Insider threats, whether born of malicious intent or of mistakes, are a growing security problem for organizations, according to a panel speaking at the Infosecurity Online event.
This is due to a number of factors that have emerged in recent years, one of which is the sheer volume of data now flowing around organizations. Stuart Hirst, principal cloud security engineer at Just Eat, explained: “Most employees have got access to much more data than they might have had in years gone by, and then the mechanisms for that data to either be maliciously taken or lost through mistakes have grown as well.”
Another factor is that people tend to change jobs far more regularly, including moving to rival firms. Marina Krotofil, cybersecurity lead, energy industries at ABB, noted: “People tend to change jobs more frequently and try to get ahead, so they take information that will be useful for them to advance their careers.”
Krotofil also highlighted how insider threats have become an especially big problem in the critical infrastructure sector, in which she has spent a large portion of her career. A major aspect of this is the growth of outsourcing, which expands an organization’s border. “We suddenly have so many subcontractors, who for the duration of the project become an internal part of the organization, and we share a lot of confidential proprietary information with them,” she commented.
The issue of insider threats has been further exacerbated by the shift to home working brought about by COVID-19 lockdown restrictions this year. Deryck Mitcheson, director of information security at NHS National Services Scotland, highlighted the dangers posed by common staff behaviors that take place whilst home working, such as screens being left unattended and personal devices being used for work purposes.
Having a robust approach to combatting insider threats is therefore critical for a modern organization, and the most important thing is building a strong internal cybersecurity culture, which in turn should lead to greater investment in this area. In Mitcheson’s view, the most effective way to achieve this is to clearly outline to board members the business impact of data breaches, such as on shareholder value and financial losses. “Try and speak in business terms to business people around the opportunity of getting good cyber-hygiene and cyber-awareness,” he advised. “When they see it in these terms, they’ll start to invest.”
Hirst agreed, adding: “If you’re going to very senior people, you need to articulate what’s at stake and almost need to scaremonger a little at that level.”
Another important element in building a strong cybersecurity culture is the willingness to communicate openly and transparently when incidents occur, a practice that is still not commonplace. Krotofil explained: “In the majority of organizations I’ve worked in, the incidents are kept secret. So it’s a very limited number of people who are aware of the incident.”
She added: “As a result, it’s very difficult to raise awareness and levels of concern that we have to be careful or that we have a problem.”
The panel also discussed how to reduce the risk of insider errors by making user awareness training more engaging for all staff. Mitcheson highlighted how interactive exercises such as gamification and simulation can be highly effective in this regard. “Do it in a fun and engaging way,” he said.
Tailoring training to different teams, especially those that are non-technical, is also recommended. Making security relatable to everyday life is something Hirst has found to be effective at Just Eat: “We always try and relate it to real life, so we don’t just want your security mindset to finish at 5 o’clock; we try to help you secure things in your personal life as well, and when you take people on that journey and they understand that, you get a lot of buy-in.”