One of the most significant cybersecurity threats of 2020 came from within. Here’s how your company can respond.
In August 2020, a major ransomware attack was thwarted at Tesla in a story so outlandish that it reads like the script of a Hollywood film. It began in 2016, when a Russian man named Egor Igorevich Kriuchkov befriended a Tesla employee. Four years later, they reconnected over WhatsApp, and before long, Kriuchkov had flown to the United States to meet with the employee in person.
After several days spent driving around the Lake Tahoe region, with Kriuchkov generously footing the bill, he finally made his offer: $500,000 to install ransomware software on Tesla’s network.
Instead of taking Kriuchkov up on his offer, the employee reported the affair to management at Tesla. Kriuchkov was later arrested by the FBI trying to flee the country.
As lurid as these details may be, by Kriuchkov’s account, it had worked in the past. More significantly, other insider attacks have succeeded, including a scheme this summer which resulted in the hack of several prominent Twitter accounts.
The strategy of targeting insiders to carry out an attack, known as “social engineering,” is a serious threat, made worse by the methods hackers use to exploit and manipulate their targets. This can make it seem like an impossible problem. After all, how can companies protect their digital infrastructure if the very people who are charged with protecting it could be bought or coerced to turn against them?
In fact, insider attacks are not the silver bullet they first appear to be. Companies can follow cybersecurity best practices to prevent these attacks from taking place, and the tools they have at their disposal to do so are becoming more sophisticated every day. Here are a few steps you can take to protect your own company from inside attacks.
1. Educate your employees.
First and foremost, let’s remember that employees can compromise a company’s digital security through human error, without any malicious intent. Having cybersecurity best practices in place will help keep employees from leaking information by mistake, but so will regular employee training about common hacking tactics.
While social engineering may be a tactic employed against organizations with tight security, at many businesses it is far more effective—and less risky—for an attacker to employ proven strategies such as spearphishing. Spoofed emails are becoming more convincing and harder to detect, and companies should take extra care to educate everyone about how to identify them. This is especially true for executives or high-ranking employees with greater information access.
2. Create systems of least access.
Employees can’t leak files they can’t access. The more restricted access to sensitive information is, the less likely it is that it will fall into outside hands.
Most cybersecurity compliance regulations have guidelines in place for how businesses should classify the sensitivity of various kinds of information. NIST security standards, for instance, require businesses to identify Controlled Unclassified Information (CUI), and separate it from information which can be freely shared.
From there, CUI should be separated by department and need of access. There should be no reason for someone in the engineering department to have access to financial records, or for someone in accounting to have access to blueprints.
3. Invest in systems with additional oversight.
In addition to limiting employee access to sensitive files, each employee should have a unique username so that there is transparency about who is accessing that data. This makes it easier to trace any security breach back to its source—which might deter someone from attempting an inside hack in the first place.
In some cases, businesses might also want to require that an employee make a formal request for access to a superior before they can access certain information.
Much of the newer Microsoft 365 tooling allows more oversight and control over workstations, including features such as conditional access. This means that, even if someone has a valid username and password, they can’t reach certain files unless they are also on a trusted workstation.
4. Physical security matters.
We’re used to thinking of hacking attempts as taking place online, but some targeted attacks are initiated by in-person activity. Two common tactics are tailgating and spoofing.
Tailgating is when someone follows someone else in through a restricted entrance. Most of us are so strongly socially conditioned that we will hold the door for someone behind us without even thinking. Even when we know we should ask for proof of identification, doing so feels so rude that employees avoid it, for fear of causing awkwardness.
Spoofing is when a hacker poses as a technician or other hired worker. By posing as a professional, they can trick an employee into giving them physical access to a space.
Like other security measures, the best prevention techniques involve employee education and policy enforcement. Make sure that it is understood that no one is exempt from following these practices.
5. Have a process for removing ex-employees from your system.
Finally, one common issue that many businesses run into is not having a process in place for revoking the access of former employees. A disgruntled employee may retaliate by leaking sensitive information, and this would be bad enough. But as with all security measures, it’s just as likely that a former employee might accidentally be the cause of a security breach.
They may have saved documents to their laptop in an old folder and forgotten about them, or they may have reused a username and password combination several times and forgotten that it was also used on a work account. If that combination is cracked, they may take the time to reset the credentials they’re still actively using, but they may not even think about the credentials they used while they were your employee.
To prevent this, it’s important to keep track of what documents each employee has access to, and to remove that access systematically when an employee leaves your organization. The same should be true of any physical hardware your employee possesses.
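As an added illustration (not part of the original article), the following Python access review applies three of the controls above to a constructed audit log: department-scoped information classes (section 2), one login per person so access is traceable (section 3), and revocation of access when someone leaves (section 5). The departments, usernames, dates and file paths are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed data for this example: which information classes each department may read.
ALLOWED = {
    "engineering": {"blueprints", "public"},
    "accounting": {"financial", "public"},
}

@dataclass(frozen=True)
class Account:
    username: str
    department: str
    owners: tuple                     # people who hold this login; exactly one keeps access traceable
    left_on: Optional[date] = None    # offboarding date, once the person has left

ACCOUNTS = {a.username: a for a in [
    Account("jdoe", "engineering", ("J. Doe",)),
    Account("asmith", "accounting", ("A. Smith",)),
    Account("rlee", "engineering", ("R. Lee",), left_on=date(2020, 7, 31)),
    Account("eng-shared", "engineering", ("J. Doe", "R. Lee")),   # a shared login
]}

# Constructed audit log entries: (date, username, information class, path).
LOG = [
    (date(2020, 8, 3), "jdoe", "blueprints", "cui/eng/chassis.dwg"),
    (date(2020, 8, 3), "jdoe", "financial", "cui/fin/q2-ledger.xlsx"),
    (date(2020, 8, 4), "asmith", "financial", "cui/fin/q2-ledger.xlsx"),
    (date(2020, 8, 5), "rlee", "blueprints", "cui/eng/battery.dwg"),
    (date(2020, 8, 5), "eng-shared", "blueprints", "cui/eng/battery.dwg"),
    (date(2020, 8, 6), "ghost", "public", "handbook.pdf"),
]

def review(log, accounts, allowed):
    """Return a (username, path, reason) finding for every log entry that violates a control."""
    findings = []
    for when, user, info_class, path in log:
        acct = accounts.get(user)
        if acct is None:
            findings.append((user, path, "unknown account"))
            continue
        if len(acct.owners) != 1:                     # section 3: one login per person
            findings.append((user, path, "login not tied to one person"))
        if acct.left_on is not None and when > acct.left_on:   # section 5: offboarding
            findings.append((user, path, "access after offboarding"))
        if info_class not in allowed.get(acct.department, set()):   # section 2: least access
            findings.append((user, path, f"{acct.department} may not read {info_class}"))
    return findings
```

Run `review(LOG, ACCOUNTS, ALLOWED)` and every entry in the result is something an access reviewer would either revoke or explain.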
A culture of cybersecurity isn’t about creating distrust, but about promoting diligence and vigilance.
One of the hardest aspects about discussing cybersecurity measures with an organization is that no one wants to feel like they can’t trust their coworkers—or that they themselves are distrusted by others.
Because of this, it’s very important that organizations go out of their way to discuss why these measures are necessary. The more security becomes a normal part of the culture, the less employees will feel called out.