For enterprise-level organizations, it’s no longer enough to protect data and systems from nefarious external agents. Organizations must also implement defensive measures to protect themselves from something much closer to home: insider threats.
Internal cyber attacks happen inadvertently or on purpose. We want to share the four types of insider threats and some defensive measures that help organizations reduce the risk of these threats.
Two types of accidental insider attacks
Instead of jumping into a zero-trust environment that’s so restrictive it hampers productivity and user-experience, remember that most of your employees and trusted partners do not have malicious intent. Inadvertent or unintended insider attacks happen because the insider is oblivious or negligent.
An oblivious attack is when someone with access to company information is compromised by an outside agent but doesn’t realize it. This can happen when someone leaves a company device unattended or uses unencrypted Wi-Fi on a company device.
A negligent attack is when someone bypasses a security protocol, often to speed up a work process or because of a lack of knowledge about the security protocol. When employees lack proper security training, they’re more vulnerable to phishing and spear phishing attempts.
Two types of intentional insider attacks
The two primary types of intentional insider attacks come from malicious and professional attackers.
A malicious attack comes from an insider who becomes disgruntled and goes rogue to get even with the company for a real or imagined offense. This could involve stealing data or sabotaging a company network or system.
A professional attack comes from an insider who is a career thief. This involves exploiting system vulnerabilities for profit.
External attacks through the inside
While blunt force attacks remain a common threat at the gates of any firewall, there are also ways for malicious actors to attack your company through the inside. Called social engineering attacks, a hacker might impersonate someone at an organization via stolen credentials, stolen information or supply chain attack. A smart air conditioning unit, for example, might be connected to an organization network, creating a third-party backdoor vulnerability bypassing frontline defenses.
Five ways to minimize the risk of insider threats
With all these foxes in the hen house, organizations are wise to take a defensive approach to insider threats.
- Get the Board on board – Even in 2019, it’s common for boards to not ask about or understand cybersecurity. Rafael Narezzi, a prominent Cyber Security Strategist, suggests that everyone on the Board of Directors must “understand what [cybersecurity] is. Not in deep technical talk but the consequences for the business if they don’t act.” When the Board and senior leadership team understands the cost and consequences of cyber threats, there will be more support for cybersecurity initiatives.This lack of attention is more common than you’d probably guess. PwC’s Global Economic Crime and Fraud Survey 2018[i] found that less than half of surveyed organizations had conducted a cybercrime risk assessment. This is despite cybercrime being one of the top three most reported frauds!
- Use an effective and user-friendly encryption solution – It’s imperative that organizational data is secured because so many insiders have access to it and sending that sensitive information to clients, vendors and partners is a regular part of doing business.Features to look for in an enterprise-level encryption solution include:
- Automatic encryption policies that apply encryption under defined circumstances (such as when certain information or keywords appear in an email).
- Multiple flexible delivery methods for different types of secure encrypted communications that allow the sender to control how a message is sent and whether to include features like a time limit.
- Easy and frictionless user experience for employees and customers.With a frictionless user experience—for example, with the Echoworx One World encryption platform—employees are less likely to bypass security protocols because they’re built into regular workflows and don’t make security a burden for senders or recipients.In addition to reducing risks to insider threats, there are financial benefits to adopting a flexible, frictionless encryption solution. A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization can enjoy $2.7M in cost-mitigating benefits through employing our flexible OneWorld encryption solution. Get the full Forrester Total Economic Impact™ study of OneWorld now.
- Educate staff on cybersecurity – Even though employees know why they shouldn’t open attachments and click links from strange emails or use “p@ssw0rd” as a password, they’re still vulnerable to attacks because cybercrime is increasingly sophisticated. To change that, make sure all employees take part in regular and effective cybersecurity training that helps them understand why it’s important, how to implement security measures at work and how to spot sophisticated phishing and spear phishing scams.Training can include tests and tricks. A good trick involves sending a fake phishing attempt to staff to reinforce real-world lessons from the cybersecurity training.
- Build security into all products and processes from the start – Train developer teams to create products that are secure by design. Frédéric Virmont, a cybersecurity industry expert, says, “Security is like quality; it must be from the beginning to the end of the life cycle. For developers, now we have tools where they can code and check security along the way. If you wait until the end of the product, it’s too late. Once the house is built, it’s too late to add emergency exits.”This idea includes permissions architecture. A non-secure design gives all users access to more data than necessary. To be security minded, create a permissions architecture that gives access based on needs and roles. For example, the chief marketing officer wouldn’t have the same permissions as customer service agents.
- Make cybersecurity the path of least resistance for all users – Like it or not, we do what’s easy. For organizations, this means that overly-complex data security protocols hamper adoption. Because cybersecurity methods only work when staff and customers use them, user-experience must always be considered and prioritized.Going back to the encryption example above, we’ve found that a lot of internal users are reluctant to send encrypted emails because they don’t know how to encrypt them or don’t like the spammy look for their recipient. These are two unnecessary barriers that get in the way of frictionless security and set the stage perfectly for negligent insider attacks.
Insider threats are real and a recent PwC report in the US found that 32 per cent of respondents consider insider threats costlier and more damaging than external incidents.
By taking a security approach that involves a frictionless encryption solution, security by design (and the path of least resistance) and effective education for staff and the Board of Directors, your organization can minimize risks associated with malicious and unintentional insider attacks.
Given all of the above, is why at Echoworx, encryption is all we do. Our OneWorld encryption platform and cloud security services are a natural extension to existing security programs and offers a wide range of flexible options for secure message delivery. You can learn more about the benefits of Echoworx OneWorld encryption here.
By: Brian Au, IT Specialist, Echoworx
————————
[i] https://www.pwc.com/gx/en/services/advisory/forensics/economic-crime-survey.html
