5 September 2016 · By David Lello
It is an undeniable fact that in today's digital world, we are all pretty much reliant on information technology and the Internet to run our businesses. It is also a fact that it is not "if" but "when" will our IT Infrastructure and business applications be under attack.
Once you’ve addressed the insider threats within your organisation, you can turn your attention to external cyber threats
Before you even begin to address the dark world of cybercrime or sponsored attacks, plotting to compromise your IT systems; you should first remember that cyber security begins at home. By home, I mean the business owners, their senior managers, their staff and their third party contractors.
It is a salient point that security breaches by staff or third party contractors – whether malicious or accidental – are one of the largest sources of cyber-attacks on an organisation's systems. And cyber criminals will seek out the weak points in your organisation as these present the easiest opportunities for attack.
How can I ensure my systems are safe from within?
Before we look at solutions, we must understand the various ways in which employees and contractors can be responsible for security breaches.
Careless employees – Obvious examples of careless behaviour include: staff who use weak passwords, staff who surf unauthorised websites and staff who click on links or open attachments in suspicious emails. Then there are staff who don't take proper care of their personal or company devices.
Vengeful ex-employees – This happens more than you might think as ex-employees believe they won't be caught. This is especially so if they had access to systems, networks and databases with privileged passwords.
BYOD (Bring Your Own Device) – The fact that a firm's information is shared to or copied onto personal devices creates an inherent risk of theft. Passwords on personal devices are often weaker than those used at the workplace, making them vulnerable to hacking.
Unauthorised devices to the network – Many don’t think twice about connecting their own devices to the company IT infrastructure. This can facilitate the introduction of malware into the organisation’s systems, or provide an entry point for a hacker.
Third party service providers – Service providers are often an important part of your extended team but can pose a risk if their security practices are not as rigid as your own. It is not unusual for contractors to use a single or shared password for all their employees – and often the password used is weak to facilitate new staff.
This makes the potential theft of login details relatively simple – often simply by guessing.
Here's what you can do to minimise this threat.
(1) Employee vetting – All staff must be thoroughly vetted for honesty. For sensitive positions, police criminal checks should be undertaken. You must also ensure that your third party contractors have similarly vetted their own staff.
(2) Training and education – Have well-documented procedures that provides training for all staff. Educate them on the need for strong security and the implications of careless or bad password management. Awareness and training exercises should include education about scams such as phishing and key logger scams. Consider introducing a password management system and deploy validated encryption as part of your strategy. In highly sensitive situations you might consider the introduction of two-step authorisation.
(3) Introduce a strict password cancellation policy for ex-staff – Ensure that proper procedures are in place so that all passwords are immediately cancelled for any employee leaving the company.
(4) Have a clear BYOD policy – This should be a carefully written document that spells out exactly what employees can and can't do with their devices. This will include such FAQ's as: Can they download company documents, emails or business data? Can they download personal applications onto company networks? Implement systems to monitor mobile devices. This will reduce risks if a device is lost or stolen. Encryption and containerisation of data on devices can also form part of an overall solution.
(5) Introduce a "no tinkering" policy – No unauthorised tinkering with the company's systems should be allowed and specifically no devices, USBs etc. should be connected without first being checked by your IT security team.
(6) Insist that all third party contractors have acceptable security procedures – All service providers must implement "best practice" as far as password security is concerned. Monitor the contractor's security procedures and immediately cancel all access passwords as soon as a provider has ceased working for you.
(7) Monitor and report – Violations of the policies can be monitored and actions taken to identify and stop real damage from occurring. While tools and techniques can be quite complex, to manage out the numerous false-positives (security events that are benign) much can be done by simply monitoring for internal threat scenarios that could be most damaging to your business. Ensure that a well-defined incident management procedure is in place to back up the management of a security violation and that there is a disciplinary procedure in place to deal with employees and contractors who would compromise the security of your organisation.
Once you’ve addressed the insider threats within your organisation, you can turn your attention to external cyber threats.