The traditional security paradigm focuses on securing against external attacks. Organisations fear cybercriminals, DDoS attacks and the new generation of teenage bedroom hackers. All of these are credible threats, but focusing too heavily on outsiders often leads businesses to neglect internal risks.
According to research conducted by PwC alongside the Department for Business, Innovation and Skills, 58% of large organisations suffered staff-related security breaches in 2014, compared to just 24% detecting outsiders penetrating their networks.
The external threat is credible, but it’s not the only thing organisations should be worried about. A stronger firewall won’t stop someone with access to sensitive information stealing it from the inside.
The last year has seen a series of high profile data hacks. This time last year it was iCloud and a mix of celebrities who were the victims, then came JPMorgan Chase, Sony Pictures, the infamous Ashley Madison, and more recently Carphone Warehouse and TalkTalk.
Of all of these, TalkTalk is still being investigated, and Sony and the celebrities exposed via iCloud are arguably the only ones able to prove that no insider had a part to play in the breaches.
Ashley Madison openly admitted that an insider who had too much access privilege had stolen its data. CEO Noel Biderman even went as far as to state: "It was definitely a person here that was not an employee but certainly had touched our technical services."
Biderman summed up the company's failure himself: if that person wasn’t an employee, why did they have access to the data of an alleged 37 million users?
Security spend
There has been a marked rise in recent years in the amount organisations are spending on security. PwC and BIS research revealed that 15% of small-to-medium-sized businesses spend over 25% of their total IT budgets on security.
Considering the importance of IT in the modern business environment, a quarter is a large proportion of budget to be spending in a single area. It is especially worrying if the money spent isn’t actually providing full security by protecting against internal and external threats. IT budgets typically need to be spread across software, hardware, network management and data storage as well.
IT managers rightly tend to spend the greatest amount of money in areas they are most concerned about protecting, but internal protections do not feature high enough on the agenda.
Research by HP revealed 71% are very concerned with external threats, but only 46% indicated a strong concern for internal threats. This figure is particularly concerning as the vast majority of organisations (58%) admitted to suffering staff-related security breaches in 2014.
Least privilege
The key to securing against internal breaches is access management. As the Ashley Madison breach demonstrated, failing to control who is looking at what can have catastrophic consequences. Businesses must quantify risk, and ensure no employee has more access than required to complete their day-to-day role.
Enforcing the ‘principle of least privilege’ is a good first step. Number six on the government’s ten steps to cyber security states, “All users of your ICT systems should only be provided with the user privileges that they need to do their job.” In cases where staff will be dealing with sensitive information, monitoring user activity is a must.
For larger organisations with modern technology, enforcing the principle of least privilege without the right tools is not easy. Technology is more complex than ever before, and everyone needs access to something.
Determining who has access to sensitive information is almost impossible in a large organisation without proper tools. Conducting proper access reviews without assistance is next to impossible for people trying to complete a regular day-to-day job at the same time.
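To make the access-review idea concrete, here is a small added example (not from the article or from idax) that compares each account's actual grants against a role baseline and flags excess privileges, with extra weight on sensitive data held by non-employees, the situation described in the Ashley Madison case. Role names, entitlement strings and accounts are constructed sample data.

```python
from dataclasses import dataclass

# Role baseline: the entitlements a role needs for its day-to-day work.
# Constructed sample data; roles and systems are hypothetical.
ROLE_BASELINE = {
    "support-agent": {"ticketing:read", "ticketing:write", "crm:read"},
    "contractor-dev": {"repo:read", "ci:run"},
}

# Entitlements that touch sensitive data and therefore warrant monitoring.
SENSITIVE = {"customer-db:read", "customer-db:write", "backup:read", "crm:export"}

@dataclass
class Account:
    user: str
    role: str
    employee: bool
    entitlements: set

@dataclass
class Finding:
    user: str
    excess: set                  # granted but not in the role baseline
    sensitive_excess: set        # excess that also touches sensitive data
    non_employee_sensitive: set  # sensitive access held by a non-employee

def review_access(accounts):
    """Compare each account's grants with its role baseline and report deviations."""
    findings = []
    for acc in accounts:
        baseline = ROLE_BASELINE.get(acc.role, set())
        excess = acc.entitlements - baseline
        sensitive_excess = excess & SENSITIVE
        non_emp = (acc.entitlements & SENSITIVE) if not acc.employee else set()
        if excess or non_emp:
            findings.append(Finding(acc.user, excess, sensitive_excess, non_emp))
    # Rank so reviewers see the riskiest deviations first.
    findings.sort(key=lambda f: (len(f.non_employee_sensitive),
                                 len(f.sensitive_excess), len(f.excess)), reverse=True)
    return findings

# Constructed accounts: alice is within baseline, bob has an extra sensitive
# grant, carol is a non-employee with direct access to customer data.
ACCOUNTS = [
    Account("alice", "support-agent", True, {"ticketing:read", "ticketing:write", "crm:read"}),
    Account("bob", "support-agent", True, {"ticketing:read", "crm:read", "crm:export"}),
    Account("carol", "contractor-dev", False, {"repo:read", "ci:run", "customer-db:read"}),
]

for finding in review_access(ACCOUNTS):
    print(finding)
```

In practice the baseline and account lists would be exported from the HR system and the identity provider rather than hard-coded, and the report would feed a periodic review rather than a one-off run.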
Introducing the right technology, using data and predictive analytics to highlight problems and report on potential threats, can reduce the time taken reviewing access rights by as much as 90%.
Ultimately, if organisations continue to fail to invest in this space, they’ll just see more data breaches. Is it worth the risk allowing someone access to sensitive information they don’t need?
Internal threats exist, yet more is still being spent on protecting against external cybercriminals.
Organisations need to take a reality check, look at how others are being breached and understand the importance of a balanced approach to IT security that guards against all potential hazards.
Sourced from Mark Rodbert, CEO of idax