Welcome to part two of our blog series, Cybersecurity as an Iceberg. In part one, we discussed two unaddressed risks in cybersecurity: Third-Party Risks and Data Privacy Law Violations. The next unaddressed cybersecurity risks are Insider Threats, Lack of Security Awareness Training, and Missing Policies.
Insider threats are risks that come from within an organization: a user who already has access to, or an understanding of, the organization’s structure and information. The harm done by an insider includes malicious, complacent, or unintentional acts that negatively impact the organization’s network and information.
Insider threats are a serious threat to every organization. In its 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders. Three-quarters of those attacks were malicious; the remaining quarter were inadvertent acts by the insider.
According to the Cybersecurity & Infrastructure Security Agency (CISA), insider threats include espionage, terrorism, unauthorized disclosure of information, corruption, sabotage, etc. Insider threats occur both intentionally and unintentionally. For example, employees might visit malicious websites or use a compromised USB or other external drive. There are also malicious insiders, such as angry employees or employees persuaded by outside influences.
In Crowd Research Partners’ 2018 Insider Threat Report, the risk factors cited as enabling insider threats include excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%). Accidental insider incidents were attributed mainly to phishing (67%), weak or reused passwords (56%), unlocked devices (44%), poor password-sharing practices (44%), and insecure Wi-Fi networks (32%).
Since both malicious and accidental insider threats are prevalent, implement policies and practices that minimize the damage an insider can do to your organization.
How can you protect your company from malicious insider threats?
Kate Randal, an FBI cybersecurity analyst, discussed malicious insider threats. In her presentation, she described three spheres to look into when trying to identify a malicious insider. To determine someone’s risk level, there must be a combination of red flags across the spheres. The three spheres are Cyber, Contextual, and Psychosocial.
The first sphere, cyber, is assessed by looking at system records to determine what the insider accesses and when they log on. Red flags in this sphere include logging in after hours or volunteering for overtime, particularly when that departs from the person’s own established pattern.
Contextual information covers the employee’s background, such as job role, financial pressures, foreign contacts, and so on. This information is collected through background checks, security checks, and interviews.
Psychosocial analysis looks at employees’ behavior and interactions. Where there is workplace disgruntlement, it helps determine which employees are more likely to act on anger or unhappiness.
However, an individual red flag does not indicate that an employee is a malicious insider. To identify one, there must be a combination of red flags from each sphere. Viewed together, the three spheres help you determine who is most likely to be influenced and used to get at your organization’s information.
Therefore, it is important to be careful when determining employees’ security clearances and access levels, which also protects your company from unintentional insider threats.
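The cyber sphere is the one that can be measured from logs. The following is an added example (not part of the original post or of the FBI presentation) that scores after-hours logins per user over a constructed, syslog-like sample, counting repeated after-hours logins and external source addresses as separate signals rather than treating any single late login as proof of malice. The log format, the 08:00 to 18:00 business hours, the `10.` internal address prefix and the threshold of two after-hours logins are all assumptions to tune for your environment.

```python
"""Added example: flag after-hours logins from constructed auth log lines.

Not code from the original post or from the FBI presentation it cites.
Assumed log format:  <ISO timestamp> LOGIN user=<name> src=<ip> result=<success|failure>
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLE_LOG = """\
2024-03-04T08:55:12 LOGIN user=alice src=10.0.1.20 result=success
2024-03-04T23:41:03 LOGIN user=alice src=10.0.1.20 result=success
2024-03-05T09:02:44 LOGIN user=bob src=10.0.2.7 result=success
2024-03-05T02:15:09 LOGIN user=bob src=10.0.2.7 result=success
2024-03-06T03:07:51 LOGIN user=bob src=203.0.113.5 result=success
2024-03-06T19:30:00 LOGIN user=carol src=10.0.3.9 result=failure
2024-03-07T01:12:00 LOGIN user=carol src=10.0.3.9 result=success
2024-03-09T10:00:00 LOGIN user=carol src=10.0.3.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed business hours (local time of the logging host); adjust per site.
BUSINESS_START, BUSINESS_END = 8, 18


def parse_log(text):
    """Return a list of (timestamp, user, src, result); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return events


def is_after_hours(ts):
    """Weekends and anything outside BUSINESS_START..BUSINESS_END count as after hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def score_after_hours(events, internal_prefix="10."):
    """Per-user counts of successful logins, after-hours logins, and after-hours logins
    from outside the assumed internal address range."""
    stats = defaultdict(lambda: {"after_hours": 0, "external_after_hours": 0, "total": 0})
    for ts, user, src, result in events:
        if result != "success":
            continue  # failed attempts are a different signal and are not scored here
        s = stats[user]
        s["total"] += 1
        if is_after_hours(ts):
            s["after_hours"] += 1
            if not src.startswith(internal_prefix):
                s["external_after_hours"] += 1
    return dict(stats)


def red_flag_users(events, min_after_hours=2):
    """Users with at least min_after_hours after-hours successful logins, worst first.
    A name on this list is a red flag in one sphere, not a verdict: combine it with
    the contextual and psychosocial spheres before acting."""
    stats = score_after_hours(events)
    flagged = [(u, s) for u, s in stats.items() if s["after_hours"] >= min_after_hours]
    flagged.sort(key=lambda us: (us[1]["external_after_hours"], us[1]["after_hours"]), reverse=True)
    return [u for u, _ in flagged]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, s in score_after_hours(evts).items():
        print(user, s)
    print("review:", red_flag_users(evts))
```

On the sample, alice has one late login and is not flagged; bob and carol each have two, and bob sorts first because one of his came from an address outside the internal range. The point of the threshold and the separate counters is to make the analyst look at a pattern, not a single event.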
How can you protect your company from accidental insider threats?
Again, limit nonessential employees’ access to sensitive data and information: an employee who never had access to a record cannot leak it, whether through malice or by mistake. Encrypt your information, particularly on laptops and removable media, so that it is unreadable when an attacker tries to read it from a lost device or a non-company computer.
To protect your company from accidental insider threats, remember that knowledge is power. Conduct cybersecurity awareness training with your employees. Security awareness training mitigates the risk of accidental insider threats by teaching your employees safe practices, which leads us to our next unaddressed threat: the lack of security awareness training in companies.
Lack of Security Awareness Training
A cybersecurity risk many companies fail to pay attention to is the absence of security awareness training. Awareness is crucial because it shows employees the value of the information they access. Additionally, many employees do not know how to respond to a cybersecurity problem when they see one. By providing awareness training, the company teaches its employees the importance of the data they handle and what to do when something looks wrong.
Implementing cybersecurity training does not take much time or effort. CISA offers free videos and guidelines on insider threats that can boost your company’s security awareness. For cybersecurity threats in general, NIST maintains a page of free online content that explains the importance of cybersecurity.
Cybersecurity training teaches employees how to recognize and respond to a cybersecurity problem they encounter. Recognizing a threat early helps the company resolve the problem and so minimizes the risk of data leaks and other cyberattacks.
Missing Policies
A cybersecurity policy provides clear guidelines on transferring company data, accessing private systems, and using company-issued devices. It also ensures your organization has sufficient security measures in place, whether preventive or responsive.
Oftentimes, companies miss, or fail to follow, a few crucial policies that would prevent basic cybersecurity threats. Equifax’s 2017 breach is the standard example. Attackers got in through an unpatched vulnerability in a public-facing web application and then stayed undetected for roughly 76 days because a certificate on the device that decrypts and inspects the company’s network traffic had expired about ten months earlier. With that certificate expired, encrypted traffic leaving the network was no longer being inspected, so the exfiltration of data on roughly 147 million consumers went unseen. The result was a large financial loss and a loss of consumer trust.
As Equifax’s situation shows, a well-constructed policy that required tracking and renewing certificates, backed by a check that enforced it, would have kept the inspection device working, and security analysts would have detected the compromise far sooner, minimizing the damage to Equifax’s data.
Additionally, cybersecurity policies provide overall direction for your organization’s approach to threats and risks. Policies therefore need to be detailed enough to be effective.
For example, at the employee level, an authentication policy can require strong, unique passwords and multi-factor authentication (MFA), and an access policy can set requirements for reaching sensitive data. Furthermore, detailed policies reduce the time security analysts spend identifying a problem: concrete rules let analysts decide whether a specific practice is acceptable without inferences or guesswork.
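A renewal policy only works if something checks it. Below is an added example (not Equifax’s code or the original post’s) of the kind of certificate inventory check that turns the policy into a control, using only the Python standard library. The device names, expiry dates, 30-day warning window and fixed reference date are constructed for the example; the `notAfter` strings are in the format that `openssl x509 -noout -enddate` and Python’s `ssl` module report.

```python
"""Added example: certificate expiry check over a constructed inventory.

Not code from Equifax or from the original post. Device names, dates and the
30-day warning window are assumptions for illustration.
"""
import ssl
from datetime import datetime, timezone

# Constructed inventory: device name -> notAfter, as reported by
# `openssl x509 -in cert.pem -noout -enddate` (prefix stripped) or ssl.getpeercert().
INVENTORY = {
    "ssl-inspection-appliance": "Jan 10 00:00:00 2024 GMT",
    "vpn-gateway": "Mar 20 12:00:00 2024 GMT",
    "public-web": "Sep 01 12:00:00 2024 GMT",
}

# Fixed reference date so the example is reproducible; production code uses the real clock.
REFERENCE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def parse_enddate_line(line):
    """Strip the `notAfter=` prefix that the openssl CLI prints, if present."""
    line = line.strip()
    return line[len("notAfter="):] if line.startswith("notAfter=") else line


def days_until_expiry(not_after, now):
    """Days (fractional) until the certificate's notAfter; negative if already expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(not_after, now, warn_days=30):
    d = days_until_expiry(not_after, now)
    if d < 0:
        return "EXPIRED"
    if d <= warn_days:
        return "EXPIRING"
    return "OK"


def check_inventory(inventory, now=None, warn_days=30):
    """Map each device to EXPIRED / EXPIRING / OK. An EXPIRED inspection device is a
    monitoring blind spot, not just a housekeeping item, so treat it as an incident."""
    now = now or datetime.now(timezone.utc)
    return {name: classify(parse_enddate_line(na), now, warn_days)
            for name, na in inventory.items()}


def blind_spots(inventory, now=None):
    """Devices whose certificate has already expired, i.e. controls that have silently stopped."""
    return sorted(n for n, status in check_inventory(inventory, now).items() if status == "EXPIRED")


if __name__ == "__main__":
    for name, status in check_inventory(INVENTORY, now=REFERENCE_NOW).items():
        print(f"{status:9} {name}")
    print("blind spots:", blind_spots(INVENTORY, now=REFERENCE_NOW))
```

Run daily from a scheduler and wired to the same alerting as any other failed control, a check like this would have raised the expired inspection certificate months before the attackers arrived rather than leaving it to be found by accident.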
Importance of Cybersecurity
In this post, we have covered insider threats, the lack of security awareness training, and missing policies. In the end, many of these topics lead back to cybersecurity awareness, where knowledge is power. Knowing the threats and the preventive measures keeps you and your company safer from cyber attackers.
To learn more about other hidden cybersecurity risks, look forward to part 3 of our blog series, Cybersecurity as an Iceberg, to learn about ineffective security controls, missing security controls, and unaddressed asset vulnerabilities.