Opinion

How many of your employees could compromise your company in 14 days or less?


20 November 2015

When we think of cyber security threats, we almost always visualise an outsider threat: a competitor, a hacker, or some other third-party adversary. However, when we look at the cyber security breaches that have done the most damage, we repeatedly see inside jobs as well – from the recent breach of Ashley Madison to Edward Snowden’s release of NSA records over two years ago.

How many employees at your company have sufficient access to decimate your stock price? Many executives assume that only a handful of people maintain access to data that, if leaked, could seriously damage the organisation. In reality, anyone with access to your company’s network – whether a long-time employee, temporary contractor, consulting firm, or intern – has the ability to misuse or steal data, and represents a potential “insider threat”.

The problem with insiders is that they are implicitly trusted by traditional security controls. They have legitimate, privileged access to parts of your company – and therefore do not easily raise suspicion amid the noise of busy companies and networks. In 2014, a disgruntled employee caused major discomfort to UK supermarket chain Morrisons, after leaking employee payroll data, publishing it online and sending it to a newspaper. More recently, it was an insider who was reported to be behind the hack of Ashley Madison, publicising details of the adultery site’s users and sending the CEO packing shortly after.

However, it is not only employees with a grudge or malicious intent that pose a risk. The reality is that loyal and well-meaning staff can also inadvertently expose their companies’ data and systems to vulnerabilities. Remote working and BYOD policies have made it easier for malware to spread from personal to professional devices and infiltrate corporate networks. Corporate devices are not just found in offices, but also on kitchen table-tops and sofas – so you can no longer tell who precisely is using them. Your boss’s daughter playing games on his company iPad may be innocent, but is not without risk – yet we all know that this happens. Any user is just one click or bad attachment away from infection.

Indeed, employees are increasingly being personally targeted by sophisticated attackers who use information that they have gleaned online about specific individuals to increase the chances of the insider performing the required action. These “socially engineered” attacks essentially trick users into giving up credentials or giving the attackers a foot in the door that enables them to carry out their missions.

Independent contractors, supply chain companies and other trusted third parties are another route by which otherwise careful organisations may be compromised. Companies are only as strong as their weakest link – so if your building management company, food supplier or auditors are infiltrated, your data and systems are also on the line. The US retailer Target was attacked via the company that provided them with refrigerators, which was connected to the retailer’s network for the purposes of electronic billing.

When it comes to insider threat, traditional security tools are consistently failing because they assume that threats can be blocked at the point of entry. Currently, financial services companies take an average of 98 days to detect intrusions on networks and retailers detect breaches an average of 197 days after they occur. This lag suggests that too many companies are still missing intelligent internal monitoring as part of their cyber defence strategies.

Businesses that want to avoid falling victim to the latest “hack attack” need to take for granted the pervasiveness of internal risks. Insider threat is now a given, and requires a defensive system more akin to an adaptive, self-learning immune system than a block-the-bad-guy firewall. Identifying threats because they match a database of known attackers doesn’t help you when your attacker is sitting in the office building – or when a legitimate user’s credentials have been hijacked.

New technologies that are capable of automatically learning what is “normal” for a company are helping with the defence challenge, because they can proactively spot deviations from typical “patterns of life” and – critically – they self-update, based on evolving evidence and user behaviours. These advances have been made possible by new mathematics and machine learning, and are already in use by some of the world’s largest companies.

Ultimately, the modern enterprise is like the modern city: complex, noisy, constantly changing – and without defined borders. Threats will inevitably make their way inside the network perimeter, and legitimate users cannot be controlled tightly enough to guarantee that they will never make a mistake or even turn against you deliberately. Embracing innovations in this area, such as the immune system movement, is helping bring about a new mind-set that minimises risk continually, wherever it originates.

Dave Palmer is director of technology at Darktrace.