Beware the Insider Threat
Posted: Lee @Intrasource
Cybercrime is difficult to investigate and is vastly under-reported, and that in itself presents a greater opportunity to the cybercriminal.
Whilst many organisations are developing an awareness of the growing cyber security threat and are starting to take steps to fight it, many forget about the insider threat.
The insider threat can be split into two main categories: the intentional (or malicious) and the non-intentional.
When an employee leaves, many organisations simply forget to remove their access to the IT systems and accounts.
IT Governance states that 76% of companies are at risk from a serious breach of security from their former employees. Recent research has found that only around a quarter of companies follow strict processes to ensure employees no longer have access to the company’s sensitive and critical data once they have left.
A former employee with access to sensitive company data can be a very dangerous thing. For example, if someone in sales is offered a better package with a competitor, it’s vital that you do everything you can to make sure they don’t take customers with them. If you dismiss a member of the IT team, there is a risk they can log in and be disruptive or erase everything. And if someone responsible for marketing leaves and you don’t change the social media account access and logins, they could potentially send out damaging posts.
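The offboarding gap described above can be checked mechanically rather than left to memory. The following is an added example and not code from this post or from Intrasource: it reconciles an HR leavers list against per-system account exports and shared-credential records (all of these inputs are constructed here for illustration, and the field names are assumptions) to flag three things a defender should act on: accounts still enabled after the owner left, logins recorded after the leaving date, and shared credentials (such as social media logins) known to a leaver that have not been rotated since they left.

```python
"""Leaver access reconciliation check (added example, not from the original post).

Assumed inputs, constructed for this example rather than taken from any real system:
- LEAVERS: HR leavers list mapping username -> leaving date
- ACCOUNTS: per-system account export with enabled flag and last login date
- SHARED_CREDENTIALS: shared logins, who knows them, and when the secret was last rotated
"""
from datetime import date

# Constructed sample data (not real people or systems).
LEAVERS = {
    "a.smith": date(2017, 3, 10),   # left sales on 10 March 2017
    "b.jones": date(2017, 5, 1),    # left IT on 1 May 2017
}

ACCOUNTS = [
    {"system": "crm",   "user": "a.smith", "enabled": True,  "last_login": date(2017, 4, 2)},
    {"system": "crm",   "user": "c.brown", "enabled": True,  "last_login": date(2017, 6, 1)},
    {"system": "vpn",   "user": "b.jones", "enabled": False, "last_login": date(2017, 4, 28)},
    {"system": "email", "user": "b.jones", "enabled": True,  "last_login": date(2017, 4, 30)},
]

SHARED_CREDENTIALS = [
    {"system": "twitter-corporate", "known_to": ["a.smith", "c.brown"], "last_rotated": date(2017, 1, 15)},
    {"system": "facebook-page",     "known_to": ["c.brown"],            "last_rotated": date(2017, 1, 15)},
]


def enabled_leaver_accounts(accounts, leavers, today):
    """Accounts still enabled for someone on the leavers list.

    Returns (system, user, days_since_leaving) sorted by system then user,
    so the longest-standing gaps are easy to spot in a report.
    """
    findings = []
    for acct in accounts:
        left_on = leavers.get(acct["user"])
        if left_on is not None and acct["enabled"]:
            findings.append((acct["system"], acct["user"], (today - left_on).days))
    return sorted(findings)


def post_departure_logins(accounts, leavers):
    """Accounts whose last recorded login is after the owner's leaving date.

    This is the strongest signal in the data: it means the access was not
    just forgotten but actually used after the person had left.
    """
    findings = []
    for acct in accounts:
        left_on = leavers.get(acct["user"])
        if left_on is not None and acct["last_login"] > left_on:
            findings.append((acct["system"], acct["user"], acct["last_login"]))
    return sorted(findings)


def stale_shared_credentials(shared, leavers):
    """Shared logins known to a leaver and not rotated since that leaver departed."""
    findings = []
    for cred in shared:
        for person in cred["known_to"]:
            left_on = leavers.get(person)
            if left_on is not None and cred["last_rotated"] < left_on:
                findings.append((cred["system"], person))
    return sorted(findings)


def offboarding_report(accounts, shared, leavers, today):
    """Bundle the three checks into one structure suitable for a periodic review."""
    return {
        "enabled_leaver_accounts": enabled_leaver_accounts(accounts, leavers, today),
        "post_departure_logins": post_departure_logins(accounts, leavers),
        "stale_shared_credentials": stale_shared_credentials(shared, leavers),
    }


if __name__ == "__main__":
    for check, rows in offboarding_report(ACCOUNTS, SHARED_CREDENTIALS, LEAVERS, date(2017, 6, 15)).items():
        print(check)
        for row in rows:
            print("  ", row)
```

Run this against real exports on a schedule (for example, weekly) and treat any non-empty result as an offboarding ticket; the post-departure login check in particular belongs in an alert, not just a report.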
In 2014 a disgruntled Morrisons employee, Andrew Skelton, sent 100,000 bank and salary details to newspapers and data-sharing websites. In 2015 Skelton was sentenced to 8 years for fraud, securing unauthorised access to data and disclosing personal data. But it didn’t end there for Morrisons: the breach and the court case cost them £2m, and in 2016 nearly 6000 employees started legal proceedings against the company, suing them for damages for allowing the unauthorised access to occur.
Whether the threat comes from an insider or an external hacker, the impact on the business is the same. PwC and KPMG have statistics to highlight this:
90% of large & 74% of small businesses have had a security breach.
83% of consumers are concerned about business access to data.
58% said a data security breach would discourage them from using a business in the future.
This shows a growing awareness among general consumers of how their personal data is looked after by organisations. The reputational damage for a company caused by a data breach is far reaching, with dire financial consequences for the company and potentially dangerous consequences for the people whose data has been compromised.
74-year-old Julie Norton knows this all too well. She was just one of the 100,000 TalkTalk customers who had their data stolen in 2015. Phone scammers used the data to target vulnerable people, and this ended up costing Julie £3,000, which was pretty much all her savings. One data breach has the potential to create thousands of victims, another reason why criminals are targeting data.
The breach has cost TalkTalk an estimated £40m-£60m, but the fine from the authorities was only £400k. Had this happened after GDPR comes into force in May 2018, the fine would have been £59m.
It remains to be seen whether the changes under GDPR motivate organisations to get more serious about cyber and data security.
Another stat which highlights the importance of eliminating the unintentional insider threat is:
50% of the worst breaches are caused by human error.
An organisation can put a quality multi-layered suite of security products and services in place, but if they are not configured correctly, or a gap or vulnerability is accidentally created, or a staff member clicks on something they shouldn’t, then problems will still occur. So make sure to educate your staff on IT security to help them identify malware early.
What all this is telling us is that, in addition to a multi-layered approach to securing our systems against the outsider threat, we must also have robust processes in place to protect against the malicious insider.
We must also take every step possible to guard against the non-intentional (non-malicious) insider threat, and the only way to do this is education and training. You have to get your staff to understand the consequences of compromised data, get them to buy in to the processes and products you deploy, test their understanding and introduce consequences for non-compliance with policies and procedures.
The vast majority of breaches can be avoided if all the components work in sync. Your people are your biggest strength in business but also your biggest weakness in data security. Ignore this issue at your peril: 80% of all businesses that suffer a data or IT security breach go out of business within 2 years.
Find more information and IT security news here.