84%. That’s the number of cyber attacks which, according to a survey conducted at the 2017 Black Hat Conference, can be attributed at least partially to human error. Everything from ransomware to hijacked credentials to unintentional leaks.
It’s easy to look at all the stories of advanced hacks, cyberespionage, and devastatingly-powerful botnets in the news and assume them to be the norm for cybersecurity. It’s easy to look at cyber-criminals as sophisticated tech wizards, capable of smashing through even the strongest security through targeted attacks. The truth, however, is that such threats actually represent naught but a fraction of actual cybercrime.
It’s true that cybercrime has grown more sophisticated, and that criminals have a far greater arsenal of tools and toys at their fingertips when it comes to plying their craft. But it’s also true that the vast majority of these criminals aren’t interested in targeted campaigns, nor are they state-sponsored experts or organized syndicates. They’re just people looking to make a quick and easy buck.
Grappling with firewalls and network monitoring systems is not easy. Searching for a vulnerability in a well-patched system is not quick. Combing over an organization’s supply chain to find a vendor that can grant access is not simple.
Want to know what is?
Targeting an organization’s employees. Your people are, and always will be, your greatest vulnerability – chiefly because many businesses don’t even realize the kind of danger insider threats represent. Uneducated or careless staff aren’t the only thing that you should be worried about, either.
Internal bad actors can cause more damage to your systems than even the most experienced hacker. A disgruntled employee will probably know how to access at least a few privileged assets. Woe betide you if that employee is an IT professional, or if your business has not implemented checks and balances against unauthorized internal access.
The first step in dealing with such internal threats lies in recognizing that they exist in the first place. Let’s talk about that. Here are some of the biggest red flags that there’s an insider threat lurking within your business’s walls – and some advice on how to deal with it.
Your Workplace has Gotten Toxic Lately
We’re going to go into this on the assumption that you’re already engaging in at least a few of the basic hiring best practices. A vetting process that includes a criminal background check and a discussion with previous employers. A thorough interview process designed to help you weed out the bad eggs.
The standard stuff.
Mind you, even with all these measures in place, bad eggs can sometimes slip through the cracks. An office that was originally a great place to work can quickly shift over into toxicity through the actions of just a single person, be they a regular employee or management personnel. Within such an environment, the chances that a disgruntled staffer might turn malicious increase exponentially.
Determining the root cause of this toxicity is your first, most important step. Sit down with your employees and have an open, honest, and frank discussion with them about their workplace problems and difficulties. Listen to their grievances, and ensure they’re all treated with respect and dignity – and that everyone, from interns up to the C-suite, is treated by the same rules.
In the meantime, you’ll want to keep an eye out for a few warning signs that someone might be crossing the line from frustration to active malice (or that they’ve already crossed that line). Note that any and all of these could just be indicators of dissatisfaction with their job. It’s important that you don’t make any undue assumptions, and that you don’t accuse anyone without proper evidence.
That said, we’ve bolded the ones that we consider serious red flags.
- They’ve suddenly expressed an interest in accessing materials and assets they ordinarily cared little about.
- They’ve experienced an unexpected windfall, or openly discussed their financial difficulties with co-workers.
- They’ve engaged in petty criminal behavior in the past, such as theft of office supplies or other minor, illegal activities.
- They’ve suddenly become more argumentative, combative, or disruptive.
- They seem unusually nervous or on-edge.
- They’re more frequently in the office during off-hours – which is strange, since they seem to hate being here.
- They’ve begun discussing the possibility of tendering their resignation.
- They’ve started downloading or accessing an unusually large volume of data or searching the network for assets not directly linked to their position.
- They’re carrying unauthorized data storage devices more frequently in the workplace.
- They’re frequently emailing domains and individuals not affiliated with the company.
There’s a Lack of Cybersecurity Training and Education
As we’ve already established, most insider threats aren’t actively malicious. They’re otherwise well-meaning, good-natured employees who make honest (if ignorant) mistakes. The chances of them making said mistakes are a great deal higher if you don’t have some form of training and education program in place for your staff.
As we mentioned in a recent press release, it doesn’t matter if your business has a six-figure cybersecurity budget if you aren’t working to teach your employees more about cybersecurity. You need to put programs in place that allow them to learn more about protecting their own privacy online – and about why they should.
Such skills will naturally translate into a corporate setting, especially if you emphasize their agency and the importance of their role in your organization’s success. Mindfulness training, too, can be valuable. Not only can it give your staff more tools for dealing with stress, but a more cautious, mindful attitude will also make them less likely to fall for tactics like phishing scams.
Establishing a searchable knowledge-base with an overview of security threats, best practices, and information on your organization’s security policies is also highly advisable. Give people the chance to study up and learn more on their own, should they so choose.
Finally, you should run regular security drills and penetration tests to determine how well your training has set in, and identify areas that need improvement.
You Aren’t Monitoring Anything
Do you know who is accessing what assets, and when they’re doing it? Do you know what devices your staff are using to download and edit sensitive files? Are you aware of each employee’s activities on your network in a broad sense?
If you answered no to any of these questions, you’re in trouble.
It’s absolutely imperative that you incorporate a framework that allows you to monitor files, emails, servers, and systems that are essential to your business. If an employee is behaving suspiciously – say, by downloading several gigabytes of files they ordinarily would never access – you need to be aware of it. Because if you’re flying blind, not only does it put you at greater risk of external cyber attacks, it also makes it far likelier you’ll suffer an internal breach.
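To make that concrete, here is an added example (not part of the original article) of the kind of check such monitoring enables: it builds a per-user profile from past file-access records, then flags a day's activity that touches assets the user has never accessed, happens off-hours, or far exceeds their typical volume. The record format, user and file names, working hours and the 10x volume threshold are all assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records: (ISO timestamp, user, asset, bytes transferred).
BASELINE = [
    ("2024-03-04T10:15:00", "alice", "hr/payroll.xlsx", 2_000_000),
    ("2024-03-05T11:00:00", "alice", "hr/payroll.xlsx", 3_000_000),
    ("2024-03-06T14:30:00", "alice", "hr/policies.pdf", 1_000_000),
    ("2024-03-04T09:45:00", "bob", "eng/design.docx", 5_000_000),
    ("2024-03-05T16:20:00", "bob", "eng/design.docx", 4_000_000),
    ("2024-03-06T13:05:00", "bob", "eng/specs.pdf", 6_000_000),
]
REVIEW_DAY = [
    ("2024-03-07T10:05:00", "alice", "hr/payroll.xlsx", 2_500_000),
    ("2024-03-07T22:40:00", "bob", "finance/ledger.db", 3_200_000_000),
    ("2024-03-07T22:55:00", "bob", "hr/payroll.xlsx", 900_000_000),
]

def build_profiles(records):
    """Per user: set of assets seen and median bytes per active day."""
    assets, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for ts, user, asset, size in records:
        assets[user].add(asset)
        daily[user][ts[:10]] += size  # group by calendar date
    return {u: (assets[u], median(daily[u].values())) for u in assets}

def review(records, profiles, volume_factor=10, work_hours=range(7, 20)):
    """Return {user: sorted reasons} for activity that departs from the profile."""
    total, findings = defaultdict(int), defaultdict(set)
    for ts, user, asset, size in records:
        known_assets, _ = profiles.get(user, (set(), 0))
        total[user] += size
        if asset not in known_assets:
            findings[user].add(f"new asset: {asset}")
        if datetime.fromisoformat(ts).hour not in work_hours:
            findings[user].add("off-hours access")
    for user, size in total.items():
        typical = profiles.get(user, (set(), 0))[1]
        if size > volume_factor * max(typical, 1):
            findings[user].add(f"volume {size} bytes vs typical {int(typical)}")
    return {u: sorted(r) for u, r in findings.items()}

if __name__ == "__main__":
    for user, reasons in review(REVIEW_DAY, build_profiles(BASELINE)).items():
        print(user, "->", "; ".join(reasons))
```

A finding here is a prompt for review, not proof of wrongdoing; a new project or a deadline can produce the same pattern.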
There’s No Access Control Where Sensitive Assets Are Concerned
As somewhat of an addendum to the above, you need to make sure that where your business’s critical assets are concerned, access is limited exclusively to those people who need those assets for their work. Remember the Panama Papers breach that occurred a few years back? It wasn’t an inside job, but one of the main reasons it was so successful was that Mossack Fonseca had no access control, nor did they store their files in any sort of hierarchy.
Look at it this way. If you were running a bank, would you give every single employee unrestricted, unmonitored access to the vault? That’s a foolish idea, right?
Why, then, would you be willing to give every employee unrestricted access to every file and server within your organization’s walls?
Your Leadership Doesn’t Care About Security
Believe it or not, lower-level employees aren’t always the cause of insider breaches. Often, it’s someone higher up the corporate ladder. Men and women with enough authority and pull that they may believe the cybersecurity rules everyone else has to follow don’t apply to them.
This is especially prevalent in agencies such as law firms, where partners and senior lawyers often see security controls as an inconvenience, at best. If you truly want to mitigate insider threats, you need to address this attitude. You need to ensure that everyone, including and especially the C Suite, understands why you have security controls in the first place – and if it proves necessary, you should work with them to implement those controls in such a way that they aren’t an impediment.
External actors are the least of your concerns from a cybersecurity perspective. At the end of the day, the biggest threat to your systems and data comes from within. If you’re aware of that fact, there’s a lot you can do to mitigate that threat.
If you aren’t, you’re basically doing the cyber equivalent of installing a screen door on a fortress. No matter how impressive your walls are, someone’s going to just let people in through that door.