While Hollywood may love the image of the hacker lurking in the shadows, stealthily pillaging from across cyberspace, the reality is that threats from inside your network, whether intentionally malicious or unintentionally hazardous, are by far the greater problem in online security.
An inside threat can be as innocuous as an employee unknowingly clicking on a seemingly secure link in an email, opening up an opportunity for a malicious and soon-to-be-ex contractor to scorch your servers and sell secrets to your competitors.
A Vormetric study reports that 44% of US companies experienced a data breach or failed compliance audit in the last year. In fact, many of the most newsworthy breaches (like Target, Home Depot, and the Office of Personnel Management) came from internal weaknesses.
Anger meets misconfiguration
Innocuous or intentionally malicious, internal threats appear in the form of disgruntled employees, or those who merely seek to bypass security procedures they perceive as onerous. Misconfiguration of web-based applications or cloud-based infrastructure are all too common. The added insecurity of unvetted, often unsavvy contractors and consultants and the plethora of mobile devices in the workplace make company data ripe for even unsophisticated hackers.
Using these inside weaknesses in your perimeter security, hackers gain access to your networks and exfiltrate sensitive and valuable data. In the case of the infamous Target breach (which resulted in both the CEO and CIO losing their positions), thieves used credentials from one of the corporation’s refrigeration vendors to steal payment information and data from more than 70 million customers. Who would’ve thought that the company providing refrigeration would be the way into your entire internal network?
An ongoing battle
Protection from internal threats requires multi-pronged, ever-evolving approaches. Management and IT security professionals need to start by examining and securing internal weaknesses and recognize them as a major threat. This applies to people as well as computer systems.
1. Organizations need to understand the applications accessing their networks and move past the legacy ideology of “safe” and “unsafe” products
Operating systems have long been proven vehicles for attack. But even products built for safety can be vulnerable, like the recently uncovered flaw in Trend Micro’s antivirus software.
Two of the key elements in security are layering and segmenting. Layers of protection start with your firewall, move through your network and end on with individual users. Segmenting your network prevents intruders from getting everywhere once they break in somewhere. This was one of Target’s mistakes. Safety is not a place one reaches, but a state that requires vigilance. Seeing your network as one amorphous blob does nothing to help secure it.
2. Password protection efforts are only as strong as the passwords themselves–and then only if teams and workers don’t share them in an effort to simplify workflow
Ashley Madison reminded us that the most popular passwords are 123456, abc123 and qwerty. Because passwords are keys to the kingdom in your business, they need complexity. Your systems must note length, content and repetition and should require new passwords at regular intervals.
More than that, companies need to take steps to prevent credential sharing. Single sign-on simplifies logins and cuts down on sharing. Allowing users to login from only one computer at a time also helps. Two-step authentication, especially for access from outside, can significantly reduce hackers’ chances of getting into your network. All this is slightly more inconvenient for employees, but holds exponential benefit for securing your network.
3. Trust contractors (with caveats)
Companies must vet anyone who has access, be it employees or contractors, to ensure that the people using those access points are both ethical and properly trained in how (and why) security protocols are mission-critical. A code of ethics, an acceptable use policy and getting an overview of their company’s IT security are a good place to start. From unidentified USB devices to unsecured wifi networks, employees must realize how they can unwittingly become the entry point for external malware. Teach them the ropes in plain English, and your human factor won’t be as vulnerable.
4. Have an eject button
When workers leave, be sure they’re really gone. Create off-boarding lists for what to do about closing accounts and turning in devices to ensure that they don’t take data access with them. When someone enters your network, make sure they’re found before damage is done, through active breach detection or otherwise. Regular security audits are an essential tool to know who is accessing your network. And be sure to keep up on current vulnerabilities so you can plug any new holes.
5. Educate, educate, educate
Rebooting and being on hold with tech support sums up most people’s experience with IT. The average person does not understand the intricacies and threats to network security. IT departments need to continually educate workers with short, 5- to 10-minute presentations on topics from passwords to email attachments to BYOD. Remember that the Sony hack was made possible by a worker pulling an email out of their junk folder and opening the attachment. Securing the human factor is the hardest, but most rewarding part of IT security.
The good news
After years of chaos inside of the perimeter, teams can now access more mature network detection tools. The cloud and data analytics make it possible to identify breaches before any damage done, and remediate them without incident. As breaches continue to infiltrate every facet of business and life, accessing the most modern protections available will continue to be worth its weight in (data) gold.