Cyber attacks are on the increase, but how do you deal with a threat when it comes from within your own company? Cyber security training experts at Cucial Academy, who help re-train people who have left the military, offer some tips.
An inside job brings up images of bank raids and heists but in the modern world companies should be thinking just as seriously about the cyber threat coming from within their own business.
The possibility that a breach could be down to an employee or former employee is growing all the time.
It could be a malicious attack from a disgruntled member of staff who has recently been sacked or who has a grudge against the business, for instance.
But more often the threat comes from the unintentional actions of untrained employees that put the business at risk and create cyber vulnerability.
It is well known that a high percentage of data breaches are down to human error or lack of awareness – and cyber predators are ready to take advantage.
Here are seven key tips to preventing an inside job – and dealing with it efficiently if the worst happens:
1) Start with the basics – train your staff to spot a phishing email. Phishing is a simple scam that is easy to avoid with the correct training. However, approximately 94% of malware enters a network this way. Phishing emails are becoming more sophisticated, deliberately targeting staff with messages that appear to be addressed to them individually from clients or suppliers. Many include attachments that mimic anything from invoices to tax documents. Conducting fun, interesting and easy-to-implement staff training on a regular basis is key.
2) Ensure former employees do not have access to files and systems. A fired employee can be a significant insider threat if they are able to access files and systems. A removing access policy and/or an employee termination policy should be in place in advance. When an employee leaves the business, all access should be quickly removed. Not just to the building but to devices and software.
3) Utilise Principle of Least Privilege (PoLP) to limit access to the essentials, especially for short-term staff. When workers stay in post for only a matter of weeks or months a PoLP policy is an essential.
This system sees a new arrival start with no privileges and receive access only to systems and files they need to do their job. It may seem a simple principle, but it takes planning because many security systems assign rights in groups rather than to individuals. Businesses should map all job functions and what privileges they need – and avoid assigning privileges to guests, members of the public or those who do not need them.
4) Have a plan in place to deal with an insider incident. Companies need to be able to initiate security controls as soon as they suspect an employee or employees may be a threat to the business. This can involve invoking or honing monitoring tools to begin to gather evidence and determining the threat and scale of the incident.
Co-ordination with legal counsel can be initiated early to address privacy, data protection and legal responses. Suspected employees could have their accounts frozen or they could be placed on forced leave or job rotation to allow for a forensic investigation to take place.
5) Be aware of what lack of preparation means. For those organisations without the appropriate controls in place, the scenario may play out very differently.
It can result in increased damage to the business in terms of data stolen and reputation lost. Falsely-accused employees may take legal action against a business, whilst distrust of the organisation may arise amongst other employees.
GDPR is also an important issue to consider in advance. The regulation threatens fines of up to 20 million Euros or 4 per cent of annual global turnover for businesses which suffer data breaches. It also sets out a strict time frame for the reporting of breaches – normally within 72 hours. So, it is not only vital for businesses to be GDPR compliant but also to have clear and tested procedures in place for when things do go wrong.
6) Use advance checks to reduce risk during recruitment
Thorough background and reference checks in advance of employment are some of the best methods employers can use to reduce insider threat. Always take up references.
7) Consider the pros and cons of hiring external consultants to investigate internal threats. The advantage of hiring external consultants to help detect malicious employee behaviour is that they hold no loyalties or bias and cannot be influenced by people within the business.
They can also have knowledge and expertise that may not be present within the business and be able to see gaps in the business’s current cyber security policies that current staff are not aware of. The downside is that, if the external consultants are not supported at the highest levels within the business, they can become hamstrung with internal politics.
Without the authority to interview employees across the business and delve into its inner workings, they can be impeded by individuals who may not want them to advise new security controls (especially if they cause jobs losses or a restriction on current working practices).