Security threats: Insider witch hunt
7 February 2018
Insider threats are nothing new in terms of corporate security. Since the earliest days of business, there has always been a risk that a trusted employee might leave and take valuable intelligence with them, along with all their contacts.
However, the advent of digital technology has introduced a new kind of insider threat — the inadvertent danger posed by well-meaning employees clicking links they should not, never changing their passwords, and leaving USB sticks crammed full of valuable data lying around.
Faced with these challenges, companies trying to protect themselves are in something of a quandary. In an ideal world, you could just deploy digital tools to monitor everyone all the time. But privacy concerns rightly prevent this degree of surveillance. How can this square be circled? Not without a lot of hard work, appears to be the answer.
Privacy versus security
“When people talk about privacy versus security, it’s important to remember that we all want systems to be as secure as humanly possible. But occasionally you have to give up a bit of privacy to do that,” said Dermot Williams, managing director of Threatscape. “If you give people 100% unfettered privacy, you actually can’t also give them 100% security.”
According to Williams, whenever his company is called in to help a company it has not worked with previously that has fallen victim to a ransomware attack, he can predict that one of two things will have happened.
“Almost inevitably, the root cause when we do forensics is that either an email message was able to reach an individual’s inbox with malicious code that they then accessed inadvertently, or users were able to surf the Web and access web sites externally which the company wasn’t filtering. It’s that simple,” he said.
“If the company’s firewall doesn’t do what we call the ‘man in the middle’ bit, whereby it decrypts what’s coming in, has a look at it, makes sure it’s happy and then passes it on its merry way, then they are playing with fire because it means that any individual user inside the organisation can access the nastiest of the nasty out there on the Web.”
The lesson is straightforward. If you allow arbitrary executable programme code to reach individual computers in your company, you cannot rely solely on a last line of defence such as an antivirus programme.
Meanwhile, a variety of regulations govern just what data a company can gather on its employees and what that data can be used for. The introduction into law of the general data protection regulation (GDPR) later this year also carries implications for the security measures companies use to protect themselves against insider threats.
“GDPR is all about protecting the individual’s privacy and companies can get fined if they are too blasé about that. For instance, companies should absolutely be doing SSL decryption at their firewall and they should be making sure that all content coming in is being scanned for security threats,” said Williams.
“But they can put an exception list in place reasonably easily with modern security platforms that says that if somebody’s accessing a financial institution, for example, we’re not going to look at that activity. It’s not our business if they’re accessing that, or perhaps something like a health-related system.”
This means accepting the small risk that Bank of X might get breached and have malware on its site, but it is worth it.
“It’s not our business to be looking at people’s online banking. And that’s the side most pragmatic people are now coming down on in terms of how they’re approaching this — they know that most computer access in terms of email and web needs to be looked at, but they also know it’s possible to do that sensitively.”
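To make the approach Williams describes concrete, here is an added illustration (not code from the article, Threatscape or any named vendor) of a gateway policy that decrypts and scans outbound web traffic by default but passes destinations in exempt categories, such as online banking and health services, through untouched; the category table, hostnames and exempt set are constructed assumptions, and the audit line records only the decision, not the content, so the monitoring stays transparent.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample category data; a real gateway would use a URL-category feed.
CATEGORY_BY_SUFFIX = {
    "examplebank.ie": "finance",
    "myhealthportal.example": "health",
    "news.example": "news",
}
# Categories the policy exempts from decryption ("not our business" traffic).
EXEMPT_CATEGORIES = {"finance", "health"}


@dataclass(frozen=True)
class Decision:
    host: str
    category: str
    action: str  # "inspect" (decrypt and scan) or "bypass" (pass through encrypted)
    reason: str


def categorise(host: str) -> str:
    """Match the host itself or any parent domain against the category table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CATEGORY_BY_SUFFIX:
            return CATEGORY_BY_SUFFIX[suffix]
    return "uncategorised"


def decide(host: str) -> Decision:
    """Default to inspect; bypass only for categories on the explicit exception list."""
    category = categorise(host)
    if category in EXEMPT_CATEGORIES:
        return Decision(host, category, "bypass", f"{category} traffic is exempt from decryption")
    return Decision(host, category, "inspect", "default policy: decrypt and scan content")


def audit_line(d: Decision) -> str:
    """Log the decision (never the payload) so staff can see what is and is not looked at."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f'{ts} host={d.host} category={d.category} action={d.action} reason="{d.reason}"'


if __name__ == "__main__":
    for h in ["online.examplebank.ie", "myhealthportal.example", "www.news.example", "unknown.example"]:
        print(audit_line(decide(h)))
```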
So just how far can a company go in terms of monitoring its own staff to protect against internal threats? Quite far, apparently.
“You can go further here than in jurisdictions such as Germany and France. But the key thing is that firstly, staff understand that you are doing it and that it’s transparent, and secondly, that staff effectively understand what you might do with the data arising from your monitoring,” said Colin Rooney, a partner with the Arthur Cox law firm. “So, for example, if you are monitoring your staff’s data purely from a security perspective, then you can’t later decide to use the same information for disciplinary purposes, if an issue arises.”
The classic example in this area concerns closed-circuit TV (CCTV). If a company has CCTV installed to protect against, for example, trespassing but subsequently realises that the system has recorded images of staff pilfering or perhaps bullying on the premises, the footage will not be admissible in court unless staff were notified in advance that the footage might be used for this purpose.
The principle of monitoring staff is the same, whether it is a CCTV system, or a digital system recording the activities of staff online. In order to fully protect itself, it is crucial that any company monitoring its staff’s digital behaviour makes sure that the individuals concerned fully understand through privacy notices or privacy statements what is being monitored, why they are being monitored and what that means for them.
“You need to make sure any monitoring you’re doing is proportionate, that it is transparent and that you live within the boundaries of what you said you were going to do in the first instance,” said Rooney. “If you are tracking someone’s use of social media or the Internet in the workplace, or their telephone calls, that can be very intrusive. It’s a bit like opening their post. Whatever way you are going about tracking them or monitoring their behaviour, the same principles will apply.”
Rooney referenced a case before the European Court of Justice some time ago which was widely reported, but which he feels was not represented correctly in the media.
“It was a very confusing case because in the first instance, there was an impression given that it meant that any kind of monitoring in the workplace was not possible. But in fact, what the court said was that monitoring in the workplace is possible, but needs to be proportionate,” he said.
Companies that help others deal with the implications of the GDPR recommend that staff be trained to recognise their responsibilities in this area. According to Gerry Morley, director of Tech Guard, there is an important point to be made about how a business tackles the insider threat while protecting the privacy of its own staff and customers.
“A key step businesses will need to take, and a step requested by the GDPR, is to undertake ongoing security awareness training and data protection training of employees who handle personal data. There is an onus on the business to make their staff aware of how to stay safe online, and how to proactively identify threats such as phishing emails in order to protect the personal data held by the company,” he said.
“There is a general unawareness among people that we’ve been talking to outside our own client base, in terms of what exactly the GDPR entails around privacy. GDPR is a very complex regulation and is vague in a lot of parts, and a lot of companies are finding it difficult to find out exactly what are the privacy requirements and responsibilities.”
As has been said before, in an ideal world a company seeking to protect itself from insider threats could just put in place monitoring to watch its staff. But that is no longer as legally viable as it might once have been.
“No, it’s definitely not that simple anymore. There are certain areas that you can monitor and certain areas that you can’t in terms of tracking all activities, be it personal and work-based activities, when they’re in the workplace and on the network. But we have found that a lot of companies are actually unaware of two aspects of this,” said Morley.
The first is the threat that an ‘insider’ might pose in the event that an employee goes rogue, perhaps wanting to leave the premises with a USB stick, or being unhappy with the company for some reason. The data they want to take could be customer data or the information of employees or colleagues, and there may be serious implications for the company for allowing that to happen.
The other insider threat, according to Morley, is from employees who inadvertently click on a link in an email which bypasses the antivirus scanner and firewall.
“This in itself could cause a data breach. As well as encrypting the data on the machine, some of the latest ransomware viruses also upload a copy of the data so the hacker can blackmail the client by threatening to publish the data online,” he said. “We found that a lot of companies that we talk to don’t really fully understand how that can happen or what their responsibilities are in that case.”
A potential problem for companies trying to protect themselves from insider threats is that too much security can become paralysing. It can, in fact, lead to the very thing it is designed to prevent — risky behaviour.
“When it comes to dealing with the insider threat, what you’re trying to do, first and foremost, is put in place a set of preventative controls, to prevent either inadvertent data loss or malicious data loss or misuse,” said Pat Larkin, chief executive of Ward Solutions.
“What you’re looking to do is to try to change culture, because it’s really about the behaviour of people. You can go to huge lengths to deploy technology and technical controls to try to deal with preventing an insider event occurring, but if the culture isn’t right, you get very limited results.”
According to Larkin, if companies deploy security and monitoring measures to the ultimate degree, they can end up creating a non-workable set of circumstances for employees.
“If you restrict access to data, or make people go through levels of authorisation to access the data they need to do their job, then usually what that fosters are all sorts of workarounds that lead to high-risk behaviour,” he said. “If you make it very difficult for people to do their job, then they will inevitably either down tools and not do it, or will find other ways of getting around the controls that have been put in place. That’s when you find sticky notes with passwords stuck to monitors and Dropbox folders in the cloud with company data in them.”
It is far more effective, in the experience of Larkin, to promote better corporate security culture.
“What you’re trying to achieve is the human firewall — a level of awareness among staff from the top to the bottom of the importance of vigilance. Whether it’s the chief executive that is targeted or the accounts receivable or payable department, or the IT admin or whoever, in the majority of cases they all want to do a good job,” he said.
“If you explain to them the real business risk associated with risky behaviour, they’re happy to change. When you explain to them that the costs can be enormous of falling victim to a security threat, and that the security that is in place is there to protect them and their jobs, not restrict their freedom or make their lives difficult, then you get a degree of buy-in you won’t otherwise get.”