Beware the insider threat in the war against cybercrime

Jon-Louis Heimerl, manager of the threat intelligence communication team at NTT Security, tells how to improve your defences against cybercriminals

The desire to bolster cybersecurity may be jumping up the list of priorities in boardrooms across the UK, given the uncomfortable rash of headline-making attacks in 2017. However, shoring up defences against external dangers is not enough on its own.

Few in the C-suite realise the potential risks of the so-called insider threat, not least because it is not always who you think it will be. The insider threat can be more lethal because once hackers have authorised access they can run riot.

NTT Security’s latest Threat Intelligence Report, published in November, highlights that about 10 per cent of the incidents we have dealt with this year have been related to insider breaches. In truth, the percentage may be even higher; companies don’t always know when they have been compromised, especially if the attack is triggered internally, whether intentional or not, and limited alarms are set off because the hacker often has authorised access.

Recently we had a new client who took two years to realise hackers had breached their system and the average detection time is thought to be around 190 days. While undetected, cybercriminals can access essential digital assets and sensitive data, such as payroll details, research-and-development plans and anything of value, if the right precautions have not been taken.

Since the beginning of 2016, only about 25 per cent of insider breaches with which NTT Security has been involved have been related to overtly hostile activity, specifically an inside attacker stealing corporate resources or information. The remaining 75 per cent of insider activity has been either accidental or negligent.

Unfortunately, accidents happen every day in the workplace. It can be something as seemingly trivial as mistakenly sending an email to someone thanks to a slip on the keyboard. Negligence mostly occurs when system administrators fail to back up properly, use patches or update applications as quickly as possible. Similarly, catching malicious insider threats is usually down to good management.

Consider that, on average, around 70 per cent of employees can access digital assets they shouldn’t be allowed to. A majority of companies have not yet taken the steps to limit this exposure, though the introduction of the General Data Protection Regulation in May should encourage organisations to tighten their defences.

In your office you might have access to human resources records, payroll or other files you don’t necessarily need. If you have highly sensitive information critical to your operation, and it is not segregated from other parts of the network, then that is problematic.

At NTT Security, we perform a variety of assessment services and you would be shocked at the number of times we are able to penetrate organisations with ease. Too often they have an internal structure which is completely flat; there is no segregation and only limited data protection.

To minimise the impact of insider threats, one of the most important things an organisation can do is segregate their information by using sub-networks in protected internal networks. This system can be simple for a chief information security officer to employ and cost effective. Crucially, it means that even if hackers come on to your network and gain a foothold, they will have to breach your internal subnets before they can succeed in exfiltrating valuable data.

Elevated security controls will help make sure users can’t stroll from segment to segment. In addition, you need to establish a good authorisation password, and carefully and constantly monitor who should have control and access to a certain subnet. This is not necessarily a hard job, but it can take some time because you have to keep an eye on a lot of moving pieces. Anything we do to protect against the hacker at that level is also helping to limit an insider breach, whether it is accidental, caused by negligence or deliberate.

A final point to stress is that crisis planning is vital. If you are breached, from inside or out, you want to deal with it in the most efficient way, and that comes with practising and firming up necessary processes, including your incident-response handling. The longer it takes to deal with a cybersecurity issue, the more damaging it can be, especially when the GDPR comes into force, both financially and in terms of brand reputation. Ultimately, it is imperative not to make it easy for the criminals, from the inside out.

Download the NTT Security GTIC 2017 Q3 Threat Intelligence Report: