Firms warned that cyber-security breaches could be an ‘inside job’

Cyber
Tom Huckle

Cyber security breaches at any firm could be an inside job, a cyber security consultant has warned, offering seven protective measures businesses can implement.

Tom Huckle, Lead Cyber Security Consultant at Crucial Academy, says an ‘inside job’ brings up images of bank raids and heists, but in the modern world urges companies to think just as seriously about the cyber threat coming from within their own business.

He said: “The possibility that a breach or a cyber attack could be down to an employee or former employee is growing all the time. It could be a malicious attack from a disgruntled member of staff who has recently been sacked or who has a grudge against the business, for instance.

“But more often the threat comes from the unintentional actions of untrained employees which put the business at risk and create cyber vulnerability. It is well known that a high percentage of data breaches are down to human error or lack of awareness – and cyber predators are ready to take advantage.”

Key tips to preventing an inside job – and dealing with it efficiently if the worst happens…

1 Start with the basics – train your staff to spot a phishing email: Phishing is an extremely simple scam which is easy to avoid with the correct training. However, approximately 94% of malware enters a network via this method.

Phishing emails are becoming more sophisticated, deliberately targeting staff with messages that appear to be addressed to them individually from clients or suppliers. Many include attachments which mimic anything from invoices to tax documents. Conducting fun, interesting and easy-to-implement staff training on a regular basis is key.

2 Ensure former employees do not have access to files and systems: A fired employee can be significant insider threat if they are able to access files and systems.

A Removing Access Policy and/or an Employee Termination Policy should be in place in advance. When an employee leaves the business, all access should be quickly removed. Not just to the building but to devices and software.

3 Utilise PoLP to limit access to the essentials, especially for short-term staff: When workers only stay in post for a matter of weeks or months a Principle of Least Privilege (PoLP) policy is an absolute essential.

This system sees a new arrival start with no privileges and only receive access to systems and files they need to do their job. It may seem a simple principle, but it takes planning because many security systems assign rights in groups rather than to individuals.

Businesses should map all job functions and what privileges they need – and avoid assigning privileges to guests, members of the public or those who do not need them.

4 Have a plan in place to deal with an insider incident: Companies need to be able to initiate security controls as soon as they suspect an employee or employees may be a threat to the business.

This can involve invoking or honing monitoring tools to begin to gather evidence and determining the threat and scale of the incident. Coordination with legal counsel can be initiated early to address privacy, data protection and legal responses.

Suspected employees could have their accounts frozen or they could be placed on forced leave or job rotation to allow for a forensic investigation to take place.

5 Be aware of what lack of preparation means: For those organisations without the appropriate controls in place, the scenario may play out very differently.

It can result in increased damage to the business in terms of data stolen and reputation lost. Falsely-accused employees may take legal action against a business, whilst distrust of the organisation may arise amongst other employees.

GDPR is also an important issue to consider in advance. The regulation threatens fines of up to 20 million Euros or 4 per cent of annual global turnover for businesses which suffer data breaches. It also sets out a strict time frame for the reporting of breaches – normally within 72 hours. So, it is not only vital for businesses to be GDPR compliant but also to have clear and tested procedures in place for when things do go wrong.

6 Use advance checks to reduce risk during recruitment: Thorough background and reference checks in advance of employment are some of the best methods employers can use to reduce insider threat. Always take up references.

7 Consider pros and cons of hiring external consultants to investigate internal threats: The advantage of hiring external consultants to help detect malicious employee behaviour is that they hold no loyalties or bias and cannot be influenced by people within the business.

They can also have knowledge and expertise that may not be present within the business and be able to see gaps in the business’s current cyber security policies that current staff are not aware of.

The downside is that, if the external consultants are not supported at the highest levels within the business, they can become hamstrung with internal politics. Without the authority to interview employees across the business and delve into its inner workings, they can be impeded by individuals who may not want them to advise new security controls (especially if they cause jobs losses or a restriction on current working practices).