It’s not a newsflash that insider threats are among the biggest concerns that businesses have, in the era of distributed networks, cloud services and enterprise mobility. Those fears appear to be justly founded: FBI and the Department of Homeland Security are warning of a heightened danger of insider threats to cybersecurity, stemming from disgruntled and/or former employees.
“The FBI and DHS assess that disgruntled and former employees pose a significant cyber-threat to US businesses due to their authorized access to sensitive information and the networks businesses rely on,” the Feds said in an advisory.
In fact, there have been several significant FBI investigations so far in which individuals “used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts and gain a competitive edge at a new company.” Victim businesses have incurred significant costs as well, ranging from $5,000 to $3 million.
Perhaps most interestingly, the theft of proprietary information in many of these incidents was facilitated through the use of cloud storage websites, like Dropbox, and personal email accounts.
"Many businesses suffer from a false sense of security when it comes to popular 'box' storage services,” Ryan Kalember, chief product officer at WatchDox, told Infosecuity. “The fact that disgruntled employees are using these services to access sensitive company data is a prime example of the vulnerabilities inherent in these freemium services like Box and Dropbox. The content stored in them is only as secure as the people accessing it. Additionally, these services create a lot of confusion around who owns what, especially when an employee leaves."
In many cases too, terminated employees had continued access to the computer networks through the installation of unauthorized remote desktop protocol software that had been installed prior to their leaving the company.
There have also been a rash of more hacker-esque attacks; multiple incidents were reported in which disgruntled or former employees attempted to extort their employer for financial gain by modifying and restricting access to company websites, disabling content management system functions and conducting distributed denial of service (DDoS) attacks.
Businesses reported various factors into their cost estimates, to include: calculating the value of stolen data, information technology (IT) services, the establishment of network countermeasures, legal fees, loss of revenue and/or customers and the purchase of credit-monitoring services for employees and customers affected by a data breach.
As far as mitigation, “technology controls, while necessary and important, cannot guard against this often-overlooked reality in today’s cyber-environment: upwards of 70% of all organizational data theft is the result of the deliberate or unintentional behavior of privileged insiders,” Craig Guiliano, senior threat specialist at TSC Advantage, told Infosecurity. “It’s therefore critical that businesses think beyond popular data security sensors and address their holistic vulnerabilities as well. Such an activity might reveal a host of alerting human behaviors with direct impact on the business, such as the sub-standard hiring practices of an essential outside dependency or the characteristics identified as being most commonly associated with malicious insiders, such as an employee with a financial motivation who seeks access to proprietary matters outside of their job function or an employee with a sense of entitlement because he or she feels at least partially responsible for development of their company’s intellectual property (IP).”
Guiliano recommends education through customized training and awareness programs, coupled with a confidential reporting mechanism, to provide an effective solution in the defense of your business that is as important as the traditional (and more expensive) cyber-centric control.”
US-CERT also provided a list of handy tips to protect against insider threats, including no-brainer advice like terminating all accounts associated with an employee or contractor immediately upon dismissal. Companies should also of course change administrative passwords to servers and networks following the release of IT personnel.
Businesses should also terminate any account that individuals do not need to perform their daily job responsibilities, and avoid using shared usernames and passwords for remote desktop protocol clients as well as for multiple platforms, servers or networks.