Hidden Truth About Cyber-Crime: Insider Threats

Uploaded on 2019-02-25 in TECHNOLOGY--Resilience, FREE TO VIEW

Barely a day goes by without reports of another major cyber-attack. Whether the target is an illicit dating site, a leading business, charity or even the British National Health Service (NHS), hackers have demonstrated a level of indiscriminate ruthlessness towards wreaking havoc and stealing confidential information.

The ramifications of these attacks are profound. In September last year, that ride-hailing firm Uber agreed to pay £133m to settle all legal action over the cyber-attack that exposed data from 57m customers and drivers back in 2016.

British Airways was hit in the summer by a breach, affecting 380,000 transactions, involving stolen personal and financial information, but not passport or flight details. Additionally, social media platform Facebook also disclosed that a security breach exposed up to 90m Facebook user accounts in September 2018.

Clearly the problem is not going to go away anytime soon. Last year’s Cyber Security Breaches Survey found that 19% of charities and 43% of businesses had reported cyber security breaches or attacks in the last 12 months alone. This figure rose to seven in 10, or 72%, among large businesses and a similar proportion, 73%, among the largest charities with incomes of £5m or more.

The result of this trend has been a major boost in spending on cybersecurity. Analysis from Gartner has suggested that over $114billion was spent on cyber measures last year, yet successful attacks keep happening. Further data suggested 66% of companies have been successfully breached in the last year alone, with severe consequences.

It’s clear that whilst business leaders recognise there is a problem, research suggests that many have a very limited understanding of the nature of the attacks. Recent research suggested that 61% of CEOs are citing malware as the main cause of data loss when in fact phishing, privilege breaches and compromised passwords are more prevalent.

This cyber blind spot means that many companies have invested in cyber prevention methods, including software and solutions, as well as staff training, yet many are unclear about where these threats arise.

The issue is further inflamed by lax security measures around privilege access, meaning that once a user gets hold of a device, username and password, there are few restrictions around what they can and cannot access.

This is something I have seen time and time again, with many large companies believing that security measures should be framed around the perimeter only. It’s easy for organisations which are not yet operating in the cloud with servers and applications to assume they are safe from harm.

The reality is that unless a business is completely disconnected from the web then it is vulnerable to attack, with malicious hackers able to steal privilege details through brute force or targeted phishing techniques.

Much of the problem stems from the fallacy that the greatest cyber threat to a business comes from an outsider attack, when in fact the opposite is the case. Part of the reason for this is relentless media coverage pointing the finger at foreign nations, international criminal networks and cyber groups determined to cause chaos by any means necessary.

Unfortunately, this assumption of safety means a significant number of IT directors and Chief Information Security Officers (CISOs) still operate believing that traditional security perimeters apply. This is despite the fact that even the use of email accounts changes the game in terms of their company’s security perimeter, putting the safety of the organisation at risk.

Waking up to the reality that the enemy lies within the organisation is the first step towards properly preventing future attacks. We call it Zero Trust, assuming that every user is a potential security threat and mitigating that threat with high levels of proficiency without disrupting productivity.

For example, if a senior member of staff suddenly logs into their account, in a different country or time zone, it’s important that security systems pick this up. It’s also critical that the organisation can alter and manage the privileged access the employee has to confidential data, so that this is reflective of their managerial level.

Failure to adopt this approach could allow a malicious hacker unprecedented access to a goldmine of confidential company information. In which case, by the time the company realises there is a problem, it is already too late.

Many large-scale organisations store critical passwords and data within the company ‘password vault’ and gaining access to this area of the business is seen as a goldmine for would-be hackers.

Yet many security providers in this space would have you believe that gaining access to the relevant passwords and breaking into the company password vault is the be-all-and-end-all of privileged access management.

The reality is companies must now look beyond the password vault in terms of adopting a Zero Trust approach, focusing instead at the individual, their device, log-in activity and question their levels of access to critical company data.

Moving forward, it’s critical that company leaders assume that all employees are a potential threat. Practical steps for this approach must mean authenticating, auditing and granting access when the company is certain that the user is who they say they are.

A healthy sense of paranoia is the only way for organisations to properly protect critical data, this means recognising that the threats can come from any employee or device, at any time.

In an increasingly dangerous digital world, assumptions about user identity is a major risk. Businesses need to think long and hard about who exactly is entering their systems, what they are viewing and the associated security risks.

The hidden truth about cyber-crime is that the majority of companies have no idea about exactly where these threats are coming from.  Failure to wake up to the reality that privilege attacks are one of the biggest risks will leave companies open to major attacks, unable to respond until it’s too late.

Information Age:

You Might Also Read:

Take An Analytical Approach To Cybersecurity Training:

 

« Obsessive Web Browsing Linked To Depression
Lack Of Tech Expertise At Board Level Puts Strategy At Risk »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Janusnet

Janusnet

Janusnet develops software and solutions for organisations to enforce and manage data security.

Managed Security Solutions (MSS)

Managed Security Solutions (MSS)

MSS deliver consultancy services and managed security services for IT departments who may lack the time, resources, or expertise themselves.

Silverskin Information Security

Silverskin Information Security

Silverskin is a cyber attack company that specializes in having knowledge of the attacker's mindset to identify vulnerabilities and build effective and persistent defences.

Xcina Consulting (XCL)

Xcina Consulting (XCL)

Xcina Consulting provides high quality business and technology risk assurance and advisory services.

Private Internet Access

Private Internet Access

Private Internet Access is a Virtual Private Network services provider offering secure encrypted access to the internet.

Mend.io

Mend.io

Mend.io (formerly known as WhiteSource) is an application security company built to secure today’s digital world.

Critical Insight

Critical Insight

Critical Insight provide Managed Detection and Response, Vulnerability Detection, and Consulting Services to help you secure your mission-critical systems.

Fortiphyd Logic

Fortiphyd Logic

Fortiphyd Logic equips operators of the power grid, oil & gas, and other critical infrastructure with the tools and training they need to defend their industrial networks from advanced cyberattacks.

Silent Sector

Silent Sector

Silent Sector is a cybersecurity services company that specializes in providing a wide range of managed security services.

AML Global Solutions (AMLGS)

AML Global Solutions (AMLGS)

AMLGS delivers Financial Crime prevention training programmes and consultancy services encompassing Anti-Money Laundering (AML), Counter Terrorism Financing (CTF), Bribery & Corruption and Fraud.

Security Risk Management (SRM)

Security Risk Management (SRM)

SRM provide a comprehensive security risk management service encompassing people, processes, technology, governance, compliance and risk management.

Laneden

Laneden

Laneden specialise in helping organisations identify security concerns and quantify the risks you may have across your assets, using Penetration Testing, Threat Simulation and Compliance Testing.

Occentus Network

Occentus Network

Occentus Network is a telecommunications service provider specialized in High Availability Servers & managed Cloud services.

DESCERT

DESCERT

DESCERT offers you an extended IT, cyber security, risk advisory & compliance audit team which provides strategic guidance, engineering and audit services.

Northern Computer

Northern Computer

Northern Computer provides comprehensive IT solutions that streamline your operations and help you achieve your business goals.

Heyhack

Heyhack

Heyhack is a SOC 2 Type II certified automated penetration testing platform for web apps and APIs.