Carelessness Causes Chaos: Cyber Security – The Insider Threat

These days all organisations are well warned about the importance of cyber security, the headlines are full of news about cyber-attacks from other countries and by criminal gangs. In reality, the biggest cyber security risk to your organisation comes from within. Insider threats can be easily overlooked but there are really simple, practical steps you can take to raise awareness and help prevent costly incidents.

Internal cyber security risks have increased due to covid and the rise of employees working from home, either full time or as part of a hybrid-working pattern. The threats from inside organisation are often not malicious but rather stem from a lack of training or simply from honest mistakes, so what should you be looking out for and what can you do to minimise risk?

Human Error

Human error is not easy to monitor, but it can be the biggest threat to your organisation’s cyber security.

The “new normal” for business has seen a shift towards more and more employees working from home either full or part time and although there are lots of positives to this flexible approach, caution is also required.

Many businesses have purchased IT equipment for their staff to use at home however bulk purchasing equipment can be costly, so some have had to roll out IT equipment in waves with staff having to use personal devices for work related matters. Cyber-criminals are opportunistic and will capitalise on any weakness. Staff are unlikely to have the same standard of anti-virus and firewall protection on their own devices which makes them more vulnerable to breaches. There is also the added risk that a personal device might be accessed by a family member who may not be so vigilant or cautious. If staff are using their own personal devices for work, they need clear guidance on best practice, especially if they are using personal email simultaneously with work email.

In 2023 the Department for Science, Innovation & Technology published its “Cyber security breaches survey”. Of the organisations surveyed, in 2020 66% of the businesses and 68% of the charities had cyber policies which covered remote or mobile working yet in 2023 report only 64% of business and 59% of charities had cyber policies which covered remote or mobile working. This is a surprising statistic because you would expect that the shift towards hybrid working would cause an increase in policies which cover remote and cyber working not the opposite.

Phishing is the most common form of cybercrime and the one to which employees are most likely to be exposed. The first phishing attack was in 1995 against AOL users, now in 2024, Google blocks around 100 million phishing emails daily. Research has shown that 1.4 million phishing sites are created every month so the chances of a phishing email slipping through the net is ever increasing. You should make it as difficult as possible for attackers to access your system, whether it be MFA (multi-factor authentication), anti-spoofing controls or phishing blockers. The door on your physical office has locks and bolts so why shouldn’t your virtual office? Training staff on how to spot phishing emails and regularly reminding them of the risks is time and money well spent. All it takes is one click on a phishing email by a staff member and the damage is done.

Passwords

It may seem like a simple question, but does your organisation have a password policy? Breaching defences through a weak or leaked password is bread and butter to any cybercriminal.

Passwords such as “password” and “pa55word” can be cracked instantly through a brute force attack. Cyber-criminals are sophisticated and will use social engineering to crack your password. Is your pet’s name on social media and do you use it? Or do you use your child’s name? This sort of social engineering is where the cybercriminals will start and will drastically cut down the time it will take them to access data.

Strong passwords alone may not be enough and there has been an increase in high-profile cases which reinforce this view. Recently cloud storage provider Snowflake was hacked, and 165 customers have been affected.  Snowflakes customers include big names like Ticketmaster and Santander and the result of this attack is that millions of people have had their personal data stolen. It is rumoured (the case is still ongoing) that the hackers accessed the system using the username and password of a Snowflake employee. Simple and cost-effective measures such as MFA could make it more difficult for attackers to enter a system. It is also rumoured that some of Snowflake’s customers didn’t use MFA when accessing the cloud storge and that is how the hackers gained access. Full details will undoubtedly be provided once all the investigations have been finalised but initially it would seem that the culprit is an unsecure username and password. Staff need to be reminded regularly to keep these details confidential.

Steps to Take

Firstly, raise awareness amongst your staff about social engineering and how cybercriminals can use the information on professional and social media platforms to target your organisation.

Secondly, ensure that your password policy is clear and forces staff to choose a password which has at least 12 characters. We have all had to create passwords on websites which have insisted that you include capital and lowercase letters, numbers and symbols and password panic sets in. You end up creating a password which you know at the time you will never remember and so end up changing it often but if you use a strong memorable password there will be no need to change it every month. A secure password does not need to be a string of jumbled characters. It could be a memorable phrase for example “sunshine and rainbows” which as a password could be written as “Sun5hine&Rainbow5!” which would take 7 quadrillion years to crack through a brute force attack. If you want to check how secure or how easy your password is to crack, I would highly recommend a visit to https://www.security.org/how-secure-is-my-password/ which may completely change your perception of password security.

Another useful and free to access website is: https://haveibeenpwned.com which allows you to check if your email address and password have been compromised.  It can be a sobering lesson to learn…I was less than pleased to see that my personal email address had been part of 3 data breaches. The biggest lesson here concerns the re-use of passwords. If employees have used the same password for LinkedIn as they use to login to their work account, could that be available on the dark web?

Staff should be reminded that having a weak password is akin to using a rusty old lock on the office front door!

Software Updates

These can be a pain and usually pop up at the worst possible time, but your staff should be informed why these cannot be ignored. You should also ensure that any software patches are applied as soon as possible after they become available. Patches are released when a vulnerability is identified. Vulnerabilities are exploitable and leaving your organisation open by delaying updates or that applying patches in a timely manner, is akin to going on holiday and leaving the office door open and the lights on.

Breaches due to out-of-date software are risks that all staff members can help prevent. Staff must be told not to ignore software pop ups and to install updates as soon as possible. When the NHS was hacked in 2017 with the computer virus known as ‘WannaCry’, all bar NHS Wales really did want to cry. What set NHS Wales apart and which helped mitigate their data lost, was that its IT department remotely installed all software updates and patches across the network whereas NHS England and Scotland left that in the hands of its employees. Be like NHS Wales and ensure that updates and patches can be installed remotely.

Why should you care about all this? Well, the bottom line is that cyber-attacks are costly and are increasing on organisations of all sizes large and small. Cyber-attacks cost UK businesses roughly £27 billion a year and globally the cost is in excess of £8 trillion. The costs come in various forms, this includes fines from the likes of the ICO and the FCA as well as compensation claims from individuals who have been affected by the breach. Not all breaches will cost an organisation millions of pounds, but any breach of security can restrict the ability to operate, damage an organisation’s reputation and destroy your customers and clients’ trust.

Cyber-criminals are intelligent, but they are not Harry Houdini. More often than not they will only be able to gain access to your systems if you let them. Remember these simple tips to help prevent breaches:

• update your policies to take into account the increased risks caused by working from home AND make sure your employees read and understand the policies;
• create and enforce a robust password policy and use the free resources available to educate staff about why passwords are so important;
• encourage safe use of the internet and social media inside and outside of work;
• teach staff not to ignore software updates and preferably have your IT department take responsibility for patching software firm-wide; and
• run tests to make sure what you do have in place is appropriate and effective.

Regardless of the tips and tricks, what it all boils down to is that awareness is the key.

If a criminal was looking to steal valuables, they would skip the house with three deadbolts and an alarm and go straight to the house whose back door has been left open. Securing the cyber workplace is just as important as all the physical security measures your organisation has put in place.

If you have any questions or if you need any help with your cyber security procedures or how to deal with a breach, contact our team of data protection specialists.

Disclaimer 
The matter in this publication is based on our current understanding of the law.  The information provides only an overview of the law in force at the date hereof and has been produced for general information purposes only.  Professional advice should always be sought before taking any action in reliance of the information. Accordingly, Davidson Chalmers Stewart LLP does not take any responsibility for losses incurred by any person through acting or failing to act on the basis of anything contained in this publication.