Security threats are the hottest topic right now. When security professionals talk about threats, you almost always hear about external threats – hackers, cybercriminals, state-sponsored actors, cyber-spies, scammers, fraudsters, script-kiddies, etc. – as if the only focus should be on outsiders attacking businesses. While these are certainly legitimate threats, the often-overlooked insider threat is just as damaging and not always understood.
When the term ‘insider threat’ is mentioned, it may evoke images of Edward Snowden or perhaps even Dan Ellsberg. These are examples of insiders that intentionally breach data. But what about an employee that releases information unintentionally and may even be unaware that they caused a data breach? The insider can simply complete the job that an external hacker started.
Here is an all-too-common scenario: An employee receives a fraudulent email that appears to be from a member of management, perhaps even the CEO. The employee is being directed to either wire money, click an attachment or link, or reply to the email with sensitive information. Acting in good faith (after all, you have to do what the boss says, right?), the employee complies with the request and one or more of the following happens:
- An attachment is opened and exposes the network to a land-and-expand ransomware attack.
- A link is clicked in the email and exposes the network to a keylogger that captures everything the employee types – including login credentials to critical applications with sensitive data.
- Money is wired to a fraudulent account that will quickly be emptied and closed.
- The email is replied to with confidential information such as network credentials, W2s, client lists, financials, etc.
This is known as Business Email Compromise (BEC) or CEO Fraud. Because the employee didn’t verify the authenticity of the email that appeared to come from the boss, the business’s security was compromised and the employee unwittingly became an insider threat.
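The scenario above hinges on nobody verifying the email before acting on it. As an added example (not from the original post), here is a small defensive check that surfaces the header-level clues a recipient or mail filter can use to question a suspected CEO-fraud message; the corporate domain, the executive name and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import difflib

# Constructed sample values (not from the original post): the corporate
# domain and the executives whose names a BEC email typically borrows.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"pat chen": "pat.chen@example-corp.com"}
def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_red_flags(raw_email: str) -> list[str]:
    """Return header-based red flags suggesting BEC / CEO fraud (defensive check)."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    flags = []
    # 1. Display name of a real executive, but not that executive's address.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        flags.append(f"display-name spoof: '{name}' but address is {addr}")
    # 2. Sender domain resembles ours but is not ours (e.g. one character off).
    if (from_dom and from_dom != CORPORATE_DOMAIN
            and difflib.SequenceMatcher(None, from_dom, CORPORATE_DOMAIN).ratio() > 0.85):
        flags.append(f"lookalike domain: {from_dom}")
    # 3. Replies would go to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        flags.append(f"reply-to mismatch: {reply_to}")
    # 4. Subject pushes the reader toward the actions the post describes.
    subject = msg.get("Subject", "").lower()
    for word in ("urgent", "wire", "w2", "w-2", "payment"):
        if word in subject:
            flags.append(f"pressure keyword in subject: {word}")
            break
    return flags

# Constructed sample messages: a spoof and a genuine internal email.
SPOOFED = """\
From: Pat Chen <pat.chen@examp1e-corp.com>
Reply-To: ceo-office@mail-relay.example.net
Subject: URGENT wire needed before close of business

Please handle this quietly, I'm in a meeting.
"""
LEGIT = "From: Pat Chen <pat.chen@example-corp.com>\nSubject: Q3 planning notes\n\nNotes attached.\n"

if __name__ == "__main__":
    print(bec_red_flags(SPOOFED))  # four flags
    print(bec_red_flags(LEGIT))    # []
```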
Luckily, there are ways to reduce the impact of the unintentional insider threat. First, create a culture of security awareness in your business. This is not an overnight fix and is not a one-and-done, check-the-box, annual security awareness training session. A culture of security awareness is built through security education that starts with top management, continual testing of employees to see whether they will click links and attachments in emails, and frequent follow-up training to reinforce the security message.
Second, reward employees that identify potential security traps. It is much cheaper to hold a monthly or quarterly drawing for a gift card to reward employees that spot and flag potentially malicious emails than to clean up the aftermath of a security breach.
If you still need help mitigating cyber security risks, ProTech can help design and implement a plan based on your specific business needs. Contact us now!