The threat from within: How businesses can mitigate attacks from outside with awareness on the inside

The threat from within: How businesses can mitigate attacks from outside with awareness on the inside

Daniel Benad, Group Vice President and Regional GM, ANZ and Oceania, Rimini Street asks: “If trusted employees are the biggest threat to data security, does that mean we can never be safe?”

Cybersecurity has been leading the news in Australia in recent months. Seemingly every sector has been hit by an attack, from government departments to banks, telcos, healthcare providers and retailers. According to the ACSC, businesses of all sizes have seen a 14% in cybercrime reports.

Companies no longer doubt it’s not a case of if they will be attacked but when and how.

With the largest recent breaches, we’ve seen personally identifiable information (PII) from employees and customers hacked for sale online or as ransom with a hefty price tag.

Optus’ information was accessed through an application programming interface (API) which was mistakenly left open, potentially for weeks or months. Woolworths’ MyDeal leak and the Medibank breach were both accessed with compromised user credentials. Harcourts, a real estate agency in Melbourne, was breached via a staff member using a personal device to access the database.

Although the method of entry differs between each attack the commonality is the human element.

Verizon’s 2022 Data Breach investigation report found 82% of data breaches include some sort of human component. Whether this be through sharing devices, using unsecure devices, clicking on suspicious links and, in some rare cases, staff intentionally targeting their own organization for malicious purposes.

Daniel Benad, Group Vice President and Regional GM, ANZ and Oceania, Rimini Street

The human part can be difficult for security teams to analyze, especially if it comes down to an innocent mistake from a worker. It’s also difficult to assess the cyber literacy of an entire workplace and deploy the specialist training that these vulnerabilities require.

It can be a nightmare scenario when internal mistakes meet opportunistic external actors.

If trusted employees are the biggest threat to data security, does that mean we can never be safe?

It’s becoming more apparent that while we can’t deter hacking attempts, we can make it harder for cyber-criminals to get in and for data to get out.

Human error should be expected, and it’s something companies need to be prepared for, making comprehensive and continuous cybersecurity education a priority for all organizations.

Businesses need to figure out the holes in its systems, the ones a staff member could mistakenly expose. It can be as simple as working out which apps are the clunkiest, or least user-friendly and only work on certain devices, which inadvertently encourages staff to use their less-secure personal devices.

Many applications, including systems crucial to keep a business running, just aren’t built with security the utmost priority. They are great at serving their specific purposes, but chances are maximum security isn’t core to their design.

Furthermore, acquiring knowledge of the threatscape and learning from others is key to mitigating possible breaches.

Sharing knowledge of threats is a key way to counter them. If your threat analysis only covers a business’ specific set of circumstances, chances are it’s only the tip of the iceberg. If you don’t have the skillsets in-house to do this which, amid an increase in high-profile attacks making cybersecurity skills in high-demand, is understandable – outsourcing to specialist companies becomes a strategic investment without overburdening existing budgets.

Once you’ve built up your internal defenses, the next step is to start tracking who is likely to breach.

To track malicious insiders, businesses need a different line of attack. Malicious insiders probably have the role-appropriate access they need to disrupt business operations or leak corporate information. If you can’t stop them getting access, identifying them is the first step.

Security teams must focus on identifying insiders who intentionally seek to divulge corporate information or disrupt business operations. The task is made more difficult because insiders may have role-appropriate privileges.

Advanced identification approaches are necessary. Tracking indicators and techniques can be used to identify malicious insiders and activity.

That includes analysis of the motivations of someone who is potentially disgruntled at work. Those who may be looking for revenge, an ego boost or some financial gain are the first targets. The quiet quitters and are next on the list. The ASCS says happy staff are less likely to stab you in the back.

There’s no way to stop humans from making mistakes. Even the most highly trained professional will forget to bring their glasses to work and even your most dedicated employee will click on a link their ‘boss’ has sent.

With human error an inevitability, adequate and proactive protections become critical.

Awareness of threats and weaknesses is one of the best ways to counter them.

Organizations need to be constantly updating and assessing their training, checking all their office applications regularly and thinking outside the box – and outside the organization – when it comes to understanding the threatscape. Most importantly, any technology adopted by the business must be adopted with security front-of-mind.

We’ll never stop criminals trying to steal sensitive data. But we can make it as hard as possible for them to do so – making a task not worth the trouble is ultimately the best deterrent.

Browse our latest issue

Intelligent CISO

View Magazine Archive