Did you know that on an average day, upwards of 50% of your most sensitive data leaves your domain? Think about it: every evening, your employees go home with not only what is in their heads, but also what is on their computers. While some companies are still blissfully unaware of this, others are painfully aware and have taken measures to control the “insider threat”. Best practice is not only to thwart attacks perpetrated by rogue employees, but also to identify and address potential threats before the damage is done.
While rogue employees are able to inflict the most damage on an organization because of their access to information, most employees are honest and hardworking. They would never knowingly put the organization at risk by misusing or stealing confidential information. Having said that, many employees hand full access to cybercriminals without even knowing it.
If you have gotten the now famous email from a Nigerian prince looking to transfer tens of millions of dollars out of his country, who will gladly share this windfall with you, then a social engineering attempt was launched against you. Most individuals recognize this as a scam built to do nothing more than rope the unwitting victim into divulging information or transferring funds. Social engineering has since become significantly more sophisticated. Each attempt is engineered to fool an employee into taking an action that lets the hacker get inside the network and operate as an insider without the knowledge of the employee, and in many cases without the knowledge of the organization.

The “tricks” that cyber criminals play on unsuspecting employees may be as simple as calling an employee while posing as someone from IT and asking for their password because “maintenance” needs to be performed. Studies have shown that, more often than not, an employee will give up their password without question. More sophisticated social engineering techniques include sending out a link that entices an employee to click; doing so launches malware into the system. Spear phishing is more sophisticated still. A hacker researches a company and its employees very carefully and targets employees based on the company, their role and the access they may have. If an employee acts on the “trick”, a highly customized attack is launched to gain access to the internal network and obtain unfettered access to harvest the organization's precious data. In many of these cases, the attacker can operate as an insider for days, weeks or even months without detection. It does not matter whether it is a corporation, a non-profit or a government agency; each has been breached in this manner and all remain susceptible to these attacks in the future.
The key to successfully waging a strong defense against the insider threat created by social engineering is twofold. Perimeter defense is not designed to protect against rogue employees or against social engineering that operates inside the network. Maintaining a strong and granular access control policy ensures that employees only have access to the information required to do their job. In a financial services organization, this may mean that a broker has very different access than a research analyst (aka Chinese Walls). In healthcare, doctors have different access than the dietician (HIPAA). Creating these barriers helps with many compliance regulations, but it also compartmentalizes what an employee can do or see. Much like flood doors on a ship contain a hull breach by isolating the damage, a robust access control policy minimizes breach damage when it comes to data security: an account that is phished or talked out of its password only exposes what that account's role was allowed to reach. But the story does not end there…
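The containment argument above, as an added example that is not part of the original post: a deny-by-default, role-scoped policy built from the roles the paragraph names (broker, analyst, doctor, dietician). The data classes and account names are constructed for illustration, and `blast_radius` shows what an attacker holding one phished account can reach under the granular policy versus a flat "everyone sees everything" policy.

```python
"""Deny-by-default, role-scoped access control (constructed illustration)."""
from typing import Dict, FrozenSet, Iterable, Optional

# Constructed policy: role -> data classes the role may read.
# Anything not listed here is denied, so the default is "no access".
POLICY: Dict[str, FrozenSet[str]] = {
    "broker":    frozenset({"client_orders", "market_data"}),
    "analyst":   frozenset({"research_drafts", "market_data"}),
    "doctor":    frozenset({"patient_charts", "lab_results"}),
    "dietician": frozenset({"meal_plans"}),
}

# Constructed directory: account -> single role (one role per account keeps
# the policy easy to audit and to revoke when someone changes jobs).
ACCOUNTS: Dict[str, str] = {
    "alice": "broker", "bob": "analyst", "carol": "doctor", "dave": "dietician",
}

# Every data class known to the policy, used to size the "whole estate".
ALL_DATA: FrozenSet[str] = frozenset().union(*POLICY.values())

# Flat policy for comparison: every role can read everything.
FLAT_POLICY: Dict[str, FrozenSet[str]] = {role: ALL_DATA for role in POLICY}


def can_read(account: str, data_class: str,
             policy: Optional[Dict[str, FrozenSet[str]]] = None) -> bool:
    """True only when the account's role explicitly allows the data class."""
    policy = POLICY if policy is None else policy
    role = ACCOUNTS.get(account)
    if role is None:
        return False  # unknown or deprovisioned account: deny
    return data_class in policy.get(role, frozenset())


def blast_radius(compromised: Iterable[str],
                 policy: Optional[Dict[str, FrozenSet[str]]] = None) -> FrozenSet[str]:
    """Data classes an attacker holding the given accounts could harvest."""
    policy = POLICY if policy is None else policy
    reachable = set()
    for account in compromised:
        role = ACCOUNTS.get(account)
        if role is not None:
            reachable |= policy.get(role, frozenset())
    return frozenset(reachable)


def containment(compromised: Iterable[str],
                policy: Optional[Dict[str, FrozenSet[str]]] = None) -> float:
    """Fraction of all data classes that stay out of the attacker's reach."""
    return 1.0 - len(blast_radius(compromised, policy)) / len(ALL_DATA)
```

Under the granular policy a phished broker account exposes two of six data classes; under the flat policy the same single account exposes all of them.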
To stop hackers from gaining access to your internal environment, it is crucial not only to deploy the right security technology, but also to give employees the knowledge they need to recognize the social engineering techniques that may be used against them. With Halloween upon us, remember that through education, training and trust, employees can help secure the data and stop the “trick or breach” techniques that expose all of us to unacceptable risk.