Carelessness Causes Chaos: The Insider Threat
Date: 07/04/2022 | Data Protection & Information Law
I recently achieved accreditation as a Certified Specialist in Cyber Security from the Law Society of Scotland. My research into this topic has really opened my eyes to aspects of cyber security which I hadn’t previously considered.
The most significant thing I learned was that the biggest threat to any business is the insider threat.
In this article I will look at insider threats that can be easily overlooked and share some really simple practical tips which can not only raise awareness but also help prevent incidents.
You wouldn’t allow your staff to leave the office at the close of business without locking the door and setting the alarm, so why leave the cyber workplace unsecure?
Human error is not easy to monitor, but it is the biggest risk to your organisation, and it is a risk that has only increased because of the Covid-19 pandemic. The Department for Digital, Culture, Media and Sport published its sixth annual Cyber Security Breaches Survey which found that only 23% of businesses have cyber security policies in place which cover working from home. The “new normal” of business is still being shaped, but more and more businesses are shifting toward hybrid working or employees working from home on a permanent basis. This shift will require businesses to review and revise their monitoring practices. It will also require employees to be vigilant.
Cyber-criminals are opportunistic and will capitalise on any weakness. Staff are unlikely to have the same standard of anti-virus and firewall protection on their own devices, which makes them more vulnerable to breaches. There is also the added risk that a personal device might be accessed by a family member who may not be so vigilant or cautious. If your staff are using their own personal devices for work, they need guidance, especially if they are using personal email alongside work email.
Gmail blocks approximately 18 million phishing emails a day and Google blocks approximately 240 million spam emails a day, and those are only the attacks that are blocked. All a cyber-criminal needs is for one email to slip through the net. Research has shown that 9 out of 10 viruses which infect a system are traced back to an email attachment. Staff will know the process for securing the office when they are the last person out, and you expect that to be followed every night. You need the same type of process for securing the cyber workplace, and it needs to be implemented and followed.
It may seem like a simple question, but does your organisation have a password policy? Breaching an organisation through a weak or leaked password is bread and butter to any cyber-criminal.
Passwords such as “password” and “pa55word” can be cracked instantly through a brute force attack. Cyber-criminals are sophisticated and use social engineering to crack your password. Is your pet’s name on social media and do you use it? Or do you use your child’s name? This sort of social engineering is where the cyber-criminals will start and will drastically cut down the time it will take them to access your data.
Steps to Take
Firstly, raise awareness amongst your staff about social engineering and how cyber criminals use the information on professional and social media platforms to target you – see that tweet from the airport!
Secondly, ensure that your password policy is clear and forces staff to choose a password which has at least 12 characters. We have all had to create passwords on websites which have insisted that you include capital and lower case letters, numbers and symbols and password panic sets in. You end up creating a password which you know at the time you will never remember. If you use a strong password there will be no need to change it every month either.
A secure password does not need to be a string of unmemorable characters. It could be a memorable phrase, for example “sunshine and rainbows”, which as a password could be written as “Sun5hine&Rainbow5!” and would take 7 quadrillion years to crack through a brute force attack. If you want to check how secure your password is, or how quickly it could be cracked, I would highly recommend a visit to https://www.security.org/how-secure-is-my-password/ which completely changed my perception of passwords.
Another useful and free to access website is https://haveibeenpwned.com which allows you to check if your email address and password have been compromised. It can be a sobering lesson to learn… I was less than pleased to see that my personal email address had been part of 3 data breaches. The biggest lesson here concerns the re-use of passwords. If you have used the same password for LinkedIn as you use to log in to your work account, could that be available on the dark web?
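As an added example (not code from the article), a small Python policy checker that applies the 12-character minimum and a Have I Been Pwned style breach lookup, in which only the first five characters of the password's SHA-1 hash would ever leave the device. The range response it queries is a constructed stand-in for the live service, and the leaked-password counts are invented sample data.

```python
import hashlib

MIN_LENGTH = 12  # the article's recommended minimum password length


def sha1_upper(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


# Constructed sample data: passwords the article names as instantly crackable,
# with made-up breach counts. The real service would be queried with
# GET https://api.pwnedpasswords.com/range/<prefix> and returns "SUFFIX:COUNT"
# lines; this stand-in builds the same format from the sample data only.
CONSTRUCTED_LEAKS = {"password": 9_000_000, "pa55word": 45_000}


def constructed_range_response(prefix: str) -> str:
    lines = []
    for leaked, count in CONSTRUCTED_LEAKS.items():
        p, suffix = split_hash(leaked)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=constructed_range_response) -> int:
    """How many times the password appears in the (stand-in) breach corpus."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:  # full match happens locally
            return int(count)
    return 0


def check_password(password: str, fetch_range=constructed_range_response) -> list[str]:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"seen {seen} times in known breaches")
    return problems
```

Swapping `constructed_range_response` for a function that performs the real HTTP range query turns this into a live check without changing the policy logic.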
A weak password is akin to using a rusty old lock on your office front door!
Software Updates
I appreciate that these can be a pain and I usually find that they pop up at the worst possible time, but your staff should be informed that they cannot be ignored, and why. Upgrading hardware, software and systems has become more difficult during the pandemic. Only 88% of businesses have reported having up-to-date malware protection and only 78% have set up network firewalls. In addition, 32% of large businesses have reported the use of unsupported versions of Windows, which poses a significant security risk. This is akin to going on holiday and leaving your office door open and the lights on.
Breaches due to out-of-date software are risks that all staff members can help prevent. Staff must be told not to ignore software pop-ups and to install updates as soon as possible. When the NHS was hacked in 2017 with the computer virus known as ‘WannaCry’, all bar NHS Wales really did want to cry. What set NHS Wales apart, and what helped mitigate the data loss, was that its IT department remotely installed all software updates and patches across the network, whereas NHS England and NHS Scotland left that in the hands of their employees. Be NHS Wales and ensure that updates and patches can be installed remotely.
Consequences for Your Business
But why should you care? Well, the bottom line is that cyber-attacks are costly. Cyber-attacks cost UK businesses roughly £34 billion a year with approximately £18 billion being attributed to the loss of revenue and data and approximately £16 billion attributed to additional IT spending. Regulatory fines increased with the introduction of the GDPR and the ICO has been flexing its muscles. Group claims following data breaches are also on the increase. Not all breaches will cost your organisation millions of pounds, but any breach of security damages your organisation’s reputation and the trust that your customers and clients have in you to keep their information safe and secure.
Cyber-criminals are intelligent but they are not Harry Houdini. More often than not they will only be able to gain access to your systems if you let them. Thankfully, there are simple tips which can prevent breaches:
- update your policies to take into account the increased risks caused by working from home;
- create and enforce a robust password policy and use the free resources available to educate staff about why passwords are so important;
- encourage safe use of the internet and social media inside and outside of work; and
- teach staff not to ignore software updates and preferably have your IT department take responsibility for patching software firm-wide.
Regardless of the tips and tricks, what it all boils down to is that awareness is the key.
If a criminal were looking to steal property, they would skip the house with three deadbolts and an alarm and go straight to the house whose back door has been left open. Securing the cyber workplace is just as important as any other physical security measure your organisation has put in place.
If you have any questions or if you need any help with your cyber security procedures or how to deal with a breach, contact our team of data protection specialists.