In July 2012, General Keith Alexander, head of the United States spy agency the National Security Agency (NSA), described the theft of intellectual property occurring through cyber-crime as the “greatest transfer of wealth in history.”
But cyber-crime knows no borders, and businesses in the UK and the rest of the world are equally targeted by attackers wishing to steal information that can be resold or used to competitive advantage. While external attackers are often the cause of such information theft, a significant portion also arises from the activities of insiders – either maliciously stealing data or accidentally allowing others to gain access.
Worse, making a distinction between external and internal threats is becoming increasingly difficult and less and less relevant. External hackers are now highly adept at posing as insiders, and this change is having a fundamental impact on how CISOs approach security planning. At the same time, it’s an uncomfortable truth to accept that there are also bad actors within companies who are intent on doing harm to the business.
As a result of these dual threats of malicious employees and internal “external” threats, the best attitude for CISOs to take is to assume that they have already been breached. The most secure organisations in the world have fallen victim to data breaches from employees and from persistent, well-trained attackers. While employee breaches may occur on a one-off basis, the statistics show that once in, external attackers make themselves very much at home – often operating for a year or more posing as insiders – gathering and stealing valuable information.
So the best defence is to assume threats already exist within an organisation and work from there – monitoring and looking for anomalous behaviour and changes to systems that could indicate they are being used as part of an attack.
The latest Verizon Data Breach Investigations Report revealed some interesting insights and context to the problem of employees committing data breaches. One of the headline figures was that 14% of data breaches had been committed by an organisation's own employees. This figure illustrates the very real threat that employees pose (intentionally or not) in exposing data. In addition, the report revealed that there are certain circumstances where employees pose an even greater data breach threat.
The report highlighted that in 70% of company intellectual property theft cases, company insiders steal the information within 30 days of announcing their resignation. Such statistics reveal the value and importance businesses should attribute to monitoring privileged users. While the vast majority of employees abide by corporate rules, there is a small minority that may damage a business if they have the opportunity to do so.
A considerable amount of the data businesses hold may now fall under data protection regulations governed by bodies such as the Information Commissioner’s Office (ICO), which is increasingly punishing companies for the loss of data.
In order to avoid a breach and the penalties that go with it, one of the most important things any organisation can do is to ensure that only those with a business need can access sensitive information, and that the information is protected appropriately, ensuring that compliance obligations are met. Part of the challenge, though, is that employees often begin with very limited rights to access information, but over time acquire more and more “privileges” without those rights ever being revoked.
Employees with privileged user status need to be monitored and managed far more carefully to ensure that they aren’t abusing those rights, or that an external attacker isn’t posing as a legitimate user to steal information. Businesses that are able to monitor the activity of privileged users will be better able to spot and prevent outsiders getting in through the back door and accessing valuable resources.
A combination of real-time security monitoring tools, good access management processes, and documented access rights can significantly reduce the risk of breaches. These give IT teams the ability to quickly identify potential threats, and then take decisive action to disrupt or stop the threat, before serious harm can occur.
While this approach of more focused monitoring and better access controls is important now, it will become even more so as businesses face the big challenges that arise when their IT infrastructure becomes more mobile and moves up into the cloud. By focusing their efforts on monitoring user activity, they are less dependent on device-centric thinking that will ultimately be unsustainable as more and more of their IT platform moves out of their control.
Businesses need to be monitoring their resources in real time to ensure that they are aware of any unauthorised activity that employees are undertaking and can act quickly to stop a data breach from occurring. Employees need to be trusted to get on with their jobs; however, modern businesses need to have processes in place that minimise the risk of data breaches, whether deliberate or not, and that allow them to recover as quickly as possible if they do experience a breach. With effective access governance processes in place, businesses can ensure employees don’t score own goals.