The news and media often highlight vulnerabilities, malware, and negligent employee breaches as the only dangers organizations face, overlooking costlier insider threats. Surprisingly, stolen records for insider threats in the US cost $230, which is more than breaches caused by system glitches ($142) and human error ($134). Insider threats alone cost the US $40 billion in losses. Two recent examples of insider threats illustrate how former and current employees can damage a business.
Insider threats don’t always come from current employees; they can come from former employees. In 2014, a Winchester-based company laid off an IT department employee. The disgruntled former employee remotely accessed the company’s network using another employee’s log-on credentials, deleted important files, and disabled some of the company’s accounts. His actions cost the company almost $62,000.
In a Vectra survey, 41% of cybersecurity professionals marked IT personnel as one of the biggest potential insider threats, which isn’t too surprising considering IT departments have access to the company’s network, oftentimes including employee log-on credentials.
The obvious question may be, “Well, why didn’t the company deactivate the employee’s access when he was let go?” But the company did deactivate his access to their internal systems—that wasn’t enough. When the well-connected employee left, the company should have had all the employees change their passwords, especially admin passwords to servers and networks. This precautionary measure may have helped the company prevent the attack.
Two-factor authentication could have helped in this situation as well. If the former employee used another employee’s credentials, it is highly unlikely he could have produced the second factor, and the company could have avoided thousands of dollars in damage. This best practice is easy to implement and adds a layer of security.
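The password-change step described above can be checked after an offboarding. The following Python is an added example, not part of the original article: it lists accounts whose passwords predate an employee's departure (admins first) and flags later successful remote logins to those accounts from addresses the departed user had used. The account names, dates, addresses and log format are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (hypothetical names, dates, addresses and log format).
DEPARTED = {"user": "jdoe", "left": datetime(2014, 3, 1)}
ACCOUNTS = {  # account -> (is_admin, last password change)
    "asmith": (False, datetime(2014, 1, 10)),
    "bnguyen": (False, datetime(2014, 3, 2)),
    "srv-admin": (True, datetime(2013, 11, 5)),
}
VPN_LOG = """\
2014-02-20T22:14:03 jdoe 203.0.113.7 OK
2014-02-25T08:01:44 asmith 198.51.100.20 OK
2014-03-05T23:40:12 asmith 203.0.113.7 OK
2014-03-06T09:02:10 bnguyen 198.51.100.31 OK
2014-03-07T01:15:55 srv-admin 203.0.113.7 OK
"""

def stale_accounts(accounts, left):
    """Accounts whose password was last changed before the departure, admins first."""
    stale = [(name, admin) for name, (admin, changed) in accounts.items()
             if changed < left]
    return [name for name, admin in sorted(stale, key=lambda a: (not a[1], a[0]))]

def parse(log):
    """Yield (timestamp, user, source_ip, result) from 'ts user ip result' lines."""
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result

def suspicious_logins(log, departed, accounts):
    """Successful logins after the departure, to an unrotated account,
    from an address the departed user logged in from before leaving."""
    events = list(parse(log))
    left = departed["left"]
    known_ips = {ip for ts, user, ip, _ in events
                 if user == departed["user"] and ts < left}
    stale = set(stale_accounts(accounts, left))
    return [(ts.isoformat(), user, ip) for ts, user, ip, result in events
            if ts >= left and result == "OK" and user in stale and ip in known_ips]

if __name__ == "__main__":
    print("Rotate first:", stale_accounts(ACCOUNTS, DEPARTED["left"]))
    for hit in suspicious_logins(VPN_LOG, DEPARTED, ACCOUNTS):
        print("Review login:", hit)
```

An empty result from `suspicious_logins` does not show the accounts are safe, since a former employee can connect from a new address; the unrotated list is the part to act on.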
Unlike the first example, these inside attackers weren’t motivated by revenge. Instead, they wanted to make a quick buck. A California-based company paid three AT&T employees not only to install malware on the company’s internal network, but also to modify the malware during different stages of the attack. All of this was done on the company’s computers while the employees worked in an AT&T call center.
Once the information is collected and collated, system admins can investigate whether or not behaviors outside of the norm are indicators of potential insider threats or false positives.
Hindsight is always 20/20; it’s easy to discuss another company’s failures and how they could improve. However, there is a lot to learn from others’ mistakes. These are only two examples to show how insiders pose threats. Following best practices, such as requiring employees to use strong passwords, enabling two-factor authentication, and locking out user accounts after a number of failed attempts, can mitigate insider threats.