While this is the plot of American drama series Mr. Robot, Hollywood (and at times Bollywood too) is regularly amused by the concept of insiders, not just because they make for intriguing plot-points but because they are a real threat! Take a real-life example, two employees of General Electric (GE) downloaded thousands of files with trade secrets on calibrating the turbines from GE’s servers and sent them to private email addresses or uploaded them to the cloud. They also convinced an administrator to grant access to data they did not have access to. With the stolen intellectual property in hand, one of them founded a company and competed with GE! However, after several years of investigation, the insiders were convicted and sentenced to prison time and $1.4 million in restitution to General Electric, in 2020.
The GE example is a perfect blend of the multiple ways an insider can be a threat. Malicious intent, negligence, and credential theft, all of which are the topmost attack vectors according to the IBM Cost of Insider Threats 2020 report, can be appreciated in the GE event. They say that if an insider turns rogue there is little an organization can do to prevent a breach. “It is always the one closest to you that hurts you the most.” However, the one vector which is in total control of an organization but managed the worst is employee negligence. Even when negligence accounts for 99% of breaches, the only way organizations are curbing this vector is through mundane phishing simulations, uni-directional classroom training sessions and the result is frankly, dismal. If it weren’t so, how did one of the biggest Silicon-Valley based companies’ employees fall prey to a mass sphere-phishing campaign? In the Twitter attack fiasco, hackers gathered information on employees working from home, contacted them, introduced themselves as IT administrators, and asked for user credentials, which they received!
Why is it neglected?
The reason the biggest source of insider threats is still the massive, despite decades of trying to curb it is because it needs a systematic re-engineering of human nature. For instance, we instinctively look left and right before crossing the road because we have the fear of an accident ingrained as a part of survival. However, the current generation of employees has grown up surrounded by the internet without ever being taught to navigate it safely. As a result, they have never developed an instinct to prevent an accident.
Organizations are doing their best to limit insider attacks through security incident and event management, user training and awareness, Privileged Access Management (PAM), and User and Entity Behavior Analytics (UEBA), but failing because they aren’t hitting the nail on the head. While these modalities are more suited to address malicious intent, negligence is simply too large a vector to leave up to chance especially when it is the only vector that can be ~99% prevented. Rather than focus on what may happen (criminal insider threat), organizations should shift focus to what will definitely happen and take concrete steps to avoid it!
Change the narrative
Organizations need to do away with boring cyber awareness initiatives and cater to the audience they intend to educate. They’re too smart to be fooled by standard one-time phishing simulations but gullible enough to post sensitive data on social media. We need to reach a point where the average employee hesitates before downloading anything or stops before clicking on a link… the way they hesitate before running barefoot on a cement road on a sunny summer afternoon! The brain has to register threats before acknowledging they exist. Snappy, engaging content is the mantra of the hour and cybersecurity needs to get on that train. Such nano-content should not only engage but also re-calibrate the subconscious of the employee. It needs to be re-inforced by playing to the competitive streak in this generation – pit employees’ cyber-awareness ‘quotient’ against one-another and make it a sport. Take away the obligation of one-time training and make it routine.
Companies need a better method to track negligence, in real-time. They need to take control and have a risk-driven approach rather than accept negligence as an excuse. This approach needs to include but not be limited to
Scanning the deep and dark web for credential exposures of each employee and monitoring employee behavior patterns to link if they’ve been hacked by cybercriminals who might have taken over their business accounts.
With an objective means to analyze any and every user activity, it also allows organizations to track improvements and deterioration, helping them streamline awareness programs to the weakest links.
Another advantage is that enterprises can personalize notifications based on ‘drops’ in scores- reducing negligence-related slip-ups, even from security teams.
The combined effort to tackle negligence from employees and organizations is the solution. Imagine the drop in inadvertent data breaches if the largest contributor to it is reduced! Organizations should first try to curb what is in their complete control rather than firing bullets in the dark in the hope of preventing a breach. A negligent employee can be transformed into a conscientious one with the help of tools and platforms that are already available. The journey may be long but the destination is well worth the travel.
(The writer is co-founder, Safe Security)
Download The Economic Times News App to get Daily Market Updates & Live Business News.