RomanenkoAlexey - Fotolia
Organisations typically overlook inside threats when considering cyber security risks, warns Carl Leonard, principal security analyst at Forcepoint.
“Many organisations are still neglecting the danger posed by the humans working inside those organisations, despite the fact this has been recognised as one of the root causes of data breaches for many years,” he told Computer Weekly.
There is nothing new in this, said Leonard, but despite that, many cyber security programmes still take a very narrow view of threats and do not address insider threats, failing as a consequence.
“Insider threats include a range of things from unintentional errors and compromised credentials all the way through malicious insiders intentionally taking data outside of the their organisation, which is all causing problems, but many organisations still have not got their head around that yet,” he said.
One of the main reasons for this, said Leonard, is that most organisations’ cyber defence strategies focus on external attackers and threats – especially malware – rather than the broader spectrum of risks they actually face.
“They are used to dealing with external attackers, malware, manipulated documents coming into their environment and dealing with security issues on endpoints, but have still got blinkers on when it comes to insider threats.
“As a result, we need a mindset shift to focus on the fact the machines and credentials that are being compromised by attackers belong to individual users,” he said.
Read more about the insider threat
- The cyber threats lurking within every company.
- As survey of 500 cyber security professionals offers insight into the state of insider threats and solutions to prevent them.
- Malicious employees are usually the focus of insider threat protection efforts, but are often overlooked data security threats.
- Analyst group Quocirca looks at the challenges faced by organisations when it comes to the insider threat and the protection of sensitive information.
By looking at what users are doing, Leonard said organisations are in a better position to identify anomalous or potentially risky activity.
“If a user starts to share data, organisations need to know about it so that they can look at intent to see if the user is transferring data to work from home or whether this behaviour is linked to malicious activity,” he said.
Getting visibility of user behaviour is the first important step, said Leonard, because it then enables organisations to establish control and take a broader view of cyber risk.
“Gaining greater control is important, particularly in the light of new data protection regulations, like the General Data Protection Regulation [GDPR], the fact that organisations are increasingly using cloud-based applications and services, and that a growing proportion of the workforce is working remotely,” he said.
Now that the GDPR compliance deadline has passed, Leonard said it has never been more important for organisations to ensure that any personally identifiable information (PII) is secure.
Leonard believes the GDPR will help drive a broader view of cyber risk in organisations because it will force them to review their security capabilities to ensure they have an appropriate level of security for protecting personal data.
Incident response capability
The GDPR also highlights the importance of having a good incident response capability, he said, because of the requirement for organisations to identify breaches and report them within 72 hours of becoming aware that a breach has occurred.
“Once again, this underlines the need for organisations to have visibility of the damage that a compromised credential could do to the business so that they are in a position to report the nature and extent of the breach in a timely fashion to a data protection authority.”
Although, in most sectors, the internal threat is not as great as external threats, Leonard said this should not be a reason for organisations to overlook the risk entirely.
“The proportion of breaches ascribed to internal threats varies from survey to survey, with some data indicating that insider threats can be linked to around two-thirds of breaches, but even if you take 25% as being the lowest common denominator, this is still a significant risk,” he said.
“Even the risk of one in four is one too many and represents a considerable blind spot in terms of potential breaches of the GDPR, and any organisation that does nothing to address this unacceptable risk is skating on very thin ice,” said Leonard.
Insider risk “preventable”
Insider risk, just like other common roots of data breaches such as poor patching, said Leonard, is not “rocket science” and is “entirely preventable” if the appropriate actions are taken.
“Organisations should look at a broad range of breach reports and ensure they learn from the common mistakes, failing and oversights highlighted by real world breaches,” he said.
Leonard is to discuss this topic in more detail at Infosecurity Europe 2018 in London on 6 June, in his presentation entitled: One year after WannaCry: Has anything changed? A root cause analysis of data breaches.