[BreachExchange] A company’s biggest cybersecurity threat is often inside the building

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 8 20:42:46 EST 2017


http://www.information-management.com/news/security/a-companys-biggest-cybersecurity-threat-is-often-inside-the-building-10030875-1.html

Think about cyber threats and most people picture sinister, anonymous geeks
feverishly typing away in a dark room as they hunt for confidential data or
strive to disrupt critical systems. But while there is truth to that image,
and an all-too-real peril, a more common and challenging security danger
may be sitting in the next cube.

The threat from insiders with authorized access to the network has become
as significant as bad actors breaking in from outside. From malware
inadvertently installed by naïve employees to stolen data to just plain
carelessness with access privileges, internal security risks are on the
rise.

A combination of factors is responsible for the new environment in which
employees pose a cybersecurity risk as treacherous as hackers – the
blurring of network boundaries brought about by cloud services, the
Bring-Your-Own-Device (BYOD) trend that gives employees the flexibility to
stay connected through their personal devices, and the rise of more
sophisticated attack methods.

And the offenders aren’t always disgruntled or deceitful employees bent on
ransacking the company’s systems; in fact, they seldom are. In most cases,
the damage occurs unintentionally or negligently, such as an employee
accidentally installing malware by clicking on a link in a fraudulent email
or workers sharing passwords to save time.

What it all means is that companies need to think differently about their
cybersecurity posture, putting as much emphasis on dangers from inside the
organization as they traditionally have placed on guarding the perimeter.
This shift has ramifications for a wide swath of the security ecosystem,
including budget priorities, product choices and employee training.

Vividly illustrating the evolving hazard, 2016 was rife with episodes where
insiders unwittingly compromised sensitive data. A few examples:

- A hacker masquerading as Snapchat’s CEO emailed the company’s payroll
  department requesting information for current and former employees. A team
  member didn’t realize it was a phishing scam and disclosed the data to the
  intruder, affecting approximately 700 workers.

- Claims administration software provider Systems Software suffered a breach
  that wasn’t carried out by hackers but was the result of an internal error
  during a system upgrade in which data storage was set up improperly and the
  information was made available on the internet.

- In one of the year’s most notorious cybersecurity incidents, a trove of
  emails was hacked from the accounts of the Democratic National Committee
  and Hillary Clinton’s campaign chairman, John Podesta, and provided to
  WikiLeaks. It has been widely reported that Podesta was tricked by a
  phishing scheme – a fake “account reset” email purporting to be from Google.

As these events show, malicious employees are often not the biggest threat.
Rather, it’s reckless or sloppy ones who too easily fall for phishing scams
or bend security rules to cut corners and get their jobs done faster.
Examples of the latter could include sharing a username and password with a
co-worker, giving him or her unauthorized access to data, or using the same
password on multiple sites.

On the network perimeter, separating unapproved from approved users is
usually an either-or question (and most security products reflect that
paradigm). There are only so many ways for intruders to get in and, once
they do, it’s straightforward to track where they’ve gone and what they’ve
done.

In the internal network, identifying what is good or bad is a much
different endeavor. The internal network isn’t segmented in the same way;
it’s more open so employees can get their jobs done. IT sets
authorizations, but employee behavior can change for various reasons –
change in department, project, role, location, etc. And it’s hard to detect
what’s malicious and what’s not.

As companies become more aware of the internal threat, they should adopt a
strategic plan that pays equal attention to this class of cyber risk in
budgetary, staffing, product and services decisions.

They also should do more to engage employees themselves. That means more
effective training – specific and relevant to the user – and real-time
feedback when an employee does something he or she shouldn’t.

Company leaders today should make sure their corporate cultures reflect a
belief that security is everyone’s responsibility, not just the security
team’s.

Whether it’s a disgruntled employee with malicious intent or a careless
employee tricked into installing malware or even business partners that
don’t follow security policies, companies must understand the threats
lurking inside their enterprises and make addressing them a top priority.