No less an authority than colourful cybersecurity pioneer John McAfee firmly believes that the now infamous hack of the US-based Ashley Madison sex-cheating website was an inside job.
Statistically, this is extremely likely to be the case for most cyber security breaches. KCS’ own research shows that 80 per cent of corporate cybercrimes can be traced to staff, and this figure is increasing. This can be the result of deliberate cyber crime or it could be that the staff member has been careless with their personal log-in details.
But whether a security breach was malevolent or not makes little difference once an organised criminal gang (OCG) exploits it to the full. Once inside an IT system, OCGs can easily run ransomware across the target organisation’s entire communications network.
By encrypting the target company’s most sensitive data while withholding the software key needed for decryption, the OCG is able to demand that the target organisation pays a massive ransom to retrieve its data. Should the company refuse or be slow in paying the ransom demand, the OCG may put its most sensitive customer data up for sale on the Dark Web, the Internet’s unregulated and often illegal mirror economy.
Ransomware is available on the Dark Web for as little as $500. Some illegal software developers even offer 24/7 telephone support for hackers with weak technical skills. It could, therefore, be a mistake to think that only an IT wizard would be capable of stealing corporate data.
In an era where most organisations run on electronic communications, it is not only executives and IT engineers who hold the keys to the IT kingdom. Any member of staff with Internet access at work is a potential point of breach. Many chief executives pride themselves on being a good judge of character, but few outside small start-up organisations would claim to be able to vet their entire staff with a sideways glance. In many organisations, this leaves thousands of members of staff at all levels appearing to be potential security leaks.
It is, therefore, essential that organisations in all sectors of industry develop a cyber-security policy that no longer only reinforces the company’s outer firewall IT defences but also tackles the greater danger – the insider threat. It is, however, essential that this be done without instigating a witch hunt or developing a corporate paranoia where every member of staff feels constantly under suspicion. Ironically, it is precisely this type of paranoid, stressful work environment which new research reveals is the most fertile breeding ground for home-grown cyber criminals.
According to the US Department of Homeland Security: “An inside threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorised access to an organisation’s network, system or data and intentionally misused that access to negatively affect the confidentiality, integrity or availability of the organisation’s information or information systems.”
Homeland Security believes that insider threats involve not only installing ransomware but also include sabotage, theft, espionage, fraud and competitive advantage. KCS’ case files also hold examples of commercial companies being used by foreign powers as a gateway to defence contractors, in addition to hackers stealing data in order to disguise it as legitimate market research – a process known as ‘data laundering’.
To defend against the insider threat, organisations need to ensure their security software is designed to deal with it. For example, KCS Sentinel ZoneFox monitors each and every user interaction with critical data stored on the firm’s computer systems. By monitoring every user interaction with data, Sentinel can alert organisations to any behaviour occurring on their systems that may be indicative of malicious or non-compliant activity.
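To make the monitoring idea concrete, here is an added example (not KCS or Sentinel ZoneFox code) that baselines each user’s normal interaction with sensitive files and flags a day whose volume or off-hours activity departs sharply from that baseline. The log format, the sensitive path prefixes and the thresholds are assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Baseline-and-deviation check over constructed data-access events."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Assumed: paths under these prefixes count as "critical data".
SENSITIVE = ("/designs/", "/customers/")

# Constructed sample log, one access event per line:
# "<ISO timestamp> <user> <action> <path>"
SAMPLE_LOG = [
    # baseline: roughly two sensitive-file reads per working day
    "2015-09-01T10:02:00 alice READ /designs/widget.cad",
    "2015-09-01T14:30:00 alice READ /customers/uk.csv",
    "2015-09-02T09:15:00 alice READ /designs/widget.cad",
    "2015-09-02T16:40:00 alice READ /designs/gear.cad",
    "2015-09-03T11:05:00 alice READ /customers/uk.csv",
    "2015-09-03T15:20:00 alice READ /designs/widget.cad",
    "2015-09-03T15:25:00 alice READ /public/handbook.pdf",  # not sensitive
] + [
    # anomaly: ten design files copied late at night on a single day
    f"2015-09-04T23:{m:02d}:00 alice COPY /designs/part{m}.cad" for m in range(10)
]


def parse(line):
    ts, user, action, path = line.split()
    return datetime.fromisoformat(ts), user, action, path


def detect(lines, baseline_days=3, factor=3.0, min_events=5, hours=(8, 18)):
    """Return (user, date, reasons) for days that deviate from the baseline."""
    per_day = defaultdict(lambda: defaultdict(list))  # user -> date -> events
    for line in lines:
        ts, user, action, path = parse(line)
        if path.startswith(SENSITIVE):
            per_day[user][ts.date()].append((ts, action, path))
    alerts = []
    for user, days in per_day.items():
        dates = sorted(days)
        # Crude baseline: mean daily count over the user's first N active days.
        expected = mean(len(days[d]) for d in dates[:baseline_days]) if dates else 0
        for d in dates[baseline_days:]:
            n = len(days[d])
            off_hours = sum(1 for ts, _, _ in days[d] if not hours[0] <= ts.hour < hours[1])
            reasons = []
            if n >= min_events and n > factor * expected:
                reasons.append(f"volume {n} vs baseline {expected:.1f}")
            if off_hours >= min_events:
                reasons.append(f"{off_hours} off-hours accesses")
            if reasons:
                alerts.append((user, str(d), reasons))
    return alerts
```

A real deployment would baseline over a rolling window and per role rather than the first few days, but the shape of the check (what is normal for this user, and how far today departs from it) is the same.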
However, in many cases, companies often remain blissfully unaware when data is copied or stolen for malicious purposes. Sometimes, confidential data such as product designs and sensitive customer information are available online via the Dark Web, the internet’s largely anonymous mirror economy where it is possible to buy everything from stolen data to illegal weapons.
Companies should use third-party advisers with deeply embedded sources on the Dark Web so that they can be alerted if some of their data is being offered for sale. By monitoring the online ‘chatter’ of criminals on the Dark Web, it is also possible to have advance early warning of a likely cyber attack.
In an age where executive CVs often describe careers with numerous organisations spread over several continents, it is crucial that incoming staff be thoroughly vetted. This is best achieved by discreet non-conventional due diligence (DNCDD) in order to identify weaknesses or anomalies in someone’s background. Far too many organisations are failing to validate CVs. In 2015, it is almost impossible for any member of staff, not only executives, not to leave a digital trail. While full DNCDD should be deployed in the case of incoming executives, it is now possible to carry out fairly extensive online background checks on all members of staff to highlight any warning signals.
This can be used to augment the kind of personality profiling that Homeland Security believes can be used to identify potential bad apples. In the absence of online DNCDD, personality profiling can be counter-productive, generating a work culture of paranoia and suspicion.
However, if third-party vetting is carried out discreetly in conjunction with the other forms of monitoring described above, companies can be in a position to trust their staff, while knowing they will be instantly alerted to any potential wrongdoing.
Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe.