The University of Oxford's Sadie Creese on The Insider Threat in Cybersecurity
Access to 40 million payment card numbers and personal data of 70 million people. That’s what cyber criminals made off with in the 2013 Target cyber attack.
Most hackers have sophisticated tools to break into even the most impenetrable cyber security systems, and enterprise companies typically have several cyber security measures in place to prevent this from happening.
So, how do they usually break in? Through an insider: employees, vendors, anyone who has access to the company through means like access cards or digital passwords, regardless of whether they have malicious intent or not.
Cyber thieves used the credentials of a refrigeration vendor that worked for Target to carry out one of the most infamous cyberattacks of the last decade, one that cost the company $300 million including multiple settlements.
According to Sadie Creese, the “threat of the insider” is a real, growing and underreported sector of cybersecurity. Prof. Creese is the foremost authority on the operational aspects of cybersecurity, including threat detection, risk assessment and security architectures. She is also the programme director of the Oxford Cyber Security for Business Leaders Programme.
A cyber strategy that challenges conventional practices
Prof. Creese led an international research project sponsored by MI5's Centre for the Protection of National Infrastructure (CPNI) aimed at improving “the ability of organisations to uncover and neutralise threats from insiders.” The 16-member team, which consisted of security specialists, criminologists, psychologists and others, uncovered findings that showed many established cybersecurity practices don’t always work. A few examples:
Access Control -- Prohibiting employees from using office devices for personal reasons won’t prevent them from stealing assets.
Vulnerability Management -- Virus checkers or malware detectors don’t work against insider threats with legitimate access codes.
Strong Boundary Protection -- Storing critical information within hardened perimeters won’t prevent access by those who have authority.
Password Policy -- A strong password policy often means passwords end up on Post-it notes.
Awareness Programs -- Employees won’t divine cyber awareness by looking over the company IT policy periodically.
The complex nature of cyberspace often means that businesses, and even national infrastructures, that are critically dependent on cyberspace have very little understanding of it.
Prof. Creese says, “As citizens, we need to have an eye on our own roles in protecting those infrastructures. If I’m a staff member at one of those corporations, I have to understand how I fit into the picture of keeping those organisations running.”
Immediate steps to mitigate insider threats to cybersecurity
Implement a comprehensive insider policy applicable to everyone with access to the company’s digital assets, from third-party vendors to the C-suite. Provide employees the right tools and training to make enforcing the policies easy and safe.
Raise awareness of prevalent cybercrimes and of the tools and tricks in the hackers’ arsenal, such as phony emails asking for access codes or a USB drive being used in an office that typically uses a network for data and software access.
Be mindful of cyber threats when hiring, whether that’s looking out for a candidate’s criminal background or personality traits, or assessing their cyber safety awareness.
Adopt stringent subcontracting processes because any organisation is vulnerable to the risks associated with its vendors’ networks. Work only with suppliers who share your culture of mitigating cyber risks.
Monitor employees and let them know that their cyber activity is under surveillance. Routers and firewalls can monitor outgoing channels, but conducting spot checks or regular physical checks may be necessary for other methods of exfiltration, such as flash drives and printouts.
According to Prof. Creese, “cybersecurity is about balance, risk-management and understanding whether you are secure enough to do what you need to do. The leaders of enterprises large and small need everyone in the organization to be involved.”