Don’t Ignore the Insider Cyber ThreatDirector of the Centre for Cyber Security at University of Johannesburg
Company boards and CEOs are having sleepless nights thinking about the risk of cyber attacks and the impact such attacks can have on their companies. Some spectacular cyber breaches have occurred in the last few years, and many reports indicate that the risk of cyber attacks is increasing at an alarming rate. The World Economic Forum’s Global Risks 2015 Report assigns cyber attacks a rating of 5 (on a scale of 1 to 7, with 7 being a likely risk with massive impact) when it comes to likelihood and impact.
Cyber attacks come in different forms and sizes, and cyber criminals have a wide range of attack vectors they are using to compromise a company’s electronic assets.
One of these attack vectors that is easily overlooked is the so-called “insider threat.” This refers to cyber attacks against the company originating with employees.
It is important to distinguish between external cyber attacks and insider cyber attacks. External cyber attacks originate from outside the company, but may target the employees of the company. Phishing—specifically spear phishing attacks—is a well-used attack method. The targeted employee reacts and is caught by the attack mostly because of a lack of awareness and knowledge about such attacks. These employees do not originate the attack, but rather are the targets of the attacker. Often these attacks are categorized as insider cyber attacks, but that is not really correct.
Insider attacks originate from within the company, executed by a person who is in general authorized and trusted to access a company’s electronic assets. The employee himself or herself is, “the threat originating from inside.”
Insider threats are more difficult to counter and cannot be addressed by technology alone. A much more non-technical and human-oriented defense approach is required. Cybersecuring a company against insider threats is a difficult process; very often, companies do not even take insider threats into account because they are focused on stopping external intruders.
If we broadly define an insider as a permanent employee who has authorized access to a company’s information systems and electronic assets, then we are already underestimating the risk. Insiders include anyone who has logical access to the company’s electronic assets. This can include third-party contractors, visitors and temporary employees.
The biggest insider risk is probably the disgruntled employee who, for whatever reason, deliberately decides to steal and compromise his or her company’s electronic assets. Newer technologies make this so much easier; a single USB memory stick can contain a massive amount of information and is so small that the chance of preventing it from leaving the company premises is extremely unlikely. And if discovered, the employee can easily claim that he is taking it to work on the data at home.
The availability of personal cloud-based storage platforms makes it even easier to send data and information outside the company without physically having to possess it. In addition, the very popular bring-your-own-device approach is also a contributing factor when worrying about the insider threat.
Countering the Insider Threat
Implementing fail-safe countermeasures to completely prevent insider threats is impossible. So what can be done to address this insider risk? What basic countermeasures can a company have in place?
It seems logical that the more a company can trust its employees, the less it has to worry about an employee “going rogue” and becoming an insider threat. A good way to start is to do as much as possible to manage an employee’s complete employment cycle from pre-employment to employment termination.
The international standard ISO/IEC 27002, jointly published by the International Organization for Standardization and the International Electrotechnical Commission in 2013, is dedicated to specifying controls that can be implemented to create a secure information and cybersecurity environment. The standard consists of 14 security control clauses and 114 security controls.
Control clause 7 on Human Resource Security (HRS) is specifically relevant to the aspect of insider threats. This clause covers HRS with respect to security controls, organized as follows:
- Prior to employment: Here, the aspect of pre-employment screening is emphasized and solid guidance is provided on what should be covered during the pre-employment phase.
- During employment: This phase includes security awareness, education and training as well as disciplinary actions for non-conformance to security and company policies.
- Termination and change of employment: Here, the important aspect of termination of logical access rights and related matters are covered.
Clear guidelines are provided on how to implement the suggested security controls specified in the clause.
Companies should study this ISO Standard—specifically clause 7—in detail and implement the proposed security controls. This will go a long way to address aspects of insider threats.
This simple three-step approach will help any company address the potential of insider threats:
- Be aware of insider cyber threats as a significant cyber risk to the company and take them seriously.
- Although technical countermeasures do play a role, approach insider cyber threats from non-technical angle.
- Use the controls of clause 7 of ISO/IEC 27002 as the basis of the company’s approach to insider threats.