Protect Yourself from an Internal Cyberattack
We are notified of the latest company to be hit with a cyberattack so often that I fear we will soon become numb to it. A few months ago it was a couple of Florida cities; today it is Capital One. The Capital One breach is unlike the other recent major hacks, so it behooves us to pay closer attention. It involved a single engineer wreaking havoc, which sets it apart from the breaches at Equifax and Marriott, which were attacked from the outside by criminals with a nation-state connection. According to the indictment of Paige Thompson, a former employee of the cloud services provider involved (Amazon Web Services), she exploited a misconfigured firewall on a Capital One cloud server to gain access to the data. Strictly speaking she was not a Capital One insider, but the case is instructive for this article because what enabled the breach was not an exotic exploit but familiarity with how the environment was built, combined with a configuration mistake, which is exactly the combination an insider has.
An estimated 666,000 internal security breaches occurred in US businesses during the last 12 months, an average of about 2,560 per working day. A report from Clearswift found that 58% of all data security threats come from the extended enterprise (employees, ex-employees, and trusted partners). Some insider incidents are accidental; others involve authorized users doing authorized things for malicious purposes. Either way, the consequences can be costly: an insider attack costs a company approximately $412,000 per incident and approximately $15 million in annual losses per company, and some incidents have cost large companies more than $1 billion.
Whether we are dealing with careless or malicious activity, both involve authorized users who already have access and rights, so perimeter defenses alone do not see them. To thwart insider threats, organizations are recognizing the need to better manage network access for their end users and close any potential internal security gaps.
So as a business owner, how do you protect yourself from internal cyberattacks?
The first step is to implement an Insider Threat Program (ITP). Through my years of experience dealing with cybersecurity breaches and countless hours of research, I have put together a 10-step ITP. These are guidelines based on my field experience as a Managed Services Provider; other tactics can be applied in conjunction with these 10 steps to further reduce your risk.
1. Educate Your Users - This can seem obvious, and training is often disruptive to users; however, studies by Datto have shown that user education can reduce threats by approximately 30%. Organizations need to find creative and innovative ways to educate users and, in some cases, incentivize users to help stop cyber threats.
2. Use Technology - Another obvious investment that organizations must value is technology. Security software at every layer of your organization (workstation, server, network, and physical access) helps reduce insider threats. Though it can be a hefty capital investment, it is a necessary practice for improving security within your organization.
3. Don't Neglect Physical Security - Regardless of whether you "own" physical security, treat it as a top priority. Simply keeping people away from your critical infrastructure prevents a large share of insider incidents. Two-factor authentication for doors, for example a PIN in addition to a keycard, will thwart card thieves, but obliging employees will still lend their cards and PINs to colleagues. Consider biometric authentication, which cannot be lent: fingerprint scanners and similar devices are popular, albeit expensive, choices. Securing your computer systems is not enough, though. Thieves, or overly curious colleagues, will grab sensitive information from unsecured hard copy, so make sure every employee has at least one lockable drawer in their desk or file cabinet for securing sensitive documents.
4. Screen New Hires - In general, the more time you spend investigating an applicant's background, the better. If your organization considers background checks too time-consuming, consider outsourcing them. A background check will not always tell you the full story, however. It may confirm that an applicant lives at a given address, but it will not reveal a non-obvious relationship, such as a known con artist living at the same address. Tools such as NORA (Non-Obvious Relationship Awareness), originally from Systems Research & Development and later part of IBM's entity analytics products, are designed to find such relationships. By combining information from seemingly unrelated corporate databases, NORA can perform checks on current employees, subcontractors, and vendors as well as prospective hires.
5. Refocus Perimeter Tools - By applying your perimeter tools to the inside of your network, you can greatly improve your security posture, often at little cost. Step one is internal patching: you would not dream of putting unpatched web or email servers on the public internet, so why settle for them on your local area network (LAN)? Step two is hardening hosts by eliminating unused services and locking down configurations; every service that nobody needs is attack surface an insider can reach without ever crossing the perimeter. Step three is scanning: if you already run vulnerability scans against Internet-facing servers, point the same scanner at internal web servers, directory servers, and file servers. The additional cost is minimal.
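To make step two concrete, here is an added example (not code from the original article or from any vendor tool) of the kind of check a scanner or a configuration-management job can run on every internal Linux host: parse the listening TCP sockets reported by `ss -H -l -t -n -p`, compare them against an allowlist for the host's role, and report anything that should not be there. The `ss` output, the `fileserver` role and its allowlist are constructed for illustration.

```python
"""Audit the listening TCP services on an internal host against a per-role
allowlist. Added example, not from the original article. Input is the text
that `ss -H -l -t -n -p` prints on Linux; the sample here is constructed and
the host roles and allowlists are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# One line of `ss -H -ltnp`, e.g.
#   LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
# The process part is absent when ss is run without the rights to read it.
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

LOOPBACK = {'127.0.0.1', '::1', '[::1]'}
# Legacy cleartext protocols that should not exist on a LAN at all.
CLEARTEXT_PORTS = {21: 'ftp', 23: 'telnet', 512: 'rexec', 513: 'rlogin', 514: 'rsh'}

# Hypothetical allowlist: (port, process) pairs a role may expose to the
# network, and pairs that may exist only when bound to loopback.
ALLOWLIST: Dict[str, Dict[str, Set[Tuple[int, str]]]] = {
    'fileserver': {
        'network': {(22, 'sshd'), (445, 'smbd')},
        'loopback_only': {(3306, 'mysqld')},
    },
}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str  # '?' when ss could not report the owning process


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -H -ltnp` output; lines that are not LISTEN sockets are skipped."""
    listeners = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners.append(Listener(m['addr'], int(m['port']), m['proc'] or '?'))
    return listeners


def audit(listeners: List[Listener], role: str) -> List[Tuple[int, str, str]]:
    """Return (port, process, reason) for every listener the role does not justify."""
    policy = ALLOWLIST[role]
    findings = []
    for ln in listeners:
        key = (ln.port, ln.process)
        if key in policy['network']:
            continue
        if key in policy['loopback_only']:
            if ln.addr not in LOOPBACK:
                findings.append((ln.port, ln.process, f'loopback-only service bound to {ln.addr}'))
            continue
        if ln.port in CLEARTEXT_PORTS:
            findings.append((ln.port, ln.process, f'cleartext {CLEARTEXT_PORTS[ln.port]} service; remove'))
        else:
            findings.append((ln.port, ln.process, 'not in allowlist; disable or add to baseline'))
    return findings


# Constructed sample of `ss -H -ltnp` output for a file server.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1040,fd=40))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1207,fd=21))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=2231,fd=5))
LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=701,fd=3))
"""

if __name__ == '__main__':
    for port, proc, reason in audit(parse_ss(SAMPLE_SS), 'fileserver'):
        print(f'{port:>5} {proc:<10} {reason}')
```

On the sample the audit flags the ad-hoc Python web server on 8080 and the telnet daemon, while sshd, smbd and the loopback-bound MySQL pass. A listener for which `ss` cannot report the process shows up as `?` and is deliberately flagged rather than matched, since an unattributable service is exactly what needs a human look. The same allowlist becomes the baseline that the internal scans in step three are diffed against.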
6. Be Transparent - A good security program is informative and transparent to all employees. It should be communicated to internal employees as well as customers to show that your organization has the right attitude towards security.
7. Generate User Alerts - Another way of reminding users of policy is to implement user alerts, which are particularly useful when triggered by suspicious behavior (for example, an attempt to copy a large volume of files to removable media), so that users learn what is and is not acceptable practice.
8. Get C-Level Commitment and Buy-in - The commitment to implement policy must come from the top of the organization if it is to be properly enforced. That means the board and leadership must not only understand the ITP but also support its implementation. In most organizations, about 80% of the effort to implement these programs is done by IT with little involvement from the C-level. This often produces a failed plan, because executives want a shortcut around it when it affects their personal access. Executive-level commitment is required for a successful implementation.
9. Use Stronger Authentication - Password-cracking technology is quite advanced, and stricter password rules tend to spawn forests of Post-it notes on monitors; many employees also share passwords. If you deploy multifactor authentication, combining user IDs and passwords with tokens, smart cards, or fingerprint readers, be aware that it does not plug every hole. Once a session is established, a knowledgeable insider may be able to spoof new transactions under your name or simply use your computer while you have stepped away. Windows workstations can be configured (for example through the "Interactive logon: Machine inactivity limit" security policy) to lock after a fixed period of inactivity and require reauthentication; apply the same to servers and shared terminals.
10. Plug Information Leaks - Sensitive information can flow out of your organization through email, printed copies, instant messaging, or simply people talking about things they should keep to themselves. Combine security policy and technology to stanch the bleeding. First, make sure your policy spells out the restrictions on disseminating confidential data. Technology can help, starting with an intrusion detection system (IDS). Pick unique phrases from your business plan that you would not expect to find anywhere else and configure your IDS to alert whenever it sees these telltale snippets on the network; note that a network IDS only sees cleartext, so TLS-encrypted mail and web traffic must be inspected at the mail gateway or on the endpoint instead. Email firewalls can scan the full text of all outgoing email. Digital rights management (DRM) tools restrict the distribution of documents by assigning access rights and permissions.
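The "unique phrases" idea above works, but a hand-picked list of strings misses a paste that has been re-wrapped, re-cased or trimmed, and a phrase like "please find attached" will fire on ordinary mail. The following added example (my own illustration, not code from the original article or any IDS product) generalises the idea the way document-fingerprinting DLP engines do: every run of six consecutive words in the sensitive document is hashed, shingles that also appear in a sample of normal mail are discarded, and outbound text is scanned for the surviving hashes. The business plan, the background mail and the outbound messages are all constructed.

```python
"""Fingerprint a sensitive document and scan outbound text for it.

Added example, not from the original article. Every run of SHINGLE consecutive
words in the document is hashed, so reformatting, changed case or a partial
paste still matches; shingles that also occur in ordinary mail (a constructed
background corpus here) are dropped so boilerplate does not trigger alerts.
All text below is constructed.
"""
import hashlib
import re
from typing import Any, Dict, Iterable, List, Set

SHINGLE = 6  # consecutive words per fingerprint; shorter = more sensitive, more noise


def normalize(text: str) -> List[str]:
    """Lower-case and keep only alphanumeric tokens so punctuation and layout don't matter."""
    return re.findall(r'[a-z0-9]+', text.lower())


def shingles(words: List[str], n: int = SHINGLE) -> List[str]:
    """Truncated SHA-256 of every n-word window; only hashes need to leave the building."""
    return [
        hashlib.sha256(' '.join(words[i:i + n]).encode()).hexdigest()[:16]
        for i in range(len(words) - n + 1)
    ]


def fingerprint(document: str, background: Iterable[str] = ()) -> Set[str]:
    """Fingerprint of `document` minus any shingle seen in ordinary `background` text."""
    fp = set(shingles(normalize(document)))
    for sample in background:
        fp -= set(shingles(normalize(sample)))
    return fp


def scan(message: str, fp: Set[str], n: int = SHINGLE) -> Dict[str, Any]:
    """Count fingerprint hits in an outbound message and recover the matching snippet."""
    words = normalize(message)
    hits = [i for i, h in enumerate(shingles(words, n)) if h in fp]
    snippet = ' '.join(words[hits[0]:hits[-1] + n]) if hits else ''
    return {'matched': len(hits), 'windows': max(len(words) - n + 1, 0), 'snippet': snippet}


def should_alert(message: str, fp: Set[str], min_matches: int = 3) -> bool:
    """Several hits is a paste; a single hit is usually a phrase two documents share."""
    return scan(message, fp)['matched'] >= min_matches


# Constructed sensitive document, background mail and outbound messages.
SENSITIVE_DOC = """Confidential - do not distribute. Project Kestrel business plan.
We will launch the regional wholesale lending product in the third quarter
with a target of twelve thousand new commercial accounts and a blended
margin of four point two percent. Please find attached the revised figures."""

BACKGROUND_MAIL = [
    "Hi team, please find attached the revised figures for the weekly report.",
    "Reminder: do not distribute the parking passes outside your floor.",
]

OUTBOUND = {
    'lunch': "Anyone up for lunch at noon? Please find attached the revised figures for the menu.",
    'paste': "fyi... WE WILL LAUNCH the regional wholesale lending product\n"
             "in the third quarter, with a target of twelve thousand new commercial accounts.",
}

if __name__ == '__main__':
    fp = fingerprint(SENSITIVE_DOC, BACKGROUND_MAIL)
    for name, body in OUTBOUND.items():
        result = scan(body, fp)
        print(f"{name}: {result['matched']}/{result['windows']} windows matched"
              f"{' ALERT: ' + result['snippet'] if should_alert(body, fp) else ''}")
```

Without the background corpus the lunch message matches once, on "please find attached the revised figures"; with it, that shingle is gone and the lunch mail is clean, while the re-cased, re-wrapped paste still matches 16 of its 17 windows and the recovered snippet tells the responder exactly what went out. Because only truncated hashes are deployed to the gateway, the fingerprint can be pushed to a mail filter or an endpoint agent without shipping the business plan itself.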
Insider threats will pose increasingly high risks to organizations across all sectors. A recipe of tools and strategies is required to prevent data leakage. By prohibiting concurrent logins, controlling and managing network access, alerting IT about inappropriate user access, and empowering IT with access intelligence, an organization can mitigate the risk and reduce its chances of ending up on the news as the next victim of a cyberattack.
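"Prohibiting concurrent logins" is easier to enforce when you can also detect it, and the same replay handles the "alert IT about inappropriate access" point and the unattended-session worry raised under step 9. Here is an added example (not from the original article, and not a parser for any particular product's log format) that replays a constructed login/logout log in time order, keeps one open-session table per user, and reports any login on a second host while a session on another host is still open. Real sources (Windows 4624/4634 events, sshd, VPN concentrators) need their own parsing, but the logic is the same.

```python
"""Detect concurrent interactive logins per user from an authentication log.

Added example, not from the original article. The log is replayed in time
order, one open-session table is kept per user, and a login on a second host
while a session on another host is still open is reported. The log format and
all events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed log: ISO time, event, user, host, source IP. The last two bob
# lines are deliberately out of order, as log shippers often deliver them.
AUTH_LOG = """\
2019-08-01T08:02:11Z login  alice ws-17     10.1.4.17
2019-08-01T08:05:40Z login  bob   ws-22     10.1.4.22
2019-08-01T08:31:05Z login  alice srv-fin01 10.1.9.40
2019-08-01T08:35:00Z logout alice ws-17     10.1.4.17
2019-08-01T08:40:00Z login  alice srv-fin01 10.1.9.40
2019-08-01T12:30:00Z login  bob   ws-23     10.1.4.23
2019-08-01T12:00:00Z logout bob   ws-22     10.1.4.22
2019-08-01T13:00:00Z logout alice srv-fin01 10.1.9.40
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    kind: str   # 'login' or 'logout'
    user: str
    host: str
    src: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; unknown or truncated records are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ('login', 'logout'):
            continue
        t = datetime.strptime(parts[0], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
        events.append(Event(t, parts[1], parts[2], parts[3], parts[4]))
    return sorted(events, key=lambda e: e.time)  # replay by event time, not arrival order


Finding = Tuple[datetime, str, str, List[str]]  # time, user, new host, hosts still open


def concurrent_logins(events: List[Event]) -> Tuple[List[Finding], Dict[str, Dict[str, datetime]]]:
    """Replay events; return findings and the sessions still open when the log ends."""
    active: Dict[str, Dict[str, datetime]] = {}  # user -> {host: login time}
    findings: List[Finding] = []
    for e in events:
        sessions = active.setdefault(e.user, {})
        if e.kind == 'login':
            others = sorted(h for h in sessions if h != e.host)
            if others:
                findings.append((e.time, e.user, e.host, others))
            sessions[e.host] = e.time  # repeat login on the same host is a reconnect, not a second session
        else:
            sessions.pop(e.host, None)  # a logout without a matching login is tolerated
    still_open = {u: s for u, s in active.items() if s}
    return findings, still_open


if __name__ == '__main__':
    found, still_open = concurrent_logins(parse_log(AUTH_LOG))
    for t, user, host, others in found:
        print(f'{t:%H:%M:%S} {user}: new session on {host} while {", ".join(others)} still open')
    for user, sessions in still_open.items():
        print(f'open at end of log: {user} on {", ".join(sessions)}')
```

On the sample, alice's 08:31 login to srv-fin01 is reported because her ws-17 session is still open; her 08:40 re-login to the same server is treated as a reconnect, and bob is not flagged because sorting by timestamp puts his ws-22 logout before his ws-23 login even though the lines arrived the other way round. The sessions still open at the end of the log are returned separately: a workstation that never logs out is the unattended session step 9 warns about, and is worth its own alert.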