Seven top tips on how to prevent and cope with an insider threat
By Tom Huckle, Lead Cyber Security Consultant, Crucial Academy
An inside job brings up images of bank raids and heists but in the modern world companies should be thinking just as seriously about the cyber threat coming from within their own business.
The possibility that a breach or a cyber attack could be down to an employee or former employee is growing all the time.
It could be a malicious attack from a disgruntled member of staff who has recently been sacked or who has a grudge against the business, for instance.
But more often the threat comes from the unintentional actions of untrained employees which put the business at risk and create cyber vulnerability.
It is well known that a high percentage of data breaches are down to human error or lack of awareness – and cyber predators are ready to take advantage.
Here are seven key tips to preventing an inside job – and dealing with it efficiently if the worst happens…
1 Start with the basics – train your staff to spot a phishing email
Phishing is an extremely simple scam which is easy to avoid with the correct training. However, approximately 94 per cent of malware enters a network via this method.
Phishing emails are becoming more sophisticated, deliberately targeting staff with messages that appear to be addressed to them individually from clients or suppliers. Many include attachments which mimic anything from invoices to tax documents.
Conducting fun, interesting and easy-to-implement staff training on a regular basis is key.
2 Ensure former employees do not have access to files and systems
A fired employee can be significant insider threat if they are able to access files and systems.
A Removing Access Policy and/or an Employee Termination Policy should be in place in advance. When an employee leaves the business, all access should be quickly removed. Not just to the building but to devices and software.
3 Utilise PoLP to limit access to the essentials, especially for short-term staff
When workers only stay in post for a matter of weeks or months a Principle of Least Privilege (PoLP) policy is an absolute essential.
This system sees a new arrival start with no privileges and only receive access to systems and files they need to do their job. It may seem a simple principle, but it takes planning because many security systems assign rights in groups rather than to individuals.
Businesses should map all job functions and what privileges they need – and avoid assigning privileges to guests, members of the public or those who do not need them.
4 Have a plan in place to deal with an insider incident
Companies need to be able to initiate security controls as soon as they suspect an employee or employees may be a threat to the business.
This can involve invoking or honing monitoring tools to begin to gather evidence and determining the threat and scale of the incident. Coordination with legal counsel can be initiated early to address privacy, data protection and legal responses.
Suspected employees could have their accounts frozen or they could be placed on forced leave or job rotation to allow for a forensic investigation to take place.
5 Be aware of what lack of preparation means
For those organisations without the appropriate controls in place, the scenario may play out very differently.
It can result in increased damage to the business in terms of data stolen and reputation lost. Falsely-accused employees may take legal action against a business, whilst distrust of the organisation may arise amongst other employees.
GDPR is also an important issue to consider in advance. The regulation threatens fines of up to 20 million Euros or 4 per cent of annual global turnover for businesses which suffer data breaches. It also sets out a strict time frame for the reporting of breaches – normally within 72 hours. So, it is not only vital for businesses to be GDPR compliant but also to have clear and tested procedures in place for when things do go wrong.
6 Use advance checks to reduce risk during recruitment
Thorough background and reference checks in advance of employment are some of the best methods employers can use to reduce insider threat. Always take up references.
7 Consider pros and cons of hiring external consultants to investigate internal threats
The advantage of hiring external consultants to help detect malicious employee behaviour is that they hold no loyalties or bias and cannot be influenced by people within the business.
They can also have knowledge and expertise that may not be present within the business and be able to see gaps in the business’s current cyber security policies that current staff are not aware of.
The downside is that, if the external consultants are not supported at the highest levels within the business, they can become hamstrung with internal politics. Without the authority to interview employees across the business and delve into its inner workings, they can be impeded by individuals who may not want them to advise new security controls (especially if they cause jobs losses or a restriction on current working practices).
About Tom Huckle
Tom Huckle – Lead Cyber Security Consultant and Head of Training and Development at Crucial Academy
Tom Huckle is a digital security specialist and Lead Cyber Security Consultant at Crucial Group, a professional information technology and services company providing cyber security & GDPR consulting, cyber security training and a state-of-the-art academy in the advanced technology markets.
Prior to joining Crucial, Tom was part of the Global Attack Monitoring Team at Barclays Bank, where he was responsible for cyber-attack monitoring, cyber threat hunting, proactive defence, alongside network and host intrusion detection. He also held a number of senior positions at the Ministry of Defence during his eight-year tenure as well as holding the role of cyber security consultant at Corporate Security Consultants.
After leaving University, Tom joined the Royal Marines, where he served for eight years, rising to the rank of Captain and leading teams in high risk areas including Afghanistan. In his final two years of service, Tom taught himself cyber security, gaining several qualifications including CompTIA Network+, Security+ and ITIL. Tom now applies his strategic planning and leaderships skills to helping businesses protect themselves against cyber-crime.
About Crucial Academy
Crucial Academy provides accredited courses in cyber security for those who have left the military or are currently undergoing resettlement. We then introduce them to a new career with one of our commercial partners. Located in central Brighton we have a state-of-the-art training facility to deliver our accredited courses in offensive, defensive, information assurance and threat intelligence courses. Our instructors live and breathe the skills and techniques our courses deliver, working in the sector when not teaching. The tutors are former military personnel who have been through the pathway we provide to get to where they are today.