How MSPs can help businesses identify insider threats


COVID-19 has affected the security posture of many organisations. Partly resulting from the need to shift workloads to the cloud, there’s been a surge in ransomware attacks.

While the sums that hackers demand have roughly stayed the same, the average cost of downtime has doubled and is now 50 times greater than the ransom itself, according to recent findings. Consequently, four in ten MSPs have seen their clients hit by downtime that almost crippled their business. Insider threats are certainly contributing to this ransomware problem, and they are only likely to increase over the next year.

A mole on the inside

Insider threats normally come in two forms. The first involves a colluding insider who’s being forced, or paid, to share information or execute illegal acts. For example, an employee on a £34,000 salary could be lured by a cyber criminal to facilitate an attack by - seemingly unintentionally - opening a bad link, installing software or providing access to business information for a promised payout of £200,0000. If the employee believes it’s possible not to get caught, they might feel the action presents a fairly low risk for a large reward.

This scenario may sound like the storyline of a low-budget film, but only last summer, Tesla made the headlines when a ransomware group approached one of its employees with an attempted bribe. According to reports, the group offered the Gigafactory employee $500,000 in cash in return for installing malware on Tesla’s network, using either a USB drive or an email attachment. Luckily for Tesla, the employee turned down the offer and alerted his employer instead – but this story is a cautionary tale for other organisations.

By far the largest proportion of insider threats, however, are accidental. Coming from employees who aren’t being intentionally malicious, they’re down to user error or sheer lack of knowledge - with users making basic mistakes that leave the door wide open to attackers.

One example is an employee reusing credentials across personal and business accounts. Recycling passwords is, of course, never a good idea; having the same password for an online gaming site and access to the work computer is downright reckless. The gaming site is hacked, the harvested credentials are sold on the dark web, and they end up in the hands of a would-be attacker, who uses them to phish for elevated access rights within an organisation and launches his successful ransomware campaign.

The attack might have been thwarted had the organisation implemented two-factor authentication or encouraged the use of secure password managers, making them available for employees’ personal use, too. Education, training and clearly communicated security processes go a long way in preventing these types of attacks.

Monitor for signs of mistrust

A first step is to identify which staff members are potentially most open to bribery because they’re financially vulnerable. Law and finance firms routinely perform credit checks on candidates and are legally required to do so. Other businesses might also consider asking for permission to run a credit check before offering someone a job.

The second step is to have a formal employee engagement programme in place to measure and improve employee satisfaction. Track comments made about the organisation on social media, and make sure employees understand what information not to share. Social engineering tactics used by attackers often focus on disgruntled employees, so know who is at risk and, if needed, increase monitoring of that user’s endpoints. Lower the threshold for triggering security alerts – for example, when USB drives are connected or traffic to unusual IP addresses is detected.

Thirdly, carefully monitor shadow IT to understand where data is entering and leaving your client’s environment. Put controls around any tools accessed by employees, including chat platforms that haven’t been permitted for use. Collaboration tools such as Microsoft Teams and Slack have seen a surge in popularity, but pose a new risk because most users will automatically assume that the content they receive and share on these platforms is safe.

Finally, make sure users are fully aware of the security controls that are in place. Instead of creating fear, explain how threats are monitored for the protection of both the business and its employees. Train users to forward anything suspicious to the security team for examination, and create a culture where it’s safe to admit that you have fallen victim to phishing. The security team can reset stolen credentials within seconds, stopping any follow-on attacks in their tracks.
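The lowered alert thresholds for at-risk users described in the second step can be expressed as a per-user risk tier applied to endpoint events. The Python below is an added example, not part of the original article; the event fields, tier names, threshold values, user names and network ranges are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed policy: event count per user (within one review window) that raises an alert.
THRESHOLDS = {
    "standard": {"usb_connect": 3, "unusual_ip": 5},
    "elevated": {"usb_connect": 1, "unusual_ip": 1},  # lowered for at-risk users
}
# Assumed destinations the client normally talks to (private and documentation ranges).
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

def classify(event):
    """Return the alert category for an endpoint event, or None if it is expected."""
    if event["type"] == "usb_connect":
        return "usb_connect"
    if event["type"] == "net_conn":
        dst = ip_address(event["dst"])
        if not any(dst in net for net in KNOWN_NETWORKS):
            return "unusual_ip"
    return None

def evaluate(events, risk_tiers):
    """Raise one alert per (user, category) when the user's tier threshold is reached."""
    counts, fired, alerts = Counter(), set(), []
    for event in events:
        category = classify(event)
        if category is None:
            continue
        key = (event["user"], category)
        counts[key] += 1
        tier = risk_tiers.get(event["user"], "standard")  # unknown users get the default
        if key not in fired and counts[key] >= THRESHOLDS[tier][category]:
            fired.add(key)
            alerts.append({"user": event["user"], "category": category, "tier": tier})
    return alerts

# Constructed sample events; user names and addresses are illustrative only.
SAMPLE_EVENTS = [
    {"user": "alice", "type": "usb_connect"},
    {"user": "bob", "type": "usb_connect"},
    {"user": "alice", "type": "net_conn", "dst": "198.51.100.7"},
    {"user": "bob", "type": "net_conn", "dst": "192.0.2.10"},
    {"user": "bob", "type": "net_conn", "dst": "203.0.113.9"},
    {"user": "alice", "type": "usb_connect"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, {"bob": "elevated"}):
        print(alert)
```

With only "bob" on the elevated tier, the same activity that stays silent for "alice" produces two alerts for "bob", which is the effect of lowering the threshold for a specific user rather than for everyone.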

Ultimately, minimising the insider threat comes down to ensuring your staff are happy, well-paid, and security-aware. A high level of transparency encourages everyone to adhere to security standards. And for those few with malicious intent, knowing that they may get caught will make them less likely to agree to risky behaviour.

Ryan Week is CISO at Datto