How to be Effective in the Wake of a Cyberattack

Helping you be prepared if an attack happens

We now live in an age where cyberattacks are the norm. Large or small, the question is not if you will be attacked, but when. Once the attack happens, will you be prepared for it? Asking these questions now is what keeps a business operating. Years on, experts still rank insider threats at the top of their cybersecurity concerns, and the combination of insider threats and external attacks is clearly not going away anytime soon. According to a report released last year by PwC, cyberattacks grew across all industries, by 38 percent specifically. Couple insider threats with the rise of ransomware, and you are looking at a digital world that can bring your real-world operations to a grinding halt. By now, you may be asking what an "insider" is and, by extension, what an insider threat is.

Put simply, an insider threat is a security threat that originates from within an organization rather than outside it. Insiders include employees, managers, officers and privileged third parties such as contractors and vendors. The incidents they cause can be categorized as spills (accidental exposure), leaks, espionage or outright sabotage. The main reason insider threat remains a top concern among cybersecurity experts is that it is a people problem, not a purely technological one; technology does, however, offer plenty of controls that help prevent insider incidents and data breaches. Before we explore those, let's look at how insiders have affected companies in 2017 so far.

2017 Context of Insider Threats

Insider threats continue to plague businesses. For a long time, attention was focused on malicious insiders. In the last two years, however, studies have shown that the share of incidents attributable to malicious actors within an organization has decreased; most insider incidents are now caused by negligent staff. Three of the most recent examples come from the Washington University School of Medicine, Chipotle and the UK National Health Service (NHS). All three were the result of negligent insiders. Let's look at how they happened.

Washington University School of Medicine

On December 2, 2016, an employee at the Washington University School of Medicine responded to a legitimate-looking phishing email. By doing so, the insider gave an external actor access to employee email accounts, which sat on an unsecured server and contained patient data on more than 80,000 people. Two questions to ask yourself about this scenario: what cybersecurity training had this employee received? And why did employee email accounts have access to patient data in the first place?

Chipotle

Chipotle suffered the same type of cyberattack that Home Depot, Target and Arby's faced. According to two cybersecurity researchers, the breach began with malware embedded in an email attachment titled "payment overdue." The body of the email claimed that a payment was due, although no such liability ever existed, and it laid out step by step what the recipient had to do to see the details and settle the payment. Because the email seemed legitimate, the employee followed every instruction: open the attached file in Microsoft Office and accept all of the warnings. Those warnings are the control that keeps code embedded in an attachment from running; clicking through them is what allowed the malware to infect a computer in Chipotle's Tulsa, Oklahoma, office.
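The control that would have stopped the attachment above is one that never asks the employee to make a judgment call: inspect the file before it reaches the inbox. The following Python script is added here as an illustration and is not taken from the article or from Chipotle. It shows the check an email gateway can apply to Office attachments: modern Office files are zip containers, and a file carrying VBA macros contains a vbaProject.bin part (and a matching content type), so the script looks for that regardless of the file extension, because Office opens a .docm renamed to .doc as a macro-enabled document anyway. The attachment bytes, file names and the block/review/allow policy are constructed for the example; the legacy binary .doc/.xls format is routed to manual review because inspecting it needs an OLE parser the script does not include.

```python
"""Gateway-side check for macro-bearing Office attachments.

Added example, not code from the article or from Chipotle. The sample
attachments below are constructed in memory; file names and the
block/review/allow policy are assumptions for illustration.
"""
import io
import zipfile

# Zip part names that exist only when a VBA project is embedded (OOXML).
VBA_PART_NAMES = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Extensions whose OOXML container is allowed to carry macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment.

    The decision is made on the file's content, not its extension, because
    Office opens a renamed .docm as a macro-enabled document anyway.
    """
    parts = filename.lower().rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""

    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams and need a real OLE
        # parser (e.g. oletools) to inspect, so hand it to a human or a sandbox.
        return "review"

    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        except zipfile.BadZipFile:
            return "review"  # claims to be a zip but is not: suspicious
        if names & VBA_PART_NAMES or VBA_CONTENT_TYPE in content_types:
            return "block"  # embedded VBA project, whatever the extension says
        if ext in MACRO_EXTENSIONS:
            return "review"  # macro-capable container with no project: unusual
        return "allow"

    # Neither container format: a macro-capable extension on unknown bytes is
    # worth a look; anything else passes to the next gateway stage.
    return "review" if ext in MACRO_EXTENSIONS else "allow"


def build_ooxml(parts: dict) -> bytes:
    """Constructed sample: the minimal zip layout of an Office document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00" * 32,  # placeholder for a VBA project stream
})

# Constructed mailbox scan: (filename, bytes) pairs as a gateway would see them.
SAMPLE_ATTACHMENTS = [
    ("invoice_2017-05.docx", CLEAN_DOCX),
    ("payment overdue.doc", MACRO_DOCM),          # .docm renamed to .doc
    ("statement.xls", OLE2_MAGIC + b"\x00" * 24),  # legacy binary workbook
    ("notes.txt", b"nothing to see here"),
]


def scan(attachments):
    """Classify every attachment; returns {filename: verdict}."""
    return {name: classify_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:6}  {name}")
```

The renamed "payment overdue.doc" is blocked on content, the clean .docx passes, and the legacy .xls is queued for review rather than waved through; a real gateway would add sandbox detonation for the review queue.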

UK National Health Service: WannaCry

The now infamous story of WannaCry at the UK NHS has become a staple example of how dangerous cyberattacks have become. The infection is usually described as starting with an employee opening an email attachment, but the spread did not depend on anyone clicking: WannaCry is a worm that propagated across networks on its own by exploiting a vulnerability in the Windows SMBv1 file-sharing service, one Microsoft had patched two months earlier (MS17-010) but which remained open on unpatched and end-of-life systems such as Windows XP. The rest is recent history. The NHS case demonstrates how damaging negligent insiders paired with ransomware can be, and also that awareness alone is no defense against self-propagating malware; patching and network segmentation matter just as much.


Lines of Defense

So far, 2017 has been a scary year for cybersecurity. The cases above show how easily security is bypassed when insiders are negligent. So what can you put in place as a line of defense? To start, most experts agree that security is more than technology alone: it has to work together with policy enforcement and employee security awareness. When setting up your security program, be sure it covers six areas: identification, monitoring, encryption, training, restriction and extension.

  1. Identification means knowing every device that can reach your network or your data. Security software often does an excellent job of protecting the network itself, but with mobile devices everywhere, employees routinely log in from unmanaged or unsecured devices that can expose sensitive information to criminals. You cannot protect, or restrict, a device you do not know about.
  2. Monitoring is one of the most important procedures a company can have in place. Data gathered from device usage, applications, email and logs can produce a comprehensive picture of how each employee normally works, which is what makes unusual behavior stand out. Monitoring is also the prerequisite for automated security response, which goes a step beyond merely alerting: an anomalous event can trigger re-authentication, a blocked session or a suspended account rather than just an email to an analyst.
  3. Encryption at rest and in transit is essential to protecting your organization's data, and it should apply to every device that connects to your network. Full-disk encryption on laptops and phones is what turns a stolen device into a hardware loss rather than a data breach, with one caveat: the data is only protected if the key is not stored alongside it and the device is locked when it goes missing, so pair encryption with screen locks and strong device passcodes.
  4. Security training for your employees is a must in today's world and one of the strongest ways to deter insider threats. Training should help employees understand the threats they may encounter in the course of their everyday jobs, which means it must be tailored to your organization's specific context: hospital staff need to recognize a fake records request, a finance team a fake overdue invoice. Training can go one step further and explain what the organization's data is worth and what losing it would mean for the company as a whole.
  5. The principle of least privilege is a restriction procedure: each employee's access and privileges are limited to the data their job actually requires. This deters malicious actors and limits the damage that negligent use of company information can do.
  6. The final line of defense is extending your security practices to any strategic partners and vendors who have access to your network. The Target breach demonstrated why this is critical: the attackers got in using credentials belonging to a third-party vendor, not a Target employee. All a cyber criminal needs is someone connected to the network, and it doesn't always have to be an employee. Engage with every stakeholder connected to you for another layer of security.
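To make the identification, monitoring and restriction points above concrete, here is a small Python script, added as an illustration and not taken from the article, that runs the kind of detection an insider-threat program's monitoring would perform. It parses a day of access-log lines, compares each user's volume of sensitive-file reads against that user's own history (a mean plus three standard deviations threshold), flags off-hours access and access from devices that are not under management, and then picks an automated response instead of only raising an alert. The log format, path list, hours window, threshold and response names are assumptions, and both the history and the log lines are constructed; a user with too little history gets a "no baseline" finding rather than a silently meaningless threshold.

```python
"""Behavioral monitoring over access logs, with an automated response step.

Added example, not from the article. The log format, the sensitive-path list,
the business-hours window, the 3-sigma threshold and the response actions are
assumptions; the history and log lines are constructed.
"""
import statistics
from datetime import datetime

SENSITIVE_PREFIXES = ("/patients/", "/finance/", "/hr/")
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time is considered normal
MIN_HISTORY_DAYS = 5            # fewer days than this and the baseline is unreliable

# Constructed history: sensitive-file reads per day for each user over the past week.
HISTORY = {
    "alice": [3, 4, 2, 5, 3, 4, 3],
    "bob": [1, 2, 1, 1, 2, 1, 1],
}

# Constructed log for the day under review: timestamp user device resource.
TODAY_LOG = """\
2017-05-08T09:02:11 user=alice device=managed resource=/patients/records/1001
2017-05-08T09:05:47 user=alice device=managed resource=/patients/records/1002
2017-05-08T09:06:13 user=alice device=managed resource=/public/policies/leave.pdf
2017-05-08T09:08:30 user=alice device=managed resource=/patients/records/1003
2017-05-08T09:11:02 user=alice device=managed resource=/patients/records/1004
2017-05-08T10:40:55 user=alice device=managed resource=/patients/records/1005
2017-05-08T13:15:09 user=alice device=managed resource=/patients/records/1006
2017-05-08T13:17:41 user=alice device=managed resource=/patients/records/1007
2017-05-08T16:58:20 user=alice device=managed resource=/patients/records/1008
2017-05-08T11:22:36 user=bob device=managed resource=/finance/payroll/2017-04.xlsx
2017-05-08T23:41:09 user=bob device=unmanaged resource=/patients/records/2203
2017-05-08T14:03:15 user=carol device=managed resource=/hr/reviews/2017-Q1.docx
"""


def parse_line(line):
    """Parse 'ISO-timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def volume_threshold(daily_counts):
    """Mean plus three standard deviations of the user's own daily history,
    or None when there is too little history for the number to mean anything."""
    if len(daily_counts) < MIN_HISTORY_DAYS:
        return None
    return statistics.mean(daily_counts) + 3 * statistics.stdev(daily_counts)


def choose_response(findings):
    """Automated response, most restrictive condition first (assumed policy)."""
    if "unmanaged_device" in findings:
        return "block_session"             # sensitive data from a device we do not control
    if "volume_spike" in findings:
        return "require_reauth_and_alert"  # step-up authentication, then a human looks
    if findings:
        return "alert_only"                # off-hours alone, or no baseline yet
    return "none"


def evaluate(log_text, history):
    """Return {user: {count, threshold, findings, response}} for one day of log."""
    per_user = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if not event["resource"].startswith(SENSITIVE_PREFIXES):
            continue                       # only sensitive data feeds the model
        user = per_user.setdefault(event["user"], {"count": 0, "findings": set()})
        user["count"] += 1
        if event["ts"].hour not in BUSINESS_HOURS:
            user["findings"].add("off_hours")
        if event.get("device") != "managed":
            user["findings"].add("unmanaged_device")
    for name, user in per_user.items():
        threshold = volume_threshold(history.get(name, []))
        if threshold is None:
            user["findings"].add("no_baseline")
        elif user["count"] > threshold:
            user["findings"].add("volume_spike")
        user["threshold"] = threshold
        user["findings"] = sorted(user["findings"])
        user["response"] = choose_response(user["findings"])
    return per_user


if __name__ == "__main__":
    for name, result in evaluate(TODAY_LOG, HISTORY).items():
        print(f"{name:6} reads={result['count']:2} findings={result['findings']} -> {result['response']}")
```

On the constructed day, alice's eight record reads exceed her personal threshold of about 6.4 and earn a forced re-authentication; bob's single late-night read from an unmanaged device blocks his session even though his volume is normal; carol has no history yet, so she is only flagged for review. Per-user baselines are the point: a flat organization-wide threshold would have missed alice and falsely flagged a busy billing clerk.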

Best Practices

Below you will find some best practices recommended by the CERT Division at Carnegie Mellon University's Software Engineering Institute. There is no silver bullet that stops insider threats; however, you can reduce your chances of falling victim to a breach if you start with the following security management practices.

Create an Insider Threat Program

An insider threat program is a company-wide effort run by a multi-disciplinary team. At minimum, that team usually includes the IT director and the HR director, and each member should receive specialized insider-threat awareness training. The program's purpose is to detect, prevent and respond to insider incidents. Establishing one brings departments together around a shared understanding of insider threat and produces coordinated processes to counter it.

Anticipate Negative Incidents in the Work Environment

Healthy work environments are known to be good for productivity, but did you know they also help mitigate insider threat? As the leader of your organization, your role here is to establish good relations between employees and their managers. People in your company can become a threat when stress and resentment build up in their lives, whether from personal financial problems, a toxic work environment or frustration with processes. Being proactive and checking in with employees about their work, health and well-being will be rewarded with more loyalty in the long run.

Access Management

When business owners roll out new systems for employees, they often do not take the time to implement the principle of least privilege. Threats from within grow when access to everything is left open, and a disgruntled employee has free rein to sabotage operations before leaving. Conduct periodic reviews to ensure each role carries only the minimum privilege necessary to do the job, and make removing access part of offboarding on the day someone leaves rather than whenever the next review happens. When there has been a negative incident, be especially vigilant for attempted breaches and unusual user behavior.
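The periodic review described above is something you can script against a directory export rather than eyeball in a spreadsheet. The Python below is an added example, not code from the article or from CERT: it compares the permissions each account actually holds against a per-role baseline (the least-privilege check), flags terminated users whose accounts can still act (the offboarding gap a disgruntled leaver exploits) and active accounts that have not logged in for 90 days, and maps the worst finding to the action the review should take. The role baseline, the accounts, the 90-day window and the finding and action names are constructed assumptions.

```python
"""Periodic least-privilege and offboarding review of an account inventory.

Added example, not from the article or from CERT. The role baseline, the
account export, the 90-day dormancy window and the finding and action codes
are constructed assumptions for illustration.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)

# What each role legitimately needs (constructed baseline).
ROLE_BASELINE = {
    "nurse": {"ehr:read", "ehr:write"},
    "billing": {"ehr:read", "billing:read", "billing:write"},
    "it_admin": {"ad:user_admin", "backup:restore"},
}

# Constructed directory export: one entry per account.
ACCOUNTS = [
    {"user": "alice", "role": "nurse", "status": "active",
     "last_login": date(2017, 5, 5), "granted": {"ehr:read", "ehr:write"}},
    {"user": "bob", "role": "billing", "status": "active",
     "last_login": date(2017, 5, 4),
     "granted": {"ehr:read", "billing:read", "billing:write", "ad:user_admin"}},
    {"user": "carol", "role": "it_admin", "status": "terminated",
     "last_login": date(2017, 4, 27), "granted": {"ad:user_admin", "backup:restore"}},
    {"user": "dave", "role": "contractor", "status": "active",
     "last_login": date(2017, 1, 10), "granted": {"ehr:read"}},
]

SEVERITY_ORDER = ["critical", "high", "medium", "low"]
ACTION_FOR_SEVERITY = {
    "critical": "disable_now",
    "high": "revoke_excess",
    "medium": "assign_role_and_rereview",
    "low": "confirm_still_needed",
}


def review_account(account, baseline, today):
    """Return a list of (severity, finding, detail) tuples for one account."""
    findings = []
    granted = set(account["granted"])

    if account["status"] != "active" and granted:
        # Offboarding gap: the person has left but the account can still act.
        findings.append(("critical", "terminated_with_access", sorted(granted)))

    required = baseline.get(account["role"])
    if required is None:
        # No baseline means nobody has decided what this account should have.
        findings.append(("medium", "unknown_role", account["role"]))
    else:
        excess = granted - required
        if excess:
            findings.append(("high", "excess_privilege", sorted(excess)))

    idle = today - account["last_login"]
    if account["status"] == "active" and idle > DORMANT_AFTER:
        # Unused access is pure risk: nobody notices when it is abused.
        findings.append(("low", "dormant_account", idle.days))
    return findings


def run_review(accounts, baseline, today):
    """Review every account; returns {user: findings}, clean accounts included."""
    return {a["user"]: review_account(a, baseline, today) for a in accounts}


def action_for(findings):
    """Map the most severe finding to the response the review should trigger."""
    worst = min((f[0] for f in findings), key=SEVERITY_ORDER.index, default=None)
    return ACTION_FOR_SEVERITY.get(worst, "none")


if __name__ == "__main__":
    for user, findings in run_review(ACCOUNTS, ROLE_BASELINE, date(2017, 5, 8)).items():
        print(f"{user:6} -> {action_for(findings):24} {findings}")
```

Run against the constructed export, alice is clean, bob is holding an admin right his billing role never needed, carol left ten days ago with her administrator account still live, and dave is a contractor nobody mapped to a role who has not logged in since January. Feeding the directory export in on a schedule turns the "periodic review" into a report someone must sign off on, which is the point.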

As insider threats remain an ever-present reality for business owners and managers, the need for sound security grows. Being caught off guard can mean halted operations, reputational damage and direct financial loss. You do not want to be in that position, so the best thing to do now is to invest in insider threat prevention. Together with thousands of other businesses, you can be part of a safer cyber environment.
