Business Intelligence and Investigations
What does a person posing the most serious threat to your data look like? It’s a commonly asked question to which cyber security specialists will often deliver the same answers.
Threats range from the serious state-level Advanced Persistent Threats, to criminal gangs who hack and steal for financial gain, to "hacktivists" taking offline the websites of large corporates. But the profile of a hacker closest to compromising your own systems is less likely to resemble an army officer, a criminal mugshot or even a teenager. Rather, he or she could be far closer to your organisation – an insider.
The “Insider Threat”
Findings in Kroll’s 2017 Global Fraud and Risk Report highlight the “insider threat” as paramount. Results across all regions surveyed consistently showed that company insiders, from moles, opportunists and contractors to disgruntled employees and ex-IT personnel, all seemed to pose a greater risk to corporate security than state-sponsored hacking.
57% of executives surveyed reported that cyber incidents were perpetrated by insiders, counting permanent employees, ex-staff, freelancers as well as agents and intermediaries – all of whom will have enjoyed privileged access to company data at some point.
Illegal Exfiltration of Data
There are several ways those with access to your internal data, computers and network can do damage to a company’s property, reputation and value. A global fast-moving consumer goods company recently tasked Kroll to investigate the source of an anonymous ransom email containing market-sensitive data.
The email had arrived in the inboxes of several board members amidst a dispute with a former senior director at the company. After an initial briefing and examination of evidence, our hypothesis was clear: the author was highly likely to have been an ex-employee, aided by at least one individual on the inside. Over the course of our forensic review we cross-checked several points of critical detail against the hard drives and email accounts of a number of suspects, eventually identifying the channel via which the information had been passed, the source of the leak and the recipient.
Had the client implemented a network monitoring system to detect the traffic of privileged data, this situation might have been avoided. But the additional lesson here concerns the need to prevent employees from being motivated to steal confidential information in the first place.
Nurturing Talent to Reduce Risk
What this investigation highlights is the need for companies to undertake proactive steps to mitigate the insider threat. The scale of the insider threat underscores the importance of nurturing human talent, something all organisations must do in order to excel. Strong adherence to good governance and management protocols will be as relevant to mitigating the risk of employee data theft as IT security reviews.
Insiders may also aid the discovery of cyber incidents and frauds by following whistle-blowing procedures. Almost half of all respondents in our global fraud and risk report said that a recent fraud had been discovered through a whistle-blowing program, and 39% said it had been detected through an internal audit.
In addition, organisations have a better chance of managing their risk exposure to insiders who are already known to them. They would also be better equipped to run a successful investigation with greater access to and control of the evidence trail inside the company.
How to Protect Yourself
Steps companies can take to address insider threats range from good management practices to IT protocols and include:
Listen to your workforce and communicate with colleagues. Leaders should address sources of grievance before they fully materialise.
Review IT security policies with employees frequently, particularly when new employees are on-boarding. Explain the importance of securing data as the valuable property it is.
Enforce strict privilege rules for file or system access; that way, unauthorised access to sensitive data won’t be an easy phishing expedition.
Application white-listing only allows authorised programmes to run on employees’ computers, helping to prevent infestations of malware, viruses and worms.
Monitor all databases, logs, and systems, and flag any suspicious or unusual behaviour. Your proactive vigilance can be the best deterrent to these insider threats.
By Tamsin Lee-Smith, an Associate Director in Kroll's Investigations & Disputes practice.
This article first appeared in Kepsa - Issue 12