Internal cyber attacks against companies are an increasing threat that costs tens of billions of dollars a year worldwide, can destroy companies, and sink the careers of many senior executives, warn Professor David Upton, of Saïd Business School, and Professor Sadie Creese, of Oxford’s Global Cyber Security Capacity Centre, in a new Harvard Business Review article.
Their study found that while many organisations are intensifying their defences against external attack, these widely used safeguards are often ineffective against attacks involving insiders. Insiders, whether employees, suppliers, or other companies legitimately connected to a company’s computer system, pose a more pernicious threat than external attackers.
Cyber attacks on corporations are on the increase. The 2013 cyber attack on Target, in which Russian thieves compromised point-of-sale information, made headline news: it left the company with a potential loss of $420 million and affected 70 million customers. What is less well known, however, is that the attack came through an unwitting vendor who had authorised access to Target’s computers, and who was therefore an insider in Target’s ecosystem.
Over the past two years Professor Upton and Professor Creese have led an international research project whose goal is to provide a significant step change in insider threat prevention and detection so that companies can be better protected. The study found that many managers were ignorant of the threat of insider attacks and of the risks they pose: fraud, sabotage, intellectual property theft, and corporate terrorism.
The key to reducing their vulnerability, they say, is to adopt the same approach companies applied to improve quality and safety at the end of the last decade. They recommend removing the reliance on the IT team and making it everyone’s responsibility to ensure critical assets are protected, and propose five steps that managers should implement immediately to reduce the risks:
1. Adopt a robust insider policy. Introduce a clear and concise policy to address what people must or must not do to deter insiders who introduce risk through carelessness, negligence or mistakes. The rules must apply to all levels of the organisation and employees should be given tools to help them adhere to the policy (such as on-screen warning messages). The policy should regularly be reinforced with information sessions and internal communications campaigns.
2. Raise awareness. Be open about likely threats so staff can detect them, and customise training to take into account the kinds of attacks they might encounter, such as phishing: phony emails that trick staff into sharing personal details or access codes, or into downloading malware when a link is clicked. Encourage employees to report unusual or prohibited technologies or behaviour, such as the use of portable hard drives or requests for confidential data files.
3. Look out for threats when hiring. Adopt screening processes and interview techniques designed to weed out potential threats before they become privileged members of staff. Examples include criminal background checks, looking for misrepresentations on resumes, and techniques that assess a candidate’s moral compass. During the interview process managers should also assess cyber-safety awareness.
4. Employ rigorous subcontracting processes. Organisations must ensure that suppliers or distributors don’t put them at risk or create a back door into their systems. It’s therefore imperative that managers seek out partners and suppliers that share the same risk appetite and culture, and audit them regularly to ensure practices are maintained; if necessary, screen their employees for criminal records, check candidates’ employment histories, and monitor access to the organisation’s data and applications for unauthorised activity.
5. Monitor employees. The researchers recommend using readily available security software to monitor employee activities, such as which websites they access; this yields important information that helps detect danger. Regular risk assessments will identify the source of any threat, the vulnerable employees and networks, and the possible consequences if a risk becomes a reality.
“We have burglar alarms installed to prevent people breaking into our houses,” said Professor Upton. “But it’s the people we let through the door that are the problem. It’s the same for organisations. The principles used to defend against external threats just don’t work with insiders. In recent years businesses have been letting more people into their houses – be it through the use of cloud services, Google drives, employees bringing their own devices to work, or through the proliferation of social media and use of big data. Though these people may have a legitimate access to an organisation’s cyber-assets, the scope for them to exploit this or be exploited is hugely increased.”
“We found wide-scale global ignorance of the nature of the threat organisations face from internal attack, leaving corporate assets vulnerable, jobs and bonuses insecure, and reputations at risk,” said Professor Creese. “We are now expanding the initial survey of 35 companies to 5,000 which will enable us to develop models to detect threats more accurately, faster and earlier than current solutions, and to help us develop education and awareness materials to help transfer knowledge and management skills to stakeholders.”