In April, Verizon released its 2016 Data Breach Investigations Report, an annual publication which provides analysis on some of the most important trends in digital security.
Verizon's researchers studied 64,199 security incidents and 2,260 confirmed data breaches. Overall, they found that external actors were responsible for approximately 80 percent of those breaches included in the report's dataset. Internal actors caused most of the remaining breaches, though partners and collusion were also behind a few.
The notion of an insider threat might come as a surprise to some organisations. In an employer's ideal world, employees would take an active interest in doing what is best for the company. That would include helping to grow the business and advancing its information security posture.
But that's not always the case in the real world. Some disgruntled employees are more interested in sabotaging a company, whereas others simply don't care what happens to a business' sensitive property and information. Given those motivations, it's no wonder insiders caused so many data breaches in the past year.
If companies want to protect themselves against insider breaches, they need to understand how employees can undermine the security of their information. Uninformed insiders pose a serious risk to your organisation's data, it makes sense for companies to invest in staff training and eLearning solutions, to improve awareness and reduce these risks.
Here are 10 employee-based IT security risks for which employers should keep an eye out.
One of the biggest threats confronting organisations today are internal attacks. Cortney Thompson, CTO of Green House Data, elaborated on this statement for CIO:
"Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers and admin accounts, can cause serious damage…. There were rumours that the Sony hack was not carried out by North Korea but was actually an inside job."
According to Verizon's DBIR, just over a third (34 percent) of all malicious insiders are motivated by financial gain, though some (24 percent) leverage attacks to conduct espionage for a nation-state. Most of these bad actors fall into one of three categories: end users (33 percent), leadership roles (14 percent), or jobs with elevated privileges (14 percent).
Disgruntled employees steal data, code, intellectual property, and other sensitive information. They can also use a variety of tools such as email, USBs, FTP, screen shots, and mobile devices to pursue their nefarious goals, as noted by Ernie Hayden on SearchSecurity.
Insider attacks are not the same as insider misuse. Whereas perpetrators of the former intentionally seek to cause harm to an organisation, those guilty of the latter often misuse an organisation's computing resources by accident. Even so, as observed in an article published by Computer Economics, that doesn't mean insider misuse poses any less of a threat to a company.
Employees might engage in insider misuse by intentionally or accidentally engaging in unauthorised behaviour, such as by copying files to portable storage devices, using remote access programs to log into their work emails from another location, or downloading media content from questionable websites. They might also decide to use their personal computing devices for business purposes when they are strictly prohibited from doing so. Any of these actions could compromise corporate information, infect parts of the production network with malware, or cause other harm to the organisation.
In misusing IT assets, employees might inadvertently violate their companies' bring your own device (BYOD) policies.
Jason Cook, CTO & vice president of Security, BT Americas, said this risk becomes even more prominent if employees have the ability to access corporate data on their personal devices:
"Data theft is at high vulnerability when employees are using mobile devices [particularly their own] to share data, access company information, or neglect to change mobile passwords. According to a BT study, mobile security breaches have affected more than two-thirds (68 percent) of global organisations in the last 12 months."
As organisations embrace BYOD, they must find a way to address the greater risk exposure from mobile devices with unpatched software vulnerabilities and/or applications capable of installing malware onto the corporate network.
Phishing attacks pose one of the greatest IT security risks to organisations. With a simple click, an unsuspecting employee could surrender their credentials and grant attackers access to the corporate network.
Over the past year, Verizon's researchers spotted 9,576 phishing incidents, 916 of which confirmed at least some data disclosure. In 30 percent of those incidents, the target opened the phishing messages. They took an average of one minute 40 seconds to open the email and three minutes 45 seconds to click on the malicious attachment.
Depending on an organisations complexity, employees might need to access multiple online accounts on a regular basis. An organisation might therefore require their employees to frequently change their passwords in order to strengthen the security of those accounts.
That kind of policy doesn't always work in the best interest of an organisation, however. Without a password management system, employees who need to constantly come up with new login credentials will often choose weak passwords that attackers can easily guess or brute-force. Those malicious actors can then use those credentials to gain access to the corporate network and cause all kinds of damage to the organisation.
Employees can cause damage to an organisation not only by using personal devices for work but also by making personal use of a work device. That includes browsing to unsafe websites.
Security and network solutions provider Blue Coat found that one in every 20 employees in the United States has accessed adult content on a work device. The ratio is even greater for China at one in five.
While it's inappropriate for employees to view adult content on a work device, it's also extremely dangerous. Many pornographic websites hide malicious content within their URLs, which means a user could install malware onto the corporate network by clicking on a pornographic link.
The same can be said about sites that offer pirated software and movies, as Steinberg points out:
"A lot of them are actually in the business of putting malware onto computers. So it's not just the blocking for the sake of preventing the employee from doing something wrong; it's also preventing damage to the businesses computers and potentially data."
Along with visiting inappropriate websites and clicking on suspicious links, employees might install rogue programs onto their computers.
For example, if an employee needed to convert a Word document to a PDF, they might decide to install a free converter program onto their computer. That program might in actuality be a malicious tool that logs all of the user's keystrokes or installs other unwanted software onto the computer.
In some instances, the rogue converter application will send a copy of each document it receives to a random server operated by a group of attackers. Documents containing sensitive information can then be sold on the dark web or used to hack into the organisation's network.
Like most online users, employees love to log into their social media profiles. But where they sign in and what they post could pose a threat to organisations.
To illustrate, frequent users of social media are familiar with shortened links. Companies use URL shortening services to help track link click-rates on social media. However, as shortened URLs don't disclose information about their true destination, attackers also use them to trick users into visiting a malicious website. If an employee clicks on such a link while logged into one of their accounts on a work device, that could spell trouble for the organisation's network.
Additionally, what employees post on social media could pose a threat to organisations. For example, if an employee posts detailed information about their job on a social media site, an attacker could use that information to create a spear phishing email that seeks to steal their corporate credentials. Employees might also post pictures that inadvertently compromise sensitive information about the organisation, such as by putting up a selfie that includes a partial snapshot of a document containing the organisation's financial information.
Employees are not the only ones who pose a threat to an organisation. Contractors working for third-party services can also jeopardise a company's sensitive information.
Matt Dircks, CEO of Bomgar, expanded upon this point for CIO:
"As technology becomes more specialised and complex, companies are relying more on outsourcers and vendors to support and maintain systems. For example, restaurant franchisees often outsource the maintenance and management of their point-of-sale (POS) systems to a third-party service provider. [T]hese third-parties typically use remote access tools to connect to the company’s network, but don’t always follow security best practices. …[T]hey’ll use the same default password to remotely connect to all of their clients. If a hacker guesses that password, he immediately has a foothold into all of those clients' networks."
It's no wonder then that contractors without any malicious intent have caused some of the most expensive breaches to companies of all sizes, especially those that don't normally vet companies before granting them access to their network.
Employees are positioned at the front lines of an organisation's defences. As a result, they will likely be the first ones to identify a malicious insider, to come across a new phishing scam, or to spot suspicious behaviour on their BYOD device.
That doesn't necessarily help the organisation, however. Even if an employee doesn't fall for an attack, they might be complacent and not say anything. Doing nothing means another employee could fall victim to that same ploy or that malicious activity could proceed unchecked.
To check the dangers of complacency, organisations need to make sure employees take an interest in proactively reporting threats to its IT teams. That will help organisations spot threats early on and formulate a response before it's too late.
Clearly, employees can pose a series of IT security risks to an organisation. That's why security awareness training for all employees is key. Ongoing education can not only help employees successfully spot a phish, create stronger passwords, and avoid browsing to suspicious websites. It can also help them understand the organisation's corporate polices when it comes to BYOD, threat mitigation, and use of social media during the work day.
More and more organisations are turning to off-the-shelf training solutions to instruct their employees about information security and compliance issues. These solutions offer companies the ability to roll out employee training quickly and at a lower cost than if they were to develop a security training program in-house.
Metacompliance, an organisation that specialises in cyber security and compliance training software can assist security professionals to manage insider threat mitigation and educate employees to protect company assets. To achieve positive and lasting changes in staff behaviour the Metacompliance team would recommend their cyber security and compliance awareness eLearning modules.
Learn more about how the Metacompliance eLearning solutions can help your company reduce the cyber security risks posed by employees.
You Should Also Read: