Every single company and organisation around the world faces some sort of insider threat. It’s often assumed the term refers to corporate spies, but it’s just as likely to be a disgruntled current or ex-employee with access to the company servers.
Team members might have files on their home computers, either innocently or maliciously, potentially putting them in the hands of criminals. Cybersecurity is usually treated as a systems problem rather than a people problem.
“This is where most companies come unstuck,” says Alex Bomberg, group CEO of Intelligent Protection International Ltd and International Intelligence Ltd, a group of companies that provide security consulting for organisations around the world. “Regardless of the size of your company, if you've not got the right policies and procedures in place for handling data, it causes all sorts of problems. We've been involved historically in a government data breach inquiry, and delegated access was a massive issue for emails. Insider threat doesn't necessarily need to be malicious.”
BYOD data risks
The increasing prevalence of Bring Your Own Device (BYOD) policies creates new risks for businesses. BYOD can be appealing, especially for smaller companies, but when someone leaves it can be difficult to ensure that company data is scrubbed from their devices.
“It all comes down to really good risk management,” says Bomberg. “Managing the risk, especially with espionage, is not necessarily where you think the risks might be. You've got to look at the whole people policies and procedures side of things with cybersecurity. You've got to look at who needs access to what. We've worked in organisations where they feel everybody should have access to everything. That's not necessarily a good strategy.”
You can have the best IT system in the world, but if you're failing on people management and internal risk, you’re vulnerable, Bomberg explains. Often companies have policies that refer to other policies that are out of date or no longer exist.
“With a lot of small and medium companies in particular, staff often don't feel they have a single point of contact for security issues, and they're not briefed on what to do. So let's say somebody they meet in a pub is asking them too many questions. How do they respond? Are they aware that they could be being targeted? And if they do realise it, do they have somebody to report it to?”
Multiple access points
Sometimes insider threats come from sleeper agents inside your company who are looking to take R&D or customer data; this is most common in larger organisations. But the threat can also be the aforementioned disgruntled employee, or a careless employee working at home. Bomberg says criminals can find information to get into a company by simply rummaging through employees' bins or waiting for an opportune moment, say if an employee leaves their laptop unattended in an easily accessible location.
In many instances of insider threat, the target is intellectual property, which can net a tidy sum for the thieves. “Most small and medium-sized companies don't have the funds behind them to take somebody to court. They usually get settled out of court, when it’s already too late.”
When an insider threat materialises, whether it's malicious or not, companies really struggle, he explains. One of the unique impacts of internal threats is the effect on morale. “People will know that a colleague has caused problems. If it becomes public, you often get people jumping ship, because they don't want to work for a company that has had security issues.”
Responding to threats
Insider threat is potentially everywhere, says Bomberg, but combating it is actually not as expensive as most people think. Organisations should create a ‘capable guardian’, which could be anything from alarm systems to on-site security teams. Part of that should be a company culture that encourages people to question things.
Bomberg cites a common example that accountancy firms or finance teams might deal with: payment diversion fraud. Well-designed attacks break into servers and turn the company's own email system against it. They often deploy social engineering techniques – using specific details gleaned from sitting within the system, acting either very assertively or naively, creating a sense of urgency – so that people respond without questioning the request.
“When people receive an urgent email from the MD or CFO they often fail to question it – it’s human nature. They don't question it, even though to check it, they just need to pick up the phone.”
A lot of preventative measures are as simple as that example, Bomberg explains. Companies should create gates in procedures, such as having more than one person sign off a payment or having additional checks on any documents. They should also keep up to date with things like who has delegated access to email accounts.
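The procedural gates described above can be encoded so that a payment system refuses to release funds unless they have been passed. The following is an added illustration, not code from the article or from Bomberg's companies: a release check that demands two approvers who are not the requester, and that treats a change in a supplier's bank details as unverified unless finance confirmed it by calling the number already held in the supplier master file rather than one supplied in the requesting email. All supplier names, account numbers, phone numbers and staff names are constructed.

```python
"""Payment-release gate: dual sign-off plus out-of-band verification.

Added example (not from the original article). Models the 'gates in
procedures' a finance team can put in front of a payment to blunt payment
diversion fraud. Every identifier below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MIN_APPROVERS = 2  # assumed policy: two independent sign-offs per payment


@dataclass(frozen=True)
class SupplierRecord:
    """Bank details held in the supplier master file: the trusted source."""
    name: str
    account: str
    phone_on_file: str  # number finance calls to confirm any detail change


@dataclass
class PaymentRequest:
    supplier: str
    account: str            # account the request asks to pay
    amount: float
    requested_by: str
    approvals: Set[str] = field(default_factory=set)
    # Number finance actually dialled to confirm a change of bank details.
    verified_via_phone: Optional[str] = None


def release_decision(req: PaymentRequest,
                     master: Dict[str, SupplierRecord]) -> Tuple[bool, List[str]]:
    """Return (allowed, blocking_reasons).

    Every failed gate is reported, not just the first, so the reviewer
    sees the whole picture before deciding what to chase up.
    """
    reasons: List[str] = []
    record = master.get(req.supplier)
    if record is None:
        reasons.append("unknown supplier: no master record to verify against")

    # Segregation of duties: the requester never counts as an approver.
    approvers = req.approvals - {req.requested_by}
    if len(approvers) < MIN_APPROVERS:
        reasons.append(f"needs {MIN_APPROVERS} independent approvers, "
                       f"have {len(approvers)}")

    # Payment-diversion gate: bank details that differ from the master file
    # must have been confirmed over a channel the email sender cannot control,
    # i.e. the phone number already on file, not one quoted in the request.
    if record is not None and req.account != record.account:
        if req.verified_via_phone != record.phone_on_file:
            reasons.append("bank details changed and not confirmed via the "
                           "phone number on file")

    return (not reasons, reasons)


# Constructed supplier master file.
SUPPLIER_MASTER: Dict[str, SupplierRecord] = {
    "Acme Stationery": SupplierRecord("Acme Stationery",
                                      "GB11-0000-1111", "+44 20 0000 0001"),
}


def demo_cases() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the gate over four constructed requests and return the decisions."""
    cases = {
        # Routine invoice to the account on file, signed off by two colleagues.
        "legitimate": PaymentRequest("Acme Stationery", "GB11-0000-1111",
                                     4200.0, "alice", {"alice", "bob", "carol"}),
        # 'Urgent' request to pay a new account; only the requester plus one
        # colleague have signed, and nobody phoned the supplier.
        "diverted": PaymentRequest("Acme Stationery", "GB99-9999-9999",
                                   4200.0, "alice", {"alice", "bob"}),
        # Same change of details, properly approved and confirmed by calling
        # the number held in the master file.
        "confirmed": PaymentRequest("Acme Stationery", "GB99-9999-9999",
                                    4200.0, "alice", {"bob", "carol"},
                                    verified_via_phone="+44 20 0000 0001"),
        # Confirmed by calling the number given in the email itself: rejected,
        # because the attacker chose that number.
        "wrong_number": PaymentRequest("Acme Stationery", "GB99-9999-9999",
                                       4200.0, "alice", {"bob", "carol"},
                                       verified_via_phone="+44 20 9999 9999"),
    }
    return {name: release_decision(req, SUPPLIER_MASTER)
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo_cases().items():
        print(f"{name:13s} -> {'RELEASE' if allowed else 'HOLD'} {reasons}")
```

The point of the last case is the one Bomberg makes: "pick up the phone" only works if the number comes from a record the attacker could not have planted, so the gate compares the dialled number against the master file rather than accepting any confirmation flag.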
“It's understanding how the company works,” says Bomberg. “Before you write the policies, you need to know what people do in their roles and build really good policies around it. They do not need to be complicated. People need to be able to understand them. They need to be absolutely workable. You make it too complicated and people are not going to do it. And make sure all the right stakeholders are involved in developing the policies so every relevant department is on the same page.”
The implications of not getting this right are massive, he says. “You don’t want to end up in court, having lost one of your clients’ data. It all boils down to the basics of data management and standard risk management and managing the risk of losing that data one way or another.”
Cybercrime Awareness Month 2022
ICAEW marks the global Cyber Security Awareness Month with a series of webinars, videos, podcasts, a panel discussion and other resources addressing cybercrime and how to protect your business. We will focus on the latest trends as well as supply chain risks and concerns.