The extensive hacking programs of nation states, which use technically advanced methods to breach companies and steal valuable intellectual property, are well known. They make for a good news story that media outlets are always eager to jump on and report, often embellishing the facts.
These kinds of stories are exciting to read, and a hacked company is much more likely to admit that a state actor was after its “crown jewels”. The reality is, however, that regardless of the size or scope of a breach, it is usually caused by the malicious action or accidental failure of an insider. The IBM X-Force Threat Intelligence Report 2018 indicated that in 2017, 60% of total records compromised were facilitated by insiders. Two years on, statistics now indicate that at least 90% of breaches occur due to human error.
When protecting against the insider threat, companies need to look beyond the walls of their own organisation. It is not just trusted employees that you need to think about. More often than not, small to medium businesses (SMB) rely on managed service providers, contractors and partnerships with other companies to meet the demands of remaining competitive. Additionally, SMB regularly fall within the supply chain of larger enterprises. Any individual or company that has potential access to your business should be treated as an insider.
It’s the insider that poses a more destructive threat. It is a threat that can destabilise a company financially, destroy its reputation and significantly reduce shareholder confidence in the leadership team. A trusted insider has the potential to cause more damage to the company and holds more advantages than an outside attacker. An insider has legitimate and often privileged access. Specifically, they have intimate knowledge of the organisation, including its processes and most critical assets. They know when and where to attack, whilst being able to hide their tracks.
Given the advances in technology that can detect and prevent attacks from the outside, it is actually quicker for an outside threat to subvert the technology by placing or coercing an insider to commit network or manual sabotage, espionage, fraud or theft of IP. Not to mention tricking an employee into clicking on a link, opening a document, visiting a fake website... the list goes on.
Technology has also vastly improved the speed and volume with which organisations engage their specific market, and it brings with it the ability to transmit large amounts of information. As such, the protection of intellectual property or sensitive information has become harder and harder, especially with the extensive use of smart devices and the ease with which data can be downloaded and disseminated. Protecting critical business assets is itself critical to an organisation’s ability to develop products, provide services and gain an economic advantage. SMB spend an incredible amount of time producing sensitive business information, which is extremely valuable not only to the business but also to the competition. Misuse or disclosure of this information can impair or even destroy its value, significantly undermining the financial viability and reputation of an organisation.
With time and motivation, humans will always find a way around technical countermeasures. The research shows that cyber-related incidents are less likely to be a technical issue than they are to be a strategy, policy and human issue. SMB will have a better chance of saving their organisation from the cost of recovering from an attack, and the reputational damage that follows, if they look at the threat as the individual and not the method of attack. A security framework that effectively integrates technical controls with the human and physical controls stands a much better chance of preventing an attack. This includes cultural shifts, awareness training, and process and policy measures, rather than applying scattered technical solutions without any real strategy behind the implementation.
Every SMB should have an insider threat program: a continuous process that analyses the existing controls to determine where the gaps are and what measures need to be implemented. Importantly, think of cost-effective measures that aim to target root causes, rather than just throwing expensive technology-based solutions at the problem in the hope they will fix everything. Rehearse, rehearse and rehearse, because if a breach does occur the business will be in a much better position to respond and recover. Here is a guide and set of principles for SMB looking to build an insider threat program.
Define what assets are most important. Prioritise them by thinking about the impact to your business if they were compromised.
Know who (internal and external) has access to the above information and how it is accessed, because you are only ever as secure as your weakest link.
Develop an integrated strategy to protect the information, assets, etc. (physical, human and technical strategies).
Develop policies and procedures to back up the strategy.
Educate your workforce on the policies and procedures. Make sure they know why a control is in place and how it works.
Implement robust hiring and firing procedures. That includes external providers and vendors.
Incorporate periodic, tiered and tracked automated training.
Have a mechanism with which employees can report unusual activity. Make it part of your company’s DNA to report issues.
Implement a response plan for a breach. Make sure it is tested.
Continually improve the program by reviewing it, revising it, rehearsing it and analysing it.
The threat from insiders, whether it be malicious or accidental, is unlikely to subside. Given the transient nature of the workforce in the 21st century and the technological advances in the transfer of data, it is more likely that organisations will experience attacks that emanate from within. Giving your organisation the best means of mitigating the likelihood of an insider breach will significantly decrease the strategic risks and lasting effects that a breach of this kind may have.
If you require any help with implementing the right program for your SMB, then feel free to get in contact with me. We all need to work together to protect SMB – “The backbone of innovation”.
Matt Bunker, Managing Director at ARX Risk