How to destroy a company from within
A series of reports finds that the insider threat is perceived to be the greatest, with 49 per cent of IT security professionals more concerned about internal threats than external ones.
It’s normally elite hackers that grab the headlines, usually with another high-profile breach of a household name - see TalkTalk, Yahoo and the UK’s National Lottery, to name a few from recent weeks alone. However, the people within your organisation are often just as likely to cause you security issues, as a new report has quantified.
The researchers found that 49 per cent of IT security professionals surveyed are more concerned about internal threats than external threats. More specifically, malware installed accidentally by employees was the top concern of respondents (73 per cent), ahead of stolen or compromised credentials (66 per cent), stolen data (65 per cent), and abuse of admin privileges (63 per cent). Given the rise in ransomware of late, that first figure is certainly understandable, although the abuse of admin privileges is a slightly more knotty problem.
Interestingly, the gullibility of employees was assessed recently by another team of researchers, who found that while the public perception of a scam victim is someone older, poorly educated and with lower earning power, the reverse is often actually the case. The Better Business Bureau study found that 69 per cent of online scam victims are under 45, and that millennials are far more likely to get conned than baby boomers. This last statistic is thought to be due to a psychological condition called the “invulnerability illusion”. In this case, younger people are more comfortable with the online environment to begin with, and, bolstered by the assumption that the old and stupid are the most at risk, they accidentally download malware the most regularly - like the “good drivers” who proved the most resistant to wearing seatbelts.
Overall, the researchers for Dimensional Research found that the vast majority (87 per cent) of security professionals were kept awake at night by these naive individuals (38 per cent) or employees who bend the rules to simply get their jobs done (49 per cent), rather than nation state sponsored super hackers. Interestingly, a mere 13 per cent are worried about malicious insiders deliberately wrecking the farm. Of course, this last case is much harder to protect against, as this interesting tale of a fake website defacement illustrates.
As Ilia Kolochenko, CEO, High-Tech Bridge said: “In the past, I have already written about professional Black Hats and cyber mercenaries using DDoS attacks to hide major data breaches, but cybercrime’s brand theft committed by insiders is a relatively new and probably an emerging trend we didn’t observe a lot in the past.
“The scope of digital attacks, their vectors and sophistication become more and more complicated these days; however, do remember that corporate cybersecurity is not rocket science and can be managed pretty well using a common-sense approach.”
Perhaps more tellingly, the report found that security pros are seriously struggling to respond to internal threats as a whole, with 91 per cent reporting that insiders have access to systems they shouldn't, and 70 per cent saying they can't effectively monitor privileged user activities.
The clear trend among security professionals is to report that security risks coming from inside the organisation are on the rise. More than half (57 per cent) say that insider threats have increased over the past few years, with only 9 per cent saying that the trend is decreasing. Interestingly, among the 9 per cent who said their insider threats are decreasing, most reported that they use tools to automate discovery of and response to insider threats, possibly indicating that a recent investment in such solutions is driving that decrease.
In a final note of light desperation, although 95 per cent provide end user security training, only 10 per cent believe that it is very effective. A savage condemnation of the training budget spend, if nothing else...