Watch Out for These Cybersecurity Monsters

As Halloween approaches, everything takes on a macabre feel, from shops stocking up with treats and tricks to the latest horror film in the cinema to classic films on TV. October becomes the scariest month of the year for many. October is also CyberSecurity Awareness Month. It aims to highlight organisations’ fears about the cybersecurity monsters that operate all year round.

Creatures of the night are rampant on Halloween, and cybersecurity boasts its own monsters. Maybe not the type that wants your blood, but they do want the next best thing: your data and, very often, your identity. These cybercriminals — or in the spirit of Halloween, cyber monsters — are actively looking for victims. Cyber monsters operate day and night. Traversing the Internet like witches on brooms, they can reach almost anywhere on earth.

Cyber vampires: they can be anyone, anywhere

According to Verizon’s 2022 Data Breach Investigations Report, 82% of data breaches involve the human element. The human element includes but is not limited to: errors, policy violations, mistaken clicks on a malware link in email, and intentional acts. Security teams spend considerable time analysing and classifying the cyber monsters that comprise the human element.

Several types of cyber monsters are looking to feed on businesses. Security teams need to understand their tactics, techniques, and processes. Threat intelligence and threat modeling are commonly used to understand and protect against cyber vampires.

Which cyber monster is the scariest of all?

  • A leading contender for scariest cyber monster: organised crime. Organised crime is like a pack of werewolves. They look like a legitimate and innocuous business, but are actually corporate-style in their approach and highly skilled – they even provide benefits to their workers. These monsters are motivated by money. They typically employ ransomware, a sinister curse that steals data by encrypting it and keeping it encrypted until the victim pays a ransom. Ransomware can severely cripple business and government agency operations.
  • Also to be feared: well-funded, highly sophisticated state-actors. State-actors are the cyber monster version of a vampire — real blood suckers. They focus on intelligence gathering but can also launch devastating cyber warfare against critical infrastructure such as energy and water utilities. Their targets are generally governments. State-actors adopt advanced persistent threats (APTs) to surreptitiously attack their victims. APTs are hard to detect because of their ability to evade security controls.
  • The witches of cyber monsters: hacktivists. They are obscure and can transform themselves to deceive victims into trusting them and often associate themselves with legitimate causes. Hacktivist witches deploy a variety of tactics to disrupt and discredit businesses and government agencies. They aren’t motivated by money or intelligence-gathering. Instead, they’re driven by political, social, and religious fanaticism, making them the stuff of nightmares.
  • The Frankenstein of the monster gang: script-kiddies. Script-kiddies are clumsy — not pretty — and are composed of many miscellaneous parts slapped together to attack businesses. They are the amateurs in the dark world of cyber monsters. They use businesses as a playground to polish their hacking skills and gain status with peers. With tool kits, such as Metasploit, they can access business resources and wreak havoc. Like true monsters, they may be oafish, but they cause a lot of damage.

True horror: insiders

These cyber monsters are horrifying enough to keep the best security teams up at night. But for a real Halloween fright — if you wanna see something really scary — look no further than insiders. Insiders are the cyber monsters security teams should be the most anxious about. Insiders are like poltergeists on Halloween. They are difficult to see, full of surprises, and full of disruptive antics.

Insiders are typically employees, contractors, and partners — those with valid access to business resources. They present the quintessential security challenge: how to provide access, while also doing the monitoring required to detect harmful behaviours, all without interfering with legitimate processes.

Insiders can be particularly monstrous for two reasons. First, they can intentionally or unintentionally cause a cybersecurity incident. Secondly, insiders can be associated with powerful, external threats such as hacktivists — merging internal and external threats and creating a nightmare scenario for businesses.

Ponemon’s 2022 Cost of Insider Threats Global Report is not for the faint-hearted. It notes that malicious insiders caused 26% of the security incidents studied, each with an average cost of $648,062. It also reports that 56% of tracked security incidents were caused by negligent insiders, with an average per-incident cost of $484,931. Frightening to believe these businesses collectively had more to fear from trusted employees and partners than external cyber monsters.

Protections against the insider threat

Security teams must focus on identifying insiders who intentionally seek to divulge corporate information or disrupt business operations. The task is made more difficult because insiders may have role-appropriate privileges. Advanced identification approaches are necessary. For example, several tracking indicators and techniques may be used to identify malicious insiders and activity. They include:

  • Analyse user behaviour patterns. This generally refers to how insiders access information and business resources. Analysis may include the type of device used, journey/steps to access the resource, time of day, and errors (e.g., passwords entered incorrectly.)
  • Create decoy systems (honeypots). Security teams may deploy decoy applications and data to tempt an unsuspecting insider; any access to them then triggers a log entry that can identify a potential risk.
  • Leverage user profiling. Some insiders, because of their status, may be actively monitored or have their privileges restricted. They may include employees subject to disciplinary action and termination, those with access to highly sensitive data, or those in senior positions of authority. Profile the new category of insiders termed quiet quitters because of the potential risks they pose.
  • Develop zero-trust architectures and least-privilege access policies. By using layered security and other techniques, security teams can limit the information insiders are permitted to access.
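As an added example (not from the original post), the tracking indicators listed above turned into a small Python scorer run over a constructed access log: off-hours access, a device not seen in the user's normal-hours baseline, repeated failed passwords, and a hit on a hypothetical decoy (honeypot) path. The log lines, the decoy path, the working-hours window and the weights are all assumptions.

```python
from collections import defaultdict

# Constructed sample access log (not real data): timestamp user device resource outcome
LOG = """\
2022-10-03T09:12:00 alice laptop-a1 /hr/payroll ok
2022-10-04T02:17:00 alice unknown-pc /hr/payroll fail
2022-10-04T02:18:00 alice unknown-pc /hr/payroll fail
2022-10-04T02:19:00 alice unknown-pc /hr/payroll fail
2022-10-04T02:25:00 alice unknown-pc /finance/decoy-m-and-a ok
2022-10-03T11:00:00 bob laptop-b7 /eng/repo ok
2022-10-03T15:30:00 bob laptop-b7 /eng/repo ok
"""

DECOY_PREFIX = "/finance/decoy-"  # hypothetical honeypot path no legitimate work touches
WORK_HOURS = range(7, 20)         # assumption: 07:00-19:59 is a normal working day
FAIL_THRESHOLD = 3                # repeated wrong passwords before we flag the user

def parse(log):
    """Split each constructed log line into a dict; the hour is chars 11-12 of the ISO timestamp."""
    out = []
    for line in log.splitlines():
        ts, user, device, resource, outcome = line.split()
        out.append({"hour": int(ts[11:13]), "user": user, "device": device,
                    "resource": resource, "ok": outcome == "ok"})
    return out

def score_users(log):
    """Return {user: (risk score, sorted reasons)} for users that tripped any indicator."""
    events = parse(log)
    baseline = defaultdict(set)   # devices seen in successful normal-hours access
    for e in events:
        if e["ok"] and e["hour"] in WORK_HOURS:
            baseline[e["user"]].add(e["device"])
    reasons, fails = defaultdict(set), defaultdict(int)
    for e in events:
        u = e["user"]
        if e["hour"] not in WORK_HOURS:
            reasons[u].add("off-hours access")
        if e["device"] not in baseline[u]:
            reasons[u].add(f"unknown device {e['device']}")
        if not e["ok"]:
            fails[u] += 1
            if fails[u] >= FAIL_THRESHOLD:
                reasons[u].add("repeated failed logins")
        if e["resource"].startswith(DECOY_PREFIX):
            reasons[u].add("touched decoy resource")  # honeypot trigger, weighted highest
    weights = {"touched decoy resource": 5, "repeated failed logins": 3}  # others weigh 1
    return {u: (sum(weights.get(r, 1) for r in rs), sorted(rs))
            for u, rs in reasons.items()}
```

Users with no flagged events (bob here) are absent from the result, so the output is the worklist an analyst would review rather than a score for everyone.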

Insiders who are negligent but not malicious can also pose extreme security risks. For example, a simple misconfiguration of public cloud services can be exploited to facilitate costly data breaches. Negligent insiders are more difficult to identify because their behaviours and privileges are not flagged by traditional security tools.

What businesses must do to protect themselves

Email security, which is closely related to phishing and ransomware, receives a lot of emphasis from security teams. According to IBM’s 2022 Cost of a Data Breach Report, business email compromise and phishing incidents represent the highest total breach cost — $9.6 million — and the highest-frequency attack vector (21%). This is why businesses are increasing their investments in employee awareness and education. They are also bringing disciplinary action against those who violate corporate security guidelines — especially repeat offenders. Businesses simply can’t risk costly mistakes.

Because of the prominence humans play in cybersecurity, implementation of training and awareness programmes is highly valued by cyber-insurance assessors and is the second-most important factor next to cloud security. Businesses seeking to transfer cyber risk to an insurance underwriter will find that they must comply with cybersecurity training programmes.

Perhaps the greatest concern posed by insiders isn’t from financial costs or harm to a business’s reputation but from the disruption of its relationships with employees and partners. Finding talent is proving to be a real challenge in today’s highly competitive job market.

Businesses may not be able to hire as quickly or easily as in the past, because they will be compelled to perform more stringent background checks and implement programmes to monitor employee activity. Though disciplinary action is needed to give security policies teeth, it may impact morale by eroding trust. However, cyber monsters are all too real, and businesses need more than wreaths of garlic or fonts of holy water to mitigate the threat they create.

Rimini Street, Inc. (Nasdaq: RMNI) is a global provider of enterprise software products and services, the leading third-party support provider for Oracle and SAP software products and a Salesforce partner. The Company offers premium, ultra-responsive and integrated application management and support services that enable enterprise software licensees to save significant costs, free up resources for innovation and achieve better business outcomes. To date, over 4,800 Fortune 500, Fortune Global 100, midmarket, public sector and other organizations from a broad range of industries have relied on Rimini Street as their trusted application enterprise software products and services provider.
