building out cyber programs to protect themselves from their own employees. … Businesses … are taking advantage of systems … to find internal users who are accidentally exposing their company to hackers or malicious insiders attacking the company.
These “systems,” however, can prove costly, especially for the small-business owner. While investment in a technological solution is one way to tackle this serious problem, it’s not the only way. Indeed, there is lots any company, of any size, with any amount of resources, can do to develop an insider threat program.

Aside from the expense of costly monitoring programs, what types of issues should employers include in an insider threat program? Here are four suggestions:
  • Extra monitoring of high-risk employees, such as those who previously violated IT policies, those who seek access to non-job-related business information, and those who are, or are likely to be, disgruntled (i.e., employees who express job dissatisfaction, who are on a performance improvement plan, or who are pending termination).
  • Inventories and audits for computers, mobile devices, and removable media (e.g., USB and external hard drives), both during employment and post-employment.
  • Policies and programs that promote the resolution of employee grievances and protect whistleblowers.
  • Pre-employment background checks to help screen out potential problem employees before they become problems.
No company can make itself bulletproof from a cyber-attack. Indeed, for all businesses, data breaches are a “when” issue, not an “if” issue. However, ignoring the serious threat insiders pose to your company’s cyber security will only serve to accelerate the “when.”