Author: Jan Tissler
The best security measures can be ineffective when the attack is from the inside. In this respect, the problem areas range from malware in emails through to social engineering. In this article, we highlight ways in which you can protect yourself against such traps.
IT security is struggling with a growing problem that isn’t always easy to fix: in 34 percent of all data breaches in 2018, the attack came from within. This is based on figures from the Verizon 2019 Data Breach Investigations Report. In 2016, the same figure was 25 percent. These cases are sometimes caused by a frustrated employee who deliberately wants to harm his or her (former) employer. Often, however, it is carelessness or simple ignorance that triggers the problem. Those responsible for IT security therefore find themselves in a dilemma: after all, employees need access to certain data to be able to do their job. At the same time, what is heavily protected against outside influence can often be accessed quite legitimately from the inside. There are, however, ways and means of securing these potential access gateways.
The email access gateway
A virus scanner is standard equipment in the organisations of today. However, it can only ever fend off known malware and therefore cannot offer one hundred percent protection. It is therefore important to draw the attention of all employees to this risk and to train them accordingly. This is made harder by the fact that emails carrying malware are no longer as easy to recognise as they were in the past. The “German Wiper” malware, for example, disguises itself very credibly as an unsolicited job application. It is also easy to fake the sender of an email so that it appears to have originated from a known contact. These tricks, and others, should be known to everyone in the organisation. Phishing is another tactic that still works. In the case of the attack on Sony a few years ago, for instance, an email claimed that the target person's Apple ID had to be reset. This proved to be the starting point for an attack that was ultimately successful. Here, for example, clear rules are required to ensure that login data is never entered after clicking on a link in an email.
Another attack tactic, along similar lines, exploits human weakness: social engineering means outwitting a person with psychological tricks in order to get hold of sensitive information. After all, who wouldn't want to help out a customer who's in an emergency? Or pass on information to the relative of a colleague? It is therefore necessary to state clearly what information may be disclosed to whom, and under which conditions. Unannounced checks should also be made to ensure that these rules are being observed.
Careless handling of software, hardware and services
Another hazard: employees are frequently unaware of the problems that certain familiar applications and devices can pose in the corporate environment. In the past, security researchers have even found sensitive data on hardware that they bought on eBay, for instance. After all, photocopiers and fax machines have internal memories that are easily overlooked. There are also cases in which employees are not satisfied with the company tools and switch to external devices and services that they know from their lives outside the workplace. However, these don’t just pose problems with regard to security, but also in terms of compliance. These points, too, must be communicated clearly to everyone in the organisation.
Partners and external service providers
Third parties can also become "insiders". These include companies and service providers with whom the organisation cooperates. They, too, sometimes need access to information and data in order to complete their tasks. Or they gain access for other reasons: the data leak at the US retail chain Target, for example, occurred through a service company for air conditioning and refrigeration systems.
Extensive access rights
No company should rely wholly on training, protective software and clear rules alone. Rather, it should always be ensured that all employees and partners have only the specific access rights that they actually need. This isn’t always easy, because these days people change jobs more frequently than they did in the past. Employees come and go, or their remit changes. Trainees and apprentices are another example: they often work in several different departments and can accumulate access rights that are almost the same as those of an administrator. IT security must therefore be prepared to grant and withdraw access rights in one go.
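As an added illustration (not from the article), a small entitlement model in Python that derives an account's rights from its current role only, so that a job change or departure revokes and grants everything in one step, and that flags rights which have accumulated beyond the role; the roles, system names and the rotating trainee account are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: the entitlements each role legitimately needs.
ROLE_RIGHTS = {
    "sales":      {"crm:read", "crm:write"},
    "finance":    {"erp:read", "erp:post"},
    "it-support": {"ad:reset-password", "vpn:admin"},
    "admin":      {"crm:write", "erp:post", "ad:reset-password",
                   "vpn:admin", "ad:create-user"},
}

@dataclass
class Account:
    name: str
    role: str
    granted: set = field(default_factory=set)  # rights actually present in systems

def move_role(acct, new_role):
    """Mover: replace the whole rights set in one go; returns (revoked, added)."""
    target = ROLE_RIGHTS[new_role]
    revoked = acct.granted - target
    added = target - acct.granted
    acct.granted = set(target)
    acct.role = new_role
    return revoked, added

def offboard(acct):
    """Leaver: withdraw every right at once rather than system by system."""
    revoked = set(acct.granted)
    acct.granted.clear()
    acct.role = "none"
    return revoked

def excess_rights(acct):
    """Drift check: rights present that the current role does not justify."""
    return acct.granted - ROLE_RIGHTS.get(acct.role, set())

def admin_overlap(acct):
    """How close the account has crept to the admin role (0.0 to 1.0)."""
    return len(acct.granted & ROLE_RIGHTS["admin"]) / len(ROLE_RIGHTS["admin"])

def accumulating_trainee():
    """Constructed trainee who rotated through departments with rights only ever added."""
    t = Account("trainee", "it-support")
    for r in ("sales", "finance", "it-support"):
        t.granted |= ROLE_RIGHTS[r]   # the careless pattern: grant, never revoke
    return t
```

Running `excess_rights` and `admin_overlap` over real entitlement exports is the periodic check; `move_role` and `offboard` are the one-step provisioning the text asks for.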
Another thing that shouldn’t be underestimated in this context is that cyber criminals can invest a great deal of patience and time in their work. They frequently refrain from approaching their actual target straight away. Their attack can begin with the smallest steps and in places that are not considered at risk. In social engineering, the initial information is often picked up casually and then used in the next step – and so on, until the perpetrator has made their way to the “nerve centre”. It is therefore exceptionally important for all employees to be aware of the potential risks, not just those who work directly with sensitive data and information.