Although the media loves a shady computer hacker story — usually adorned with images of a man in a hoodie sitting in a dark room — the reality is that rogue employees can often do much more damage to an organisation’s data integrity.
The insider threat can come from ‘malicious’ actors, whether that’s an Edward Snowden, who leaks information for normative reasons, or someone who sells off personal information. But commonly it’s just regular employees engaging in risky behaviour without realising.
“What is the biggest threat to the security of your business? Well in fact it is human apathy and ignorance,” La Trobe University associate professor Sara Smyth told last week’s ConnectExpo tech conference.
An attack can be as simple as someone calling up an employee, pretending to be a colleague, and asking for confidential information — a password, perhaps, or customer data. This makes people an organisation’s biggest security weakness, as convicted-hacker-turned-security-consultant Kevin Mitnick has pointed out: “Two-thirds of employees have done things that can put their company’s IT security at risk.”
“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted. It’s essentially meaningless.”
Clicking fake links in emails is another soft spot, as the Democrats found out in the United States election. Phishing is such a problem for Australia Post, where many employees don’t seem to care about the risks, that its IT department recently took to testing whether they should scare reckless staff by making it appear their computer had been locked with ransomware.
“Software developers and vendors want us to think that the secret to cyber security is better security technologies, but in fact it’s not,” Smyth says. “It’s not up to the security geeks sitting in the corner of the room, it’s up to the management of organisations to have effective training, education and risk management procedures.”
While she does not advocate throwing the technology out the window — it’s obviously necessary — it needs “to be combined with policies that promote security awareness alongside good behaviours that protect the overall security of the organisation”.
There’s even new software that can identify anomalous behaviour among employees — it looks weird if Jane from HR is accessing a certain file at 3am, for example — but what if a rogue employee is acting within the scope of their authorised activities?
One problem is that a lot of employees and contractors have access to too much information, Smyth explains. “Perhaps you need to have a policy in place, or a strategy in place initially to review the scope of that authority, and to perhaps quarantine some of that information. To not allow some employees to bring their own devices to work, to not allow them to take confidential information off premises.”
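The two points above, anomaly detection on access behaviour and reviewing the scope of what staff are authorised to reach, can be illustrated with a small script. This is an added example, not code from the article or from anything Smyth or the conference presented. The access log, the role-to-resource baseline, the business-hours window and the user names are all constructed for the illustration; a real deployment would derive the baseline from observed behaviour and an identity system rather than a hard-coded dictionary.

```python
from datetime import datetime

# Constructed sample access log (not from the article): timestamp, user, role, resource.
ACCESS_LOG = """\
2017-03-06T09:12:00 jane hr hr/payroll.xlsx
2017-03-06T03:05:00 jane hr hr/payroll.xlsx
2017-03-06T14:30:00 bob sales finance/ledger.db
2017-03-06T10:00:00 bob sales sales/pipeline.csv
2017-03-06T11:45:00 jane hr hr/contracts/
"""

# Hypothetical role baseline: the resources each role is authorised to touch.
ROLE_SCOPE = {
    "hr": {"hr/payroll.xlsx", "hr/contracts/"},
    "sales": {"sales/pipeline.csv"},
}

# Assumed working window, 07:00 to 18:59 local time.
BUSINESS_HOURS = range(7, 19)


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, resource = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "resource": resource,
        })
    return events


def check_event(event):
    """Return the findings for one access event (empty list means no alert)."""
    findings = []
    # Behavioural anomaly: access outside the normal working window.
    if event["ts"].hour not in BUSINESS_HOURS:
        findings.append("off_hours")
    # Scope-of-authority check: resource not in the role's baseline.
    if event["resource"] not in ROLE_SCOPE.get(event["role"], set()):
        findings.append("out_of_scope")
    return findings


def detect(text):
    """Map the index of each flagged log line to (user, resource, findings)."""
    results = {}
    for i, event in enumerate(parse_log(text)):
        findings = check_event(event)
        if findings:
            results[i] = (event["user"], event["resource"], findings)
    return results


def review_entitlements(grants):
    """Entitlement review: report grants that exceed the role baseline.

    grants maps user -> (role, list of resources actually granted).
    """
    excess = {}
    for user, (role, granted) in grants.items():
        extra = set(granted) - ROLE_SCOPE.get(role, set())
        if extra:
            excess[user] = sorted(extra)
    return excess


if __name__ == "__main__":
    for idx, (user, resource, findings) in detect(ACCESS_LOG).items():
        print(f"line {idx}: {user} -> {resource}: {', '.join(findings)}")
    print("excess grants:", review_entitlements(
        {"bob": ("sales", ["sales/pipeline.csv", "finance/ledger.db"])}))
```

Run against the constructed log, the script flags Jane's 3am payroll access as off-hours and Bob's reach into the finance ledger as out of scope. The last line of the log, Jane opening the contracts folder during working hours, produces no finding at all: it is authorised, in-scope and on time, which is exactly the gap the article raises. That is why the entitlement review function sits alongside the detector. Shrinking what a role can reach in the first place, rather than hoping to spot misuse after the fact, is the control that addresses the authorised insider.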
Well-meaning staff who create cyber security risks through negligence are the most insidious, she says.
“That can result from a lack of understanding about internal security policies, or the absence of policies altogether, or a lack of communication of those policies to staff by management.
“A recent study by Cisco found that as many as two-thirds of employees have done things that can put their company’s IT security at risk — like walking away from their computer without logging off, leaving the organisation with corporate data copied to their tablet, smartphone or a USB, or moving files to Dropbox without permission. Leaving computer passwords in open sight. Losing devices like a laptop.”
The good news is that negligence can at least be reduced through education and communication.
Smyth suggests five steps to manage cyber security threats:
1. Identify and evaluate risks
Prevention is the best way to mitigate against cyber threats — figure out what your risks are and put a plan in place.
“Obviously an organisation’s assets can’t be protected if their value and loss is not well understood. You first need to ask yourself, what does cyber security mean for this organisation?” Smyth asks. “Is it possible that at least part of the system is susceptible to compromise through cyber attacks?”
Organisations need to question whether, in the event of malicious or inadvertent damage, from malware or hacking or some other disruption that takes their systems offline, their data is secure, she notes. Is the information only available to those who have the authority to access it? Who are the threat actors who could target your organisation? Are they insiders or outsiders, or both?
Has your agency been targeted in the past? Is there corporate memory of past incidents, and if not, can you learn from others who have been targeted?
2. Assess ability to shoulder risk
Organisations need to work out not only what the risks are, but how those risks would impact vital infrastructure.
“What is the value of your data and where is it located? What part of the data is critical to the functioning of your business?” Smyth asks. “What data can you absolutely not afford to have compromised or lost?”
Although it can be difficult to quantify how much money might be saved by investing in cyber security measures — and thus may not always look appealing to managers trying to reduce costs — a serious breach can put the entire organisation at risk. “It makes sense financially to pay money to secure that data,” she argues.
3. Develop and implement risk reduction measures
“Who is protecting your organisation’s data? Who is responsible for the day to day management of data security? Do you have someone internally? If not, do you need to hire someone outside the organisation?” questions Smyth.
“Do you even have a cyber risk management strategy, and have you tested it out, or had it externally audited? And this means that you need to clearly identify your cyber security risk requirements and trace how those requirements are being met or not met, right through the supply chain to the end user or customer.”
She also recommends thinking about cyber insurance. The premium for cyber insurance, a relatively new phenomenon, will often be lowered if an organisation has already taken risk mitigation steps first.
4. Implement, monitor and revise
“You need to have a process for reviewing and updating cyber security policies and communicating those to your staff. You need to measure and track whether those policies are in fact working, and you need to consider compliance measures, including those that are required by your insurance policy,” she explains.
5. Disclose risks and strategies
“You need, of course, to advise your employees and brief them about what to do in the event of an attack. You need to implement employee awareness and training seminars within your organisation,” she notes.
It’s important to ensure senior managers are setting the right tone for the organisation, communicating good cyber security policy and practicing what they preach, she adds.
Cyber security, she emphasises, is more than just an IT issue. It affects the entire organisation, and requires a response from the whole organisation.
“We know that cyber criminals spend a lot of time thinking about how to improve their success rates, reduce costs and take advantage of new innovations,” Smyth points out.
“It makes it very difficult for us to predict what will happen.”