Research issued today by Forcepoint shows that European workers are a CISOs worst nightmare. The research showed that staff would sell work logins for as little at £200. 29% also admit to sending unauthorised data to a third party. The saying “There are none so blind as those who will not see” also applies to over 43% of employees. Why? Because they: “do not believe their organisation is currently vulnerable to a security threat caused by insiders.”
These are just some of the numbers from the report entitled “Europe’s Insider Threats: What CISOs Need To Know” (some registration details required). The report which runs to just 8 pages holds little back, although most of the detail is in just the first six pages. It was compiled from an independent survey of 4,000 users across four European countries. Unfortunately we were unable to see the underlying data to get a better view of national differences.
What does insider threat cover?
The report asks “what are insider threats?” It’s a good question and the report not only lists four groups outside of employees but also gives a list of what an insider threat might involve. For example:
- Business associates.
- Third parties.
- Individuals who have knowledge of an organisation’s security practices, confidential information or access to protected networks or databases.
This last section also includes friends and families of many staff members. For smaller companies, those friends and family members may have helped setup and install key pieces of software. It is likely that they still have working logins to access data. For larger organisations contractors are often seen as the number one non-employee risk.
However, customers and suppliers with access to key systems are also a major threat. This is not to say that they are going to steal or alter data but that their security failings can affect companies. Very few companies do any due diligence on partners before allowing them to access corporate systems. As we move towards Digital Transformation it requires greater automation and integration of systems. Without proper security controls this is a major insider threat problem.
What actions do insider threats involve?
This is something that few companies can really answer. To most people an insider threat is about stealing information, money or intellectual property. Forcepoint calls out five issues and it is the last two that will cause consternation for many organisations. The five are:
- Information theft
- Monetary theft
- Identity theft
- Data corruption or deletion
- Data altering with the intention of producing inconvenience or false criminal evidence
Most instance of data deletion are accidental or caused by poor maintenance. It is also thought to be more about users deleting files by accident rather than deliberately. However, careful and systematic deletion of key pieces of data can have a debilitating impact on companies. It can cause them to not invoice customers or not pay suppliers. It could also be log files that could prove a fraud has been committed. These are areas where companies need to improve their monitoring of user behaviour and have immutable log systems that cannot be altered or corrupted.
Data corruption tends to be caused by system misconfiguration. However, there are a number of nasty pieces of malware, such as ransomware, that will corrupt or render data useless. On a more mundane level, operations teams still do not validate backups regularly. This means that any corruption or failed backup can put a restore or recovery from an incident at risk. This is not just about cybercrime. Disaster recovery and business continuity planning have been a challenge for decades. For many organisations they are still not validated or working. This is a major failure of governance and not just about damage to data.
How bad does Forcepoint believe the problem is?
The answer is very bad. There is a significant awareness gap in terms of employee awareness. Part of this can be explained by message fatigue. Tell people the same message enough times and they stop listening. It can otherwise be seen as the Chicken Little, the sky is falling problem. There has to be a better way to engage with end users. It is not just about technology but also about better use of soft skills and awareness training.
Soft skills include things such as gamification. Use fake spear phishing attacks against departments and then show them what they missed. Rank departments against each other and find a way to reward those who do share threat data. Create internal pages where newly discovered attacks are posted. This will enable users to self learn rather than become resistant to too much technical training.
It is also important that users realise what the impact of a breach is. In the survey 32% said: “they were either unaware or unsure about breach consequences.” Almost a quarter had no idea of the cost of a breach. The European General Data Protection Regulation (GDPR) comes into force in 2018. At that point companies could find themselves being subjected to fines of 4% of global turnover. With many business running on smaller and smaller margins this is a business ending risk. If employees believe that their jobs and pensions are at risk, it may make them more aware of what is going on.
There is much more to the survey than just these points. Forcepoint does look at some findings on a country by country basis. This is good news as it helps to see where the bigger issues are. For pan-European organisations, this is also a chance to see how their internal training and processes stack up.
Ultimately this is about dealing with an issue that many CISOs have little visibility into. It could be argued that the problem is as much down to their security teams as it is them. For example, is it reasonable to assume that in a company of 10,000 employee’s the CISO knows what everyone is up to? No it isn’t but when it does go wrong there will be claims that they should know. This is where proper systems and processes are required to improve awareness and training.
Will any of this stop the CISO from having nightmares? If the CISO knows anything about the realism of the cybersecurity threat, no it won’t. For many, however, it may just allow the occasional good night of sleep.