Per Verizon Data Breach Investigation Report, 80% of the incidents had financial motives. On a recent interview with CNBC, John Carlin, Assistant Attorney General for National Security, stated;
"The threat of insiders is real and what can happen is you have amazing defenses to protect your intellectual property and other secrets from those who are trying to obtain them from outside your company's walls, but you forget sometimes to have a program where you are watching those who you trust."
The attacks that originate from inside may be intentional and/or unintentional. One example of such a scenario happened in late February 2016 with Snapchat, where the attacker with criminal intent pretended to be the CEO, Evan Spiegel and tricked an employee into emailing over confidential information which compromised PII for roughly 700 employees (current and former). The employee who gave out the confidential information was part of the payroll department who fell for a phishing scam. Per Snapchat, the email was not recognized as a scam and therefore can be classified as "unintentional." With a well-established company like Snapchat you may expect a rigorous program in place, but its quite difficult, if not impossible, to address the biggest vulnerability with humans that can be exploited: trust.
Companies can only take precautions and strict measures to ensure their employees are complying with the security standards established by the company. Below are three critical steps a company should take to ensure the protection of their information:
1. An all rounded continuous security training program:
At any given time, your employees must know what is your security policy (especially the password complexity and proper ways to handle it), what standard procedures you expect your employees to follow during an event of an emergency. The 2016 Verizon Data Breach Investigations Report states that 63% of 2,260 confirmed breaches leveraged weakly, default or stolen passwords. Management should not assume the possession of any knowledge or policy/procedure (especially from a new hire) because each company may have a different set of operating policies and procedures. Sure, they may overlap, but this cannot be assumed as each organization is at a different level of complexity and risk. The security program should also address and mandate the use of personal devices. This should not just be limited to smartphones and tablets but also consist of USB flash drives and memory cards. Stuxnet virus that caused severe damage to Iran’s nuclear program was introduced by the way of a flash drive into systems that were not connected to the internet. Additionally, security awareness training should not only happen for your new hires but also your existing employees. This becomes a major part in reducing risk when your company is growing. Growth comes with a new set of challenges and you must ensure all your ground is covered because insider attacks are ubiquitous.
2. Knowing your team:
There are two parts to this factor: a) Knowing your employees b) Knowing your coworker as a friend.
- An organization should treat every single employee as a threat, regardless of their position in the company. This should start with the hiring process. A robust background check and reference check should be performed in this stage. After hired, you can further strengthen this point by understanding which employees hold the highest potential risk for causing the damage financially and reputationally and assess the critical assets they can access to ensure proper mitigation controls are in place. Every organization is different like the human DNA, but in my opinion IT administrators should be considered the highest priority.
- During my graduate school, previous internships and full-time jobs, I have noticed that the group that I tend to work with is usually a small one. This establishes a personal connection among one another. So, if your team falls into this category, you should implement this tactic, if not make your existing process better. Team bonding and recognition is a great way to ensure your team is valued and happy working at your workplace. It’s great to have good pay and other tangible benefits, but it is equally important to be recognized and know your value to the organization. Bonding helps you know your co-workers, their likes, dislikes, thoughts, frustration points and if you notice any unusual behavior, that may raise a red flag, you and/or your manager can reduce the risk of employee turnover as well as any data breach associated due to their frustration. This may certainly be a long shot, but if faced with such a situation, you can mitigate it before it gets critical. Remember prevention is better than cure.
The word ‘audit’ is derived from the Latin word ‘audire’ meaning to hear. Auditors can assist an organization in uncovering fraud, non-compliance (both with the company and regulations) and improve the business processes. It is very important to know what is efficient and what is a waste when your business is growing or when the environment is complex. Having a routine security audit (internal and/or external) can greatly assist your organization in uncovering potentials anomalies that may not be visible to management. Audits can also assist in identifying gaps between current practices and tie them to the industry best framework. An audit should not be ‘once in a while’ project, but rather a continuous project to yield the best results.
It is no news that technology is continuing to change at a very rapid pace. With this change, new threats and vulnerabilities are coming along rapidly. Although some of these threats and vulnerabilities can easily be mitigated with proper technology enabled controls, the human factor (insider threat) remains paramount. Involvement of various stakeholders is vital to create a robust regime to protect the data and most importantly, businesses should implement common preventive and detective and corrective tactics to avoid being a victim of cybercriminals.