Brian Jackson - Fotolia

Sage data breach underlines insider threat

Organisations need to take insider threats more seriously say security experts, as Sage warns that a data breach using an internal log-in may have compromised employee data at nearly 300 UK firms

This article can also be found in the Premium Editorial Download: Computer Weekly: Get protected: The importance of security

A warning by UK-based accounting software firm Sage to customers in the UK and Ireland of a data breach underlines the importance of addressing the risk of insider threats, say security experts.

According to Sage, there has been some unauthorised access using an internal log-in to the data of a “small number” of UK customers.

The data breach may have compromised the personal details and bank account information of employees of nearly 300 UK companies, according to the BBC.  

Sage reported the breach to the City of London police and the information commissioner’s office (ICO) at the weekend.

The software firm said in a statement that it is working closely with the authorities to investigate the breach and is notifying customers who may be affected.

Sage said it is also giving guidance on measures customers can take to protect their security, but news of the breach has already affected the company’s share price.

Highlighting that the cost of data breaches are seldom confined to remediation and recovery costs, Sage’s share price fell as much as 4.3% in early trading on 15 August 2016.

Sage, which provides business software for accounting and payroll services to firms across 23 countries, has an annual turnover of £1.3bn, and is the only technology stock on the FTSE 100.

Revenge, access rights and password leaks

It is not uncommon for computer systems to be compromised by the company’s own employees, said Ryan O’Leary, vice-president of the threat research centre at WhiteHat Security.

“It’s currently unclear what type of internal log-in was used in this data breach. If it turns out to be a log-in portal accessed only from the internal network, this could be a sign of an inside job,” he said.

Often, said O’Leary, insiders are motivated by revenge for some perceived wrongdoing by their employer.

“Data breaches of this kind highlight the importance of careful consideration around access privileges. Sometimes, the easiest way to mitigate an insider threat is to simply audit who has access to critical and sensitive data,” he said.

Read more about the insider threat

  • Most organisations in Europe rely on outdated security technologies, exposing them to breaches by malicious or hapless insiders, a report reveals.
  • Malicious employees are usually the focus of insider threat protection efforts, but accidents and negligence are often overlooked data security threats.
  • This report from analyst group Quocirca looks at the challenges faced by organisations when it comes to the insider threat and the protection of sensitive information.

Alternatively, O’Leary said a Sage employee may have had their credentials compromised through a direct attack, where the attacker attempted to steal the credentials of a specific user, or by using compromised credentials from an entirely different data breach.

“The simple truth is that people often use the same username and password combinations on a variety of different sites and system,” he said.

“With the high number of password leak incidents recently, attackers will no doubt be trying to use compromised credentials on a variety of websites, to see if they work. Users must make sure they’re using different passwords on every site.”

Insider threats are almost always preventable if the right people management processes and tools are in place, according to Thomas Fischer, threat researcher and global security advocate at Digital Guardian.

“This is the case even if the employee is a so-called reluctant insider, meaning that, for example, an external party has compromised their account,” he said.

“Sage also claims that it currently unsure how the data was compromised. Again, with the proper investments in IT security, this should be easily controllable and identifiable in a very short period of time.”

Internal threat of data breaches

Eduard Meelhuysen, vice-president for Europe at cloud security firm Netskope, said the data breach at Sage is a powerful reminder that although many businesses look to protect their data from outside threats, the “uncomfortable truth” is that a significant risk often comes from the inside.

“Whether true human error, compromised account details, malicious insiders or a lack of awareness around IT rules and how to help protect the company’s data, the insider element needs to form part of the wider security strategy along with external threats,” he said.

Meelhuysen said it has become more difficult to keep track of employee activity, and which data they can access, especially as enterprise cloud use continues to grow.

“On average there are now 777 cloud apps in use in European organisations, but 94.4% of these apps are not enterprise-ready from a security standpoint. This means that sensitive corporate data may be exposed without staff even realising it,” he said.

However, Meelhuysen said mitigating security risks from a company’s entire cloud app ecosystem and on-premise systems cannot be completed in one fell swoop.

“Wherever possible, organisations should use policy and employee training to coach staff towards safe courses of action and secure cloud apps without affecting productivity. But, surgical visibility and control, as well as robust data analytics, are crucially important as they will help differentiate between employees and bad actors,” he said.

Most companies lack insider threat security

Although insiders continue to be one of the top causes of data breaches, the insider threat is still poorly understood by European organisations, according to a June 2016 report by IDC.

An IDC survey of 400 companies with more than 1,000 employees in the UK, France, Germany, Sweden and the Netherlands revealed that 80% rely on traditional approaches to security that are unable to detect and respond to user activities, which can result in systems being compromised.

Nearly a third of respondents admitted they do not use basic methods of breach detection, and fewer than one in five have any form of security analytics in place.

According to Duncan Brown, research director at IDC’s European security practice, organisations should take an analytics-driven approach to detect threats early and respond effectively.

“This will help companies to deal with threats of all kinds – external attackers, hapless users and malicious insiders,” he said.

Read more on Privacy and data protection

Data Center
Data Management