The most dangerous hacker: your colleague
Chinese or Russian hackers may be targeting your data, but they are far from the only or even the most important threat to your company’s cyber security. Most organisations fall victim to considerably more mundane techniques such as social engineering via phishing, or even insider threads. In the latter case, the threat comes from within, but that doesn’t necessarily mean that your business has to contend with a malicious mole. Nonchalance or ignorance are just as great risks. How do you arm your organisation and your employees against this?
A study by IBM Security conducted by the Ponemon Institute shows the reality of insider threats. The 204 organisations surveyed all faced an insider threat at least once in 2019. Since 2016, the number of cases of insider threats has tripled and the cost has doubled.
Fraudulent smugglers and victims of hacking
The term is very broad: an insider threat is any digital threat that comes from inside your company. You may have to deal with a disgruntled employee who wants to smuggle out sensitive data such as trade secrets and intellectual property. It doesn’t have to be a secret agent. Someone who joins the competition is more realistic. Or perhaps an enterprising colleague might get it into his or her head to earn a few extra bucks by mining crypto coins through the company server. Even leaving aside the security problems, the electricity bill is a problem in itself.
Reality is often more boring. Think of an employee who gets caught by an external attacker, and sends false information or adjusts billing information in good faith so that the next payment to a supplier ends up in the criminal’s account. Perhaps a hacker abuses your colleague’s mailbox by logging in using the simple password that he or she has been using everywhere for 20 years, and which has since been circulating smoothly on the dark web. The attacker doesn’t even have to be a seasoned hacker: a thief can steal a company laptop on the train and do some insider damage.
The right security tools
Unfortunately, it is all too easy to imagine realistic scenarios in which your company’s security is threatened from within. This is worrying, because the internal security of many companies is not designed for this. From an IT security point of view, security is still too often at the perimeter: there is a large digital wall around the company, but whoever gets through the gate has virtually free rein. From a human point of view, employees are for understandable reasons less suspicious when they receive an e-mail with a question from a colleague.
The solution is also on two fronts. On the technical side, it is important to secure not only the perimeter of your organisation, but also sensitive data, endpoints and the network. Make sure employees have clearly defined roles, with only the necessary access rights. Not everyone should be able to log in from home to the server containing company secrets, and the intern who comes to organise digital photos certainly does not need access to the supercomputer in your basement. Important files can be monitored with the right software. This way, an alarm goes off when someone tries to exfiltrate data via an external hard disk or an e-mail to a personal address. Various security specialists, but also Microsoft itself, have handy software for this.
Training and testing
Technical solutions mainly help against rogue insiders who really have bad intentions. For other forms of insider threats, it is important to raise the awareness of your employees. That is easier said than done. A threat can indeed come from anywhere, but a culture of deep-rooted mistrust of your fellow employees around the coffee machine brings its own problems. Fortunately, there is a middle way.
Get an email from your colleague asking to update the billing details of an important client? Then take a walk to his or her desk, or make a quick call via Teams or Zoom to confirm. Is someone asking for access to certain files or a server? Then think about why they’re asking, and double-check with a manager and the colleague in question. There might be a good reason why the person has not been given access by IT.
You don’t create such awareness through a single seminar. Organise training and test people on a regular basis, so that double-checking becomes a reflex in cases where money or sensitive data are involved. Everyone must realise that information is not necessarily reliable, just because it comes from a reliable e-mail address. Emphasise that the aim is not to mistrust your colleagues, but to work together to ensure that a sneaky attacker does not steal the team-building budget and the blueprints for a revolutionary new electric scooter.