The Insider Threat

We have all heard about how the insider can wreak havoc on your business. Yet business owners and other staff rarely understand how much damage an insider can actually do.

From a business security perspective we have definitely experienced people in the workplace who:

  • are self-important
  • are always in a hurry
  • are not focused on the business at hand.

These Insiders can also have a detrimental impact on business security.

Here are seven types of insider who make the insider threat real to any organisation.

1. Convenience seekers – bypass protocol, too hard, too busy

We have all seen them in business. They jump from one thing to the next and start a huge number of jobs but never finish them, or finish them haphazardly.

They are more interested in their own work than in keeping the company safe. Passwords, updates and scans are usually bypassed. When something goes wrong, it is never their fault. Clicking on an email link without using common sense is a prime example.

They are the first to complain about the time it takes IT support to remove a virus. By bypassing the organisation’s Cybersecurity, they put the whole organisation in danger.

Solution – get them to slow down; their job is no more important than anyone else’s.

2. The accidental victim – makes mistakes, doesn’t think

These are the people who are too timid at work. They fear making mistakes, and by fearing reprisals and keeping quiet they become the victim. The company suffers as well.

The accidental victim is either an older employee or a new starter. They are very noticeable in not-for-profit organisations.

Solution – Provide education and training in the use of computers. Explain what’s expected in their role within the organisation.

3. They know everything – oversharing

This person is very good at big-noting themselves. They use their knowledge of the organisation to place themselves in avoidable situations. They overshare critical and confidential information in email. They don’t think about the consequences of sharing on social media and also in meetings.

Solution – separation of information: restrict access to information within the organisation.

4. Untouchables – it will not happen to me

We get these types of people in all types of business. They are the second cousin to number 1. “I am not a target of cybercrime; it will never happen to me because I have nothing worth stealing.”

With the technology changes over the years, a bored 14-year-old can be the attacker. Access to the internet is their tool. Every internet user or business is a target. Anyone can be attacked and everyone needs to take the necessary precautions.

Solution – providing education and training.

5. Entitled ones – access to everything because they ‘want to know’

The entitled employee is one of the most dangerous non-malicious insiders. Their laptops or tablets hold the organisation’s secrets, and they use free wifi in cafes. They have no business reason to keep all that critical information, but they have to have it.

This means there is a greater risk of company information being stolen or attacked.

Solution – need to know. Stop allowing access to data by staff who don’t need it. Segregate it into public, commercial-in-confidence and critical. If someone does not need the information, deny access to it.

6. Traitors – malicious insiders

Up to this point, the insiders have been the result of stupid behaviour. The malicious insider is a malicious person. Their focus is on themselves. For whatever reason, they might intend to leave, or have a grudge against the company or an employee. They won’t hesitate to go to your competition with all your corporate data.

Solution – at the first whiff of someone leaving, walk them out the door. Don’t keep a bad apple in the basket.

7. The secret insiders – the bad guys, in the first stages of an attack

These are the true bad guys, the ones you should be protecting your organisation against. They may have infiltrated your organisation via one of the other insiders and are now able to do damage. They could have become an insider through a social media, email or web-based attack. The secret insider isn’t an employee. They are not answerable to your policies and procedures. They will damage your organisation because you don’t have protections.

Solution – increase awareness, do a penetration test and review the report, then do it all again. Regularly.

These insider threats are the ones we have come across. Some people are a combination of two or three traits. The best way to protect yourself from the insider is to pay attention to your staff and your management.

The best way to find out what your organisation needs to do to be safe is to:

1. Use the CareMIT Digital Diagnostic Tool

2. Come to one of our regular quarterly “Security Board Meetings”

Why you need a new breed of Business security

Introduction

In the last 20 years, there has been a slow change in how business approaches the management of its ICT component.

As business and technology have changed, there have been significant changes in the management process for these systems. The more complex and costly the systems, the more dedicated the support has to be. We have gone from onsite support from staff (“I know computers”) to off-site support from a service provider.

SMEs no longer have the resources available to manage their ICT, and a new breed of company has slowly been taking more and more control over these parts of your business.

Managed Service Provider (MSP)

Originally these organisations were known as ICT or IT companies. They were usually run out of hardware and software stores and were more focused on those areas.

It was eventually realised that just managing the hardware and software of small and medium businesses and not-for-profit organisations was not enough. When technology broke, most organisations still could not afford a technician to come to the site, and an IT company needed to make its resources go further.

The managed service provider did a number of additional things:

  • They had remote monitoring and management (RMM) systems covering the technology within the organisation. This allowed them to give feedback to clients in the form of comprehensive reports on their network.
  • They had helpdesk capability to fix issues as they arose, whether from the RMM systems or from the users.
  • They started to become proactive, not reactive.
  • In a number of ways they even became vendor managers. They looked after their clients from the internet down to the user.

Managed Security Service Provider (MSSP)

Business has changed and the requirements for ICT support have changed, so the MSP needed to do more.

To be competitive and more productive they started adding on services. These services, if not already delivered by the MSP, included:

  • off site backup,
  • managed firewall,
  • web application firewalls,
  • web site management,
  • managed antivirus, and many more.

In most cases these were a bolt-on to the MSP offering, supplied to maximise profit and reduce cost. In a large number of situations the customer was not getting value for money because the MSP was tied to a specific vendor.

In the last 5 – 10 years, the bigger the perceived problem with security, the more clients were going to purchase systems from their trusted adviser, their MSP. Once again, increasing profits by reducing costs.

Any MSSP that does this is actually exposing its clients to huge problems. Most service level agreements (SLAs) reduce this down to “all care, no responsibility”.

Managed Business Security Service Provider (MBSSP)

SMEs and NFP organisations need to approach business security in today’s business world from a new direction.

Business security has to be approached from the top down. Management and board members HAVE to get involved. An MSP or MSSP that is not recommending risk management and a cybersecurity framework is in fact doing a huge disservice to your organisation.

Risk management, and a risk management process, looks at all of the risks to the organisation, allows you to think and work through them, and delivers strategies to protect the organisation. It includes the ICT and technology area, but there is so much more that has to be incorporated into a risk management plan.

The second part is a cybersecurity framework. A framework does a number of things:

  • It focuses management on the tasks required to secure the organisation.
  • It removes knee-jerk reactions to perceived threats.
  • The more of the framework you implement, the more secure your organisation.
  • It has to be done with the involvement of all areas of the organisation, from management down and from the coal face up.
  • It can be managed within reduced cost, expertise and time constraints.

Most frameworks have a baseline requirement. When you start to implement the framework you have to know how secure you are before you can start to improve. The baseline also allows you to look at priorities within the organisation.

Conclusion

If your organisation is still using an MSP or an MSSP to manage your security without looking at the risk components or without implementing a cybersecurity framework (we recommend the National Institute of Standards and Technology (NIST) cybersecurity framework), then you need to rethink your business security requirements.

Talk to an organisation that is focused on MBSSP capability.

Secure your business!

Get proactive!

Do the scorecard!

Read your report!

Link to scorecard https://caremit.scoreapp.com

#ceo #ExecutivesAndManagement #ProfessionalWomen #CareMIT #cybersecurity #infosec

It’s not just business security you have to worry about

Security! The problem with security, especially cybersecurity, is that it is not sexy.

In most cases, it is downright boring.

Although not sexy and downright boring it is still something that every CEO, manager, owner, and board member has to focus on.

With all of the automated attack vectors available to cybercriminals, we can no longer say we are not a target. We cannot say we have nothing worth stealing.

The more reliant business becomes on the digital world, the greater the chance that a cyber event will cripple the organisation.

What are the main things that every management type needs to focus on when it comes to prevention of a cyber event?

Here are a few!

The cost of a cyber event.

The cost of a cyber event can range from lost time and functionality within the organisation to more money than the organisation can find to pay for the breach.

Cryptovirus is an example of lost time and functionality. If you do not have a functioning and tested backup of the data, you not only have to rebuild the offending device, you also have to recreate all of the data.

A full-blown breach by a dedicated black hat hacker can steal everything and then use your system as a platform to target your clients, suppliers and staff. When that happens you realise that you are NOT too small to be a target.

How they get into your system

The go-to weapon of most cyber attacks is social engineering. It combines two parts into a very effective attack strategy: the technology to effect change (follow a link to an infected website, click on an ad in social media or open an attachment in an email), combined with getting you to trust them so that you let them in.

Either way, they are now in.

Risk and problems just compounded.

Take simple ransomware, for instance: the initial encryption of data is only one of the stages of the attack. What about stages 2, 3 and 4?

WannaCry showed us that a combination of two attack vectors allowed a single infection to traverse a whole network. One computer is a problem for any organisation. All of the computers is a nightmare.

The protection challenges

In most situations managers, owners, executives and board members do not understand the digital realm. Risk management of data (a critical component in today’s business world) is often overlooked and considered an ICT problem.

It’s not! Today’s digital security challenge is everyone’s issue, and the sooner it gets noticed as a business risk and treated as such, the faster we will see a reduction in attacks.

From the largest organisations to the smallest single entities, we all keep critical data in places that are easily accessed, relatively unprotected and mobile.

What are you doing to manage the expected cyber events that could cripple your organization?

There is no single, simple fix. If there was, everyone would be safe.

It is a complex issue and one needs to dedicate some time, money and expertise to understanding the issues and risk associated with a cyber event.

The best way to find out how vulnerable your organisation is to a cyber event is to use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings”.

Why your charity is a great target for cybercriminals

You are doing a great job. You manage or support a small charity or not-for-profit organisation and love what you do.

Your primary focus is to get as much done for your charity as possible. It could be donations, volunteers or grants, but it is all for your primary charity focus.

Your whole role is to make sure that as much money goes through to the people in need.

Now I want you to step back and answer a couple of questions.

  • What would happen to all those good intentions if you got hacked?
  • How many of your supporters would you lose if you got hacked?
  • What would happen to your reputation if you got hacked?

But, it would not happen to you, would it?

Let me tell you a not so secret secret!

You are a target!

Maybe not a target of a full-blown black hat attack, but you are a target nonetheless. The analogy that I use is “what is the chance that a black belt martial arts person is going to beat you up?” Probably very remote!

When it comes to a cyber event, the black hat attacker is not the problem.

The problem is the hugely available and easy to use automated systems that are available for any person with an inclination to use them.

These automated systems create malware, deliver it, track it, monitor it, manage the stages of an attack, and manage and control the money being made. All a “hacker” has to do is be willing and ethically capable, and pull that trigger.

The risk to your charity organisation is significant.

Our attitude to the digital world, that it is just a tool and anyone can use it, is having a huge negative impact on business, because it is not.

I can guarantee that your charity has a board, it has used a legal company for the structure and has an accountant to look at the books, but the most essential component of the organisation is what you put into the digital world.

From desktop computers to smart devices and cloud-based systems and services, the digital world is all around us.

We treat it like the normal world, and that is bad. Theft in the real world is seen and actioned; in the digital world, it is not. I could have access to all of your data and you may not even know it is happening.

You need to talk to an MBSSP to bring your organisation to a level where your business security will protect the organisation, the data and the users, but most importantly your clients, volunteers and supporters.

Without them you cannot function as a charity, and all your good intentions will disappear.

The best way to find out how vulnerable your organisation is to a cyber event is to use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings”.

Business Security – Don’t do it yourself!

When it comes to business security, most people think that it is a no brainer!

Delegate to the IT department and it is done.

If you want to be a target, maybe get your 2 minutes of fame on the nightly news, and want a cyber event to impact your reputation, finances, operations and legal capability, then by all means ask the IT department.

Business security is all about the business. Yes, technology and the IT department are a component, but they are not the most important component of what is required to secure the organisation.

Business security starts at the top. Board members, managers and owners are required to look at the business and work out where an attack could come from, calculate the destructive effects, mitigate those effects and then implement protective strategies to cover those attacks.

This is very hard to do when your expertise is based on your core business. Your core business could be anything: legal, finance, manufacturing or even charity based. You are good at what you do, and that means you are not the best at understanding the problems associated with business security.

This is when you need the board, management and owners to look outside their organisation, to people and organisations that focus on business security. Business security is their core business!

From a management perspective, business security is all about risk: risk assessment, risk management and then risk reduction. Your organisation has to understand its risk appetite before it can implement change and reduce those risks.

Business today is wholly dependent on the digital world. We would not be able to do business without it. Each of those digital components has a risk factor requirement. Do you know what they are?

A business security risk assessment is the first step in Business security.

The best way to find out how vulnerable your organisation is to a cyber event is to use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings”.

Business Security is not just IT

The repercussions of a cyber event will create a serious problem for your organisation long after the initial threat has been discovered and neutralised.

The bad guys are after everything that they can get their hands on that is not theirs.   They are also targeting anything and everything that has a link to the digital world.

What does not appear in the glossy brochures for the next shiny new product are the vulnerabilities that come pre-configured in these new systems.

I am not being nasty, but the pressures to get things to market are enormous and the first thing that is left in the background is security.

To get systems to market they will cut corners, use insecure code or even “borrow” code from other devices bringing their inherent vulnerabilities to their new product.

The WannaCry and Petya attacks were both perpetrated against a vulnerability that had been patched recently but had been present in most Microsoft operating systems since Windows XP.

The subsystem targeted allows one computer to communicate with another to share files. A number of vulnerabilities with this profile have been found in every operating system.

But what happens if you have succumbed to a cyber event? How do you improve your business security?

There are a number of areas you now have to worry about.

  • The most pressing is the immediate threat.
  • Have they encrypted your files, and if so, do you have a backup?
  • Has that backup been tested?
  • If you have a backup, how will you restore your information and systems?
  • If you have cleaned the system, are you sure you have everything?
  • What else has been stolen or accessed?
  • Never ever EVER pay the ransom! You are dealing with criminals and they cannot be trusted. If you pay, there is no guarantee that you will get your data back.
  • I recommend that you start from scratch, but that’s just me.

Short-term tactics:

  • Has the event been disclosed?
  • Are you required to tell your clients, staff and customers?
  • Has the disclosure had any effect on your reputation, your finances, or your customers, clients and staff? If so, what will you now do?
  • I recommend that you do a number of things:
    • change passwords,
    • monitor credit card and bank accounts.
  • Something that is very important – tell people.

Long-term strategies:

  • Not a person for stats, but 60% of SMEs who have a cyber event will shut their doors within 3 months, and a further 50% will shut after 12 months and/or be a shadow of what they originally were. (Victimless crime – my arse.)
  • Check your personal reputation – use Google Alerts on your name, business name and trade marks.
  • Do a credit check – in some areas you can lock your credit rating; do it!
  • Get someone else to check chat rooms, information for sale and the dark web.

Using business security to avoid a cyber event in the first place? Avoidance is hard, preparation is easy.

  • Have a decent and tested backup of all critical data.
  • Encrypt critical data both at rest and in motion.
  • Use complex, long and unique passwords.
  • PATCH IT ALL.
  • Penetration testing with minimal restrictions.
  • Get paranoid, be aware and use common sense.
  • Implement a framework (we use NIST).
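Both the incident checklist above (“do you have a backup? has it been tested?”) and the first item of this preparation list come down to the same point: a backup you have never restored is untested. The only meaningful test is to restore it somewhere safe and compare the result, file by file, with what you meant to protect. Below is an added example (my own code, not CareMIT’s tooling and not from the original post) that backs up a constructed sample data set into a tar archive, restores it into a scratch directory and compares a SHA-256 hash of every file against the manifest recorded at backup time. It also shows how the same check reports data that changed after the backup was taken, which is the gap a restore would actually leave you with. The file names and contents are constructed for the demonstration; the `data` extraction filter is used where the Python version provides it.

```python
"""Restore-and-compare test for a backup archive (added example)."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` as a gzipped tar and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def verify_backup(archive: Path, expected: dict[str, str]) -> list[str]:
    """Restore the archive into a scratch directory and report every discrepancy.

    Returns a list of problems; an empty list means every expected file came
    back with exactly the expected content and nothing unexpected appeared.
    """
    try:
        with tempfile.TemporaryDirectory() as scratch:
            restore_root = Path(scratch)
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' filter (Python 3.12+, backported to older
                # maintenance releases) refuses absolute paths, '..' traversal
                # and special files; fall back to a plain extract otherwise.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(restore_root, filter="data")
                else:
                    tar.extractall(restore_root)
            restored = manifest(restore_root)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        # A corrupt or truncated archive is a failed backup, not a crash.
        return [f"archive unreadable: {exc}"]

    problems: list[str] = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected file restored: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed data set, then verify it twice.

    The first check uses the manifest recorded at backup time and should be
    clean. The second uses a manifest taken after a file changed, showing how
    the check exposes data the backup no longer covers.
    """
    with tempfile.TemporaryDirectory() as work_dir:
        work = Path(work_dir)
        source = work / "data"                      # constructed sample data
        (source / "finance").mkdir(parents=True)
        (source / "donors.csv").write_text("name,amount\nA. Donor,50\n")
        (source / "finance" / "ledger.txt").write_text("opening balance 1000\n")

        archive = work / "backup.tgz"
        recorded = make_backup(source, archive)
        clean = verify_backup(archive, recorded)

        # Simulate the ledger being edited after the backup was taken.
        (source / "finance" / "ledger.txt").write_text("opening balance 9999\n")
        stale = verify_backup(archive, manifest(source))
    return clean, stale


if __name__ == "__main__":
    clean, stale = demo()
    print("against backup-time manifest:", clean or "OK")
    print("against current data:", stale or "OK")
```

Run it on a real archive by calling `verify_backup(Path("backup.tgz"), saved_manifest)` with the manifest you stored when the backup was made; keep that manifest somewhere the backup job cannot overwrite it, otherwise a silently broken job can “verify” its own broken output. The restore goes to a temporary directory so a test never touches production paths.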

It is not all doom and gloom, but I can tell you from experience, in the midst of a cyber event, it feels like it.

The best way to counteract a cyber event is to expect to be compromised.

Hope for the best but plan for the worst!

The best way to find out how vulnerable your organisation is to a cyber event is to use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings”.