It is intrinsic to human nature to treat external threats as the higher priority to address and guard against. We don’t like to consider the more insidious threat lurking within. Likewise, it is no surprise that in the world of cyber-risk, organizations often concentrate their efforts on threats outside their network perimeter — not considering the threat within their own walls.
It’s easy to understand why. Each week seems to bring another account of organized criminal syndicates, sophisticated hackers and nation states utilizing the ubiquity and access of the Internet and IP-based systems to infiltrate organizations’ systems and exfiltrate information. Yet even those threats likely have an insider component, meaning that in reality the threat from within can ultimately cause greater damage.
Why are insiders such a large potential vulnerability when it comes to online risk management? So much of our lives is now monitored, tracked, traced, and stored online. An organization’s network holds more information than ever before — from our financial accounts, family history and relationships, medical records, and sensitive identifying data (like passwords, maiden names, or Social Security numbers) to professional evaluations, classified background, credit bureau data, and work histories. A gold mine of personally identifiable information exists for malicious intruders to steal.
Unlike a physical attack, where a thief could abscond with a few dozen or a few hundred partial records of employees or customers, a talented cyber-crook could use an inside accomplice to make off with thousands or even millions of thorough files on an innocuous-looking storage device no bigger than a pack of playing cards, or even a matchbox.
And when a hacker has someone inside the organization, their chances of successfully stealing data are significantly higher, because the insider is more likely to know where the organization keeps its crown jewels and what security measures need to be bypassed. The insider is also more likely to have passwords, facility access, access to a networked device, even privileged or administrative user access — which can grant access to a much wider array of data than a normal user has. It can even allow them to alter or exfiltrate the organization’s information to a storage device or an outside network without suspicion.
Even in the common case of an unintentional inside threat — where an insider or their credentials are compromised without their knowledge and consent — an extensive amount of damage can be done. Typically, unintentional compromise happens when an employee opens an attachment, accesses a site, or even uses a personal (non-approved) computing device on their organization’s network. All of these scenarios can potentially open the door to malicious intruders. Unlike a paper file that might go missing, a digital record that is carefully copied and whisked away over the ether might not be recognized as compromised for weeks or months, even years.
The growing volume of ‘big data’ and the exponential growth of mobile and interconnected devices only exacerbate the problem. The constant stream of data makes it extremely hard to pinpoint a data breach in a sea of legitimate and appropriate data sharing. It is difficult for even the most tuned-in risk managers to hear the signal in all the noise. When there is no edge of the network, as is becoming increasingly common in many organizations, how do you know when your data has been compromised?
For organizations that lack a more tailored response to insider cyber-risk, the National Institute of Standards and Technology offers its own voluntary cyber security framework, which can be accessed online at the NIST website. This framework outlines plans for prevention, detection and remediation in these cases.
One-and-done training or one-off preventative measures cannot, on their own, solve cyber-risk and insider threats. Instead, organizations must take a layered and over-arching approach that provides defense in depth. Other tactics to consider include segmenting off the most sensitive information, and putting the employees with the greatest access under the highest scrutiny. Finally, if a breach does happen, it is imperative for organizations to have a playbook in place so that every person who needs to be involved in the response and remediation — including IT and physical security managers, legal, and human resources — knows their role and can execute it.