Insider threats evolving, still main risk

Rogue employees are collaborating with third parties to commit cybercrimes, with their key focus shifting from financial thefts to corporate espionage.

Despite the low publicity, insider threats are still prevalent and a key risk to organizations, with rogue employees moving from working solo to collaborating with external cybercriminals.

Even with the proliferation of new security threats such as advanced persistent threats (APTs), many companies still consider insider threats to be the biggest risk to corporate data, noted Eric Chan, regional technical director of Fortinet South-East Asia and Hong Kong.

A survey released in April this year by network security firm Algosec, for instance, found that insider threats were still one of the top worries of IT and security professionals, at 27.5 percent, compared to a lack of visibility into applications and networks at 28.7 percent.

Chan said insider threats are still prevalent today because anything stored electronically is easier to steal, especially when one has legitimate access to it.

Such incidents are simply less publicized compared to incidents stemming from external cybercriminals because companies want to avoid bad publicity, noted Guido Crucq, security solutions general manager at Dimension Data's solutions development group.

From solo to teamwork, financial theft to espionage
According to Crucq, rogue employees are increasingly working with external cybercriminals to commit the deed.

Previously, Chan said insider threats comprised mostly individuals who were working on their own to steal corporate data. Today, organized crime groups and nation states recruit corporate insiders to conduct attacks on critical infrastructure such as power and nuclear plants, he observed.

An example of this is the July 2012 corporate espionage incident at Dutch chemical company DSM, when infected USB sticks were left in a carpark, Crucq said, adding that it had taken place within the organization but had been initiated by an outside group.

Insider threats also have become more sophisticated, evolving from simply "copying a database" to deploying advanced malware to collect information, he said.

The motivation has also shifted from pure financial theft to intellectual property theft, he noted. In some instances, insider threats attempted to steal both money and corporate data, he remarked.

Factor insider threat into risk management
Over the years, there has been "positive movement" to beef up IT security, Crucq observed.

However, as threats are on the rise and constantly evolving, organizations need to start factoring insider threats into their risk management approaches. These should include conducting application and system tests from the view of an insider threat, network segmentation and monitoring of the security environment, he advised.

With business globalization, employees also are working in many parts of the world and it is common for a company to hire someone with a different cultural background, Crucq noted. This increases the possibility that a company will be unable to do a clear background check on the employee, hence increasing the chances an employee will misuse a system, he explained.

Companies should exercise due diligence in hiring candidates, and conduct thorough background checks and in-depth interviews, Crucq advised.

In addition, he said, they should monitor their employees and have processes in place such as limiting access to data and determining how privileged accounts should be handled.

With regard to employee monitoring, he urged companies to be transparent about what they monitor and access, to strike a balance between privacy and security.

This is especially important amid the proliferation of the bring-your-own-device (BYOD) trend, as companies have to guard their data while ensuring they have the technical means to segregate private information from corporate information, he explained.

For instance, organizations can encrypt corporate data on the employee's device but not their personal information. If the device is lost, the company can wipe out only corporate data and not the employee's personal information, Crucq said.
