An inside job: The human factor of cybersecurity

One red employee under flashlight

As businesses continue their digital transformation, ensuring the sensitive information they handle always remains safe and secure is now a priority. However, even deploying just the latest cybersecurity applications might not enough to offer full protection.

The latest research from the Telstra 2019 Security Report makes for worrying reading as it concludes 89% of cybersecurity risks are now internal. Nearly half (48%) of businesses will experience at least one security incident each year as a result of unintentional employee action, while 74% of organisations have been the focus of deliberate and malicious employee action.

For example, Nansh0u a crypto-mining attack that has infected over 50,000 MSSQL servers since February 2019 is notable due to the fact it exploits poor security operations on the part of the victims. This is an excellent lesson in the danger presented by insider threats and why it's critical to have strong security practices in place.

Jonathan Care, senior director analyst, Gartner tells IT Pro: "Inside cyberattacks remain relatively rare. However, what is more common are attacks that abuse the privilege of role the salesperson with access to the customer database, the payroll clerk who can create false payroll entries, and so on. Abuse of role is the most prevalent insider attack type."

Inside threats

How businesses manage their cybersecurity has changed out of all recognition. In particular, the arrival of the EU General Data Protection Regulation (GDPR) focused the attention of many businesses on their current customer security policies and how they are implemented. However, these actions often continue to focus on external threats, rather than those that come from within their organisation.

Given the impact a data breach can have both financial under GDPR and reputational in terms of bad press and loss of trust security protocols must consider the potential harm from insider incidents.

Professor Steven Furnell, senior IEEE member and professor of information security at Plymouth University advises: "We can see inadvertent breaches occurring for various reasons, including inappropriate sharing of information, setting incorrect permissions, sending misdirected emails, loss of devices, and lacking an understanding of data sensitivity."

New security

Insider threats can be accidental or malicious. For example, the recent data breach at Equifax, which saw the personal records of nearly 146 Americans compromised was caused by the actions of just one employee. The lack of oversight of this lone worker who failed to follow security protocols is a stark reminder that no matter the size of your enterprise, insider threats continue to be a clear and present danger to the security of sensitive data.

Another example saw a Microsoft employee abuse their test account credentials to steal $10 million in-store credit and bought some goods with the stolen credit and then sold the rest. In July a software engineer working for a suburban Chicago locomotive manufacturer was indicted by the US Dept of Justice for stealing proprietary information from the company and taking it to China.

Speaking to IT Pro, Richard Gold, director of security engineering at Digital Shadows, explained: "Unintentional insider breaches happen due to human error. Many data leaks have been observed recently from data sources such as Amazon S3 buckets or Mongo databases due to a misconfiguration of the access control permissions. In May 2019, 800 million records were leaked from an enterprise email validation company due to a misconfigured MongoDB instance. Digital Shadows has detected more than 2.3 billion files exposed across other sources like SMB, FTP, and rsync file shares."

Examples of human error that could lead to a security breach include skill-based errors. When confronted with a situation they do not know; an employee may react in a way that compromises security. Knowledge-based errors tend to occur when employees don't understand what constitutes a security risk. Opening email attachments, sending information to unknown recipients or downloading unauthorised applications from the internet are examples here.

Nevertheless, businesses and organisations are starting to wake up to the potential internal threats they face. Research by CA Technologies shows the number of companies now using behaviour analytics to alert them to potential security breaches has leapt from 42% last year to 94% this year. This kind of technology can inform businesses of high-risk employees that need additional security training (or monitoring, if malicious behaviour is suspected).

Moving the perimeter

Reasons why your staff are potentially the weakest link in your business's security are manifold. One overriding factor is too many users have access to sensitive data. Here, your security policy should limit this access and only give privileges to those that need it to do their jobs.

"We are seeing businesses taking an almost physical approach to their security," Lyn Webb, corporate security director at Deloitte explains to IT Pro. "Where an employee without access rights could not enter a physical room, a similar approach is being taken when accessing data and systems. There is a layering of security protocols to ensure high levels of data protection. And this approach is now being connected with the need to better educate employees about what constitutes good security practice."

Clare Gardiner, NCSC director for national resilience and strategy, tells IT Pro: "Cyber risk is a business risk, and organisations must be aware of all threats to their networks. By providing a range of freely available, straightforward resources, we're encouraging people of all levels to understand that cybersecurity is a team sport. We all have a part to play. The NCSC is committed to boosting the UK's cyber resilience, and we continue to publish a range of advice and guidance to facilitate the construction of more robust systems."

The inside threats to your business are real. With a security landscape that changes almost hourly, understanding how your staff fit into your security protection is vital. Deloitte's Webb adds: "I think the inside threat is here to stay, simply because of the way we operate our businesses. There are clear trends with businesses and organisations developing detailed security policies for their staff. I also see how businesses are demystifying security to make it more accessible and, therefore, more effectively across their businesses."

Most inside incidents will be innocent mistakes. Here, your business can use education to communicate your detailed cybersecurity policy to every member of staff. However, some incidents will be malicious. Balancing the use of security applications with staff education and training will enable your business to minimise the risks your company faces.

How to reduce your insider threat

Use this checklist to ensure your business reduces its cybersecurity threat from inside incidents.

  • Make cybersecurity part of business cultureEnsure that every employee takes ownership of their cybersecurity. The security across your business is not just an IT issue. Education and awareness ensure your security policy is always adhered to.
  • Use email securelyOne of the most insecure aspects of your business is email. Clicking malicious attachments is a common way to start a security incident. Ensure your staff understand the protocols around the email they use. Also, moving away from email to more collaborative platforms should be investigated to enhance your business's communication security.
  • Limit access to sensitive informationOnly those members of staff that need access to confidential information should have full login privileges. Limiting the number of staff members to only those that must have access, reduces the potential for accidental security breaches.
  • Always protect sensitive informationThe sensitive information contained in your business will be at rest or in motion. Your staff must ensure that encryption is used to ensure these databases are secure from accidental or malicious attack.
  • Secure portable devices and mediaAs more of your business's employees work remotely and use their own devices, your security protocols must encapsulate these devices. Staff must have the knowledge and skills to protect the data they are using on the move.
David Howell

David Howell is a freelance writer, journalist, broadcaster and content creator helping enterprises communicate.

Focussing on business and technology, he has a particular interest in how enterprises are using technology to connect with their customers using AI, VR and mobile innovation.

His work over the past 30 years has appeared in the national press and a diverse range of business and technology publications. You can follow David on LinkedIn.