Cybersecurity threats aren’t just external

by Tony Richardson CISSP

EVER HEARD OF THE TROJAN HORSE?

Just like the infamous structure, attackers can lure unsuspecting colleagues into revealing all sorts of information. Malware can attach itself to devices employees take into work with them and end up in the middle of company IT systems, unleashing all manner of damage on them.

This example is a hybrid external and internal attack, but the moral is the same: take great care when devising and implementing cybersecurity measures. Don’t just think about threats from outside; think about threats from inside the box.

One of the most overlooked sources of cyber attacks is internal bad actors – those within your business. These events can occur with or without malicious intent; in fact, more often than not they’re simply mistakes made by an employee.

Insiders pose a unique cybersecurity threat to companies because they have access to sensitive information that can be used for malicious purposes. These individuals may also work with outside hackers when carrying out attacks, making it difficult, if not impossible, to detect what is going on inside your organisation before too much damage has been done. However, there are some steps you can take to prevent, mitigate and resist damage to your business.

What’s the most dangerous threat to your company? 

Well, if you’re clued up about cybercrime – like us – then it just might be insider threats – threats coming from within your organisation. Keep that in mind for a moment. All organisations are vulnerable because they trust employees with important information such as company data and documents about magic ingredients, and they trust fiscal departments with some direct access to company funds and accounts. What kind of mischief can take place there without being detected until it’s too late?

Answer: A lot, if you don’t take proper steps to secure your business. 

What do threats look like?

Types of Insider Threat

“Shadow IT”

The use of unapproved software and applications can create a serious security blind spot for an organisation, making it easy for any threat actor to access the company’s network or data. Applications, devices and programs that are not monitored by IT departments are often referred to as ‘Shadow IT’, and they present a huge risk because your business has no control over them.

Weak passwords and lethal links within these off-grid systems can lead to terrible outcomes.

“Social Engineering”

People often rely on the trust of others. They also expect others to experience emotions like fear, panic and sadness. These emotions can be, and are, manipulated by cybercriminals for their own gains. Requests to download malware or to reveal sensitive information about an employee’s job role can be cleverly knitted into a hacker’s communications when they’re impersonating a colleague or company official. Being wary of social engineering will help you to stay protected from such threats.

Data Sharing

Even the most die-hard fan working in your company could unintentionally share sensitive data with individuals outside its boundaries. This creates a severe risk for you, as it gives outsiders access to all sorts of secrets, private information and sometimes financial accounts.

In an even more terrifying scenario, the employee may not realise that their keystrokes are being recorded by a keylogger for any number of – usually sinister – reasons.

Unauthorised devices

In today’s world of Bring Your Own Device (BYOD), millions more employees are using personal devices to work from home. These gadgets may be inadequately secured, creating risks like malware attacks and virus infections that could affect your company data if it isn’t encrypted properly.

In other cases the victimised employee could be a real-life Trojan horse, inadvertently introducing an infected device, application or scam to your business premises when they bring their device from home, potentially wreaking havoc across the business’s systems.

Theft

Theft of devices is a growing problem in the workplace. Employees have access to an array of tools that can easily be removed from the workplace at any time, which opens the door to data breaches and cybercrime when someone takes a device without telling anyone, or returns it later with a never-ending list of excuses. Theft isn’t only a problem because of the crime the employee is committing and the likely sacking and HR work needed to replace them; it’s also a cybersecurity risk.

A 2021 report from Cybersecurity Insiders also suggests that 57% of organizations feel insider incidents have become more frequent over the past 12 months.

“We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.” 

 Dr. Larry Ponemon, Chairman, Ponemon Institute

Internal Threat mitigation and defence strategies

Training

To reduce internal cybersecurity threats, take steps to implement comprehensive training for employees. In doing so you also gain the safety and peace of mind that come with knowing your staff are trained, helping to decrease risks – especially when you consider that 95% of data breaches are due to human error.

Generally speaking, staff need to be taught about:

  • Phishing attacks – links and attachments
  • Creating strong passwords that differ across accounts
  • Never sharing passwords or devices
  • Using only trusted and secure wi-fi accounts
  • Protecting personal devices and encrypting them
  • Backing up files
  • Keeping proprietary information confidential
  • Updating technology and software regularly

Training employees about potential threats and attacks is an important aspect of securing your business.

Access Control

The goal of access control security policies is to prevent unauthorised individuals from accessing company assets. To do this, it’s important that only those who have been granted permission are allowed entry into a specific area or platform – and they should also be confined by rules about what resources they can use while there. The “least privilege” principle suggests creating a ‘hierarchy of access’. A rough framework like the following is a good way to go: limited permissions at the highest level (elevated privileges), then increasingly restricted access down through lower levels of the company until no more access privileges are available. You could decrease your risks substantially by following a similar framework.

Security Protections

The following are some of the most popular security tools that an organisation can use: antivirus software, firewalls and EDR/DLP toolkits. They will help protect against malicious insider threats from within your company’s walls. Such security systems are also great against malware attacks originating externally, or on employees’ computers outside work time, where sensitive information could be leaked.

Shadow IT audits

Shadow IT is a huge problem for companies, especially those that have lax attitudes towards the issue. A simple audit can help an enterprise understand how many shadow IT assets its employees are using and what these programs entail, so it knows whether or not it’s worth taking action against them.

Encryption

Data encryption is a must for any organization. It ensures the safety of data, especially if an employee turns malicious or some other unforeseen circumstance leads to cyberattacks on your company infrastructure. Encrypting all devices helps protect everything from emails and documents to all sorts of background files within a desktop’s folders, even after theft. Enabling remote wipes lets information security teams erase sensitive info such as usernames and passwords remotely, without having physical access, when devices are not needed. ‘Legacy’ or left-over, unused devices can leak data or provide an easy way into an organisation for hackers.

Conclusion

The risks of cybersecurity threats are real. It doesn’t matter if you have a small business or your company is worth billions; there are cybercriminals out there who want to steal from you. If the idea of having someone break into your computer and take all of your data worries you, learn all you can about it. Cybersecurity isn’t something that can be solved overnight, but it’s possible for even smaller businesses to get started protecting their digital assets with just a few steps in the right direction.

Cybersecurity threats from within your business abound, so take care out there. The threats aren’t just the ones you defend against by looking into the distance from your castle walls.