Insider threats are a substantial risk across all sectors and industries, affecting organisations of any size.
After all, insiders have legitimate access to corporate systems and sensitive data, so insider cyber-attacks are harder to detect than malware-based intrusions. The rapid global shift to home working brought new challenges for CISOs: the ‘attack surface’ increased exponentially, whilst visibility reduced. Social engineering attacks rose sharply as cyber criminals preyed on human insecurities, irregular working hours and weaker home Wi-Fi security. In fact, cyber-crime was reportedly up 600% in 2020.
What is an insider threat?
An ‘insider threat’ is a current or former employee, a third-party contractor or a business partner who has legitimate access to your organisation’s network. These individuals could leak data, either by accident or deliberately.
According to Gartner’s Advanced Insider Threat Detection Report, 90% of insider incidents are caused by those the report categorises as ‘Goofs’ – ignorant or negligent employees who believe they’re exempt from security policies. Whilst intentional theft can cause enormous damage, the report shows that malicious insider attacks are uncommon.
The accidental insider, with no intent to steal or inflict damage, can make a genuine but costly error, such as emailing work data to a personal account in order to work from home, mislaying a USB drive, or falling victim to a social engineering attack.
What is social engineering?
Social engineering broadly covers a number of cyber-attacks that use human interaction and psychological manipulation. Criminals pose as a trusted entity to trick users into freely transferring funds, giving away confidential information or providing unauthorised network access. As they rely on human error rather than software or OS vulnerabilities, attacks are hard to identify.
Social engineering is used in 90% of cyber-attacks.
Social engineering attacks are responsible for an estimated 70-90% of data breaches.
What is smishing and vishing?
Now well known, phishing is the most common form of social engineering. Playing on urgency, curiosity or fear, mass emails encourage users to click through to copycat websites or open malicious attachments. Smishing, a similar technique using SMS messaging, spiked during the pandemic as fraudsters pretended to be the NHS offering vaccinations or the Royal Mail handling increased deliveries.
The dangers of vishing, or voice phishing, were underlined by the 2020 attack on remote Twitter teams. Callers impersonated IT administrators to obtain employees’ credentials. Passwords were changed on over 130 high-profile accounts, including those of Barack Obama and Joe Biden, and the accounts were then used for a Bitcoin scam. This wiped 4% off the Twitter share price.
Baiting
Phishing’s devious cousin, baiting relies on fear, greed and temptation. Heavily psychological, it is an information security confidence trick used to obtain highly sensitive information, like financial details. It takes many digital forms from ‘too good to be true’ online downloads to deliberately ‘lost’ branded corporate USB drives left in the office lobby marked ‘Confidential HR’ or ‘finance’.
Water holing
Much like a predator waiting by a water hole for its prey, water holing is an attack in which the criminal targets a group of people, usually from the same corporation. These ‘drive-by’ web attacks infect a website that employees must visit for their role. Such was the case in the high-profile Forbes attack in 2014: all users needed to do was load forbes.com for criminals to gain access to the corporate network.
How do you prevent insider cyber-attacks?
A proactive insider threat mitigation strategy should combine physical security and employee education. By their nature, these psychological, human-error techniques are far less predictable and depend on individual employees to identify and report any incident.
Increase user awareness
Following their 2020 research of more than 1,000 global employees, Mimecast found that 96% are aware of digital threats, yet 45% of employees don’t report suspicious messages out of fear of getting in trouble. Alarmingly, the same percentage admit to clicking on emails they consider ‘suspicious’.
Despite knowing they shouldn’t, 73% “extensively use” corporate devices for personal email, online shopping and financial transactions. 66% have done so more since working remotely.
There is a clear need for ongoing awareness and attack scenario training on the increasingly sophisticated social engineering threats; these should be regular, rather than one-off sessions. For example, your team may know to check the browser for a site’s security padlock, but are they aware that 50% of phishing sites now use https?
Identify your assets
With hybrid working and remote teams, it has never been more important to determine who has what. An IT audit will help you to classify the vulnerability status of each asset and inform your risk mitigation strategy.
Accurately cataloguing assets is more than assigning laptops to users; it extends to external hard drives, tablets and mobile phones. For larger institutions, this can mean thousands of devices in thousands of remote offices. Many ITAD companies offer an auditing support service to help organisations take an updated inventory, ensuring everything is asset tagged and documented.
Undertake an access audit
Regularly reassess user network access controls and software licences, and review password policies. Apply the ‘principle of least privilege’, which grants users only the access rights they need to do their job. It is surprisingly easy for a redundant employee’s access to slip through the net, putting you at risk of a data breach.
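One way to turn the access audit above into a repeatable check, as an added example that is not the article's own material: reconcile a directory or IAM account export against the HR leavers list and against the entitlements each role should hold, flagging leavers still enabled, privileges beyond the role (least privilege) and accounts nobody has used recently. All names, dates and the role map below are constructed sample data.

```python
"""Access audit reconciliation (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import date

# Constructed HR leavers export: username -> leaving date (hypothetical names).
HR_LEAVERS = {"j.doe": date(2021, 3, 31), "a.khan": date(2021, 6, 15)}

# Constructed role map: the most each role should be entitled to (least privilege).
ROLE_ENTITLEMENTS = {
    "finance": {"erp_read", "erp_post"},
    "support": {"ticketing", "vpn"},
    "contractor": {"vpn"},
}

AUDIT_DATE = date(2021, 9, 1)  # date the sample audit is run


@dataclass
class Account:
    username: str
    role: str
    enabled: bool
    last_logon: date
    entitlements: set


def audit_accounts(accounts, leavers, role_map, today, stale_days=90):
    """Return (username, finding) pairs for an access reviewer.

    leaver-still-enabled  the account of a departed person is still enabled
    excess-privilege:...  entitlements beyond what the role should hold
    stale-account         enabled but not used for more than stale_days
    """
    findings = []
    for acct in accounts:
        if acct.username in leavers and acct.enabled:
            findings.append((acct.username, "leaver-still-enabled"))
        extra = acct.entitlements - role_map.get(acct.role, set())
        if extra:
            findings.append((acct.username, "excess-privilege:" + ",".join(sorted(extra))))
        if acct.enabled and (today - acct.last_logon).days > stale_days:
            findings.append((acct.username, "stale-account"))
    return findings


# Constructed directory export: one leaver still enabled, one disabled correctly,
# one contractor holding an ERP entitlement their role does not need.
SAMPLE_ACCOUNTS = [
    Account("j.doe", "finance", True, date(2021, 3, 30), {"erp_read", "erp_post"}),
    Account("a.khan", "support", False, date(2021, 6, 14), {"ticketing"}),
    Account("m.lee", "contractor", True, date(2021, 2, 1), {"vpn", "erp_read"}),
    Account("s.patel", "support", True, date(2021, 8, 20), {"ticketing", "vpn"}),
]


def run_sample_audit():
    """Run the audit over the constructed export; returns the findings list."""
    return audit_accounts(SAMPLE_ACCOUNTS, HR_LEAVERS, ROLE_ENTITLEMENTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_sample_audit():
        print(f"{user}: {finding}")
```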
Professional data erasure
As businesses recognise the importance of sustainability, the circular economy and environmentally friendly ITAD, devices that would have previously been considered end of life IT assets are now refurbished or recycled by IT asset disposal services.
Whether their components will enter the remanufacturing process or the device is to be upgraded and redeployed, it is imperative that any redundant IT equipment undergoes a secure data destruction process. Not only does this ensure you protect company data and prevent data governance issues, your organisation will remain fully compliant with EU and UK GDPR data destruction requirements.
Your insider threat mitigation strategy should include physical security, such as antivirus and intrusion detection systems, to help avert company-wide phishing and malware attacks. A robust IT asset disposal policy and regular IT audits of hardware and privileges will help avoid unnecessary attacks.
Whilst a physical strategy is key, to achieve a higher level of security, employee awareness of new and emerging attacks must be not only increased but maintained. As social engineering preys on human curiosity, it is crucial that employees begin to feel comfortable reporting a genuine error. After all, cyber criminals rely on a lapse of concentration that can catch out the most attentive employees.
As your ITAD partner, tier1 offer a range of support services in addition to our data erasure services. We are here to make your life easier and can assist with upgrades for redeployment, resale and recycling of end of life IT assets.
To find out more, call us on 0161 777 1000 or visit tier1.com