Your worst nightmare: an employee with network access and an ax to grind

The news media focuses on external attacks such as malicious email attachments and ransomware as if they were the only attack vector, but internal threats remain one of the most common cybersecurity issues facing any organization. Learn how to protect your company against all threats, internal and external, so you do not put your employees' and customers' data at risk because you think you know someone.

The news media focuses on external attacks such as malicious email attachments and ransomware as if they were the only attack vector, but internal threats remain one of the most common cybersecurity issues facing any organization. The impact of data breaches involving employees can be significant because disgruntled internal bad actors often hold administrative privileges to systems and data that others cannot access. The door is wide open for them to launch an attack and hold the organization hostage.

According to a 2017 Verizon report, 25 percent of data breaches last year were carried out by insiders. Most companies spend significantly more time and resources preventing external threats, which is important and cannot be ignored, but companies that ignore the potential damage from insiders do so at their own peril: while internal threats can be harder to detect, they can cause more lasting and significant harm.

Motivation for Attacks

There are many motivations for insider attacks; not surprisingly, greed and revenge are the most common. Greed is easy to understand but hard to predict. Employees may want to gain a financial advantage by stealing and selling corporate intellectual property, by committing fraud, or by identity theft. It is often difficult or impossible to predict which employees are susceptible to temptation. In one case, an Expedia employee hacked into executive laptops to steal corporate financial information and made stock market trades based on that insider information. That hack went on for 3 years before the perpetrator was caught and sentenced to 15 months in prison.

The other motivation is revenge. When people feel threatened, they can make poor and dangerous decisions. One example is a network engineer at West Virginia's energy company EnerVest who committed data sabotage after learning he was going to be terminated. CIO wrote in 2014 that he reset all network servers to factory default settings and disconnected remote backups. The perpetrator was caught and faced criminal prosecution, but the damage left EnerVest unable to conduct operations for 30 days, which cost in excess of $1 million.

How do you protect yourself against an attack from within your company?

  1. Know who you are hiring: When you are hiring for positions that will have access to sensitive information and systems, it is really important to know the candidate's background. It is well worth the time and expense to do a full background check and to check as many references as possible.
  2. Institute a peer review system: Any sensitive or destructive action should require two people to complete, cutting down on lone-wolf attacks. Sysadmins should work in pairs to review each other's work and approve each other's actions. Things like deleting servers, removing backups, or deleting log files should require two approvals. This might seem threatening to some, but a good engineer will understand that this is for the good of the company and will have nothing to hide. If they don't understand the value of this, see recommendation #1.
  3. Monitor your systems: Put access control systems in place that log changes and alert multiple staff members when unusual activity is occurring. Modern alerting systems have built-in artificial intelligence to better recognize attacks that are designed to be concealed.
  4. Maintain tight control on passwords: There is a critical balance between ensuring that your IT people have the powers they need to get their jobs done and setting limits on their overall control over the systems. It is also important to NEVER have shared passwords. Shared passwords make it impossible to track who is using the account and making changes. Finally, create a super admin account for a very small number of highly trusted executives so that they can back out any changes or damage a hacker might cause.
  5. Never allow an employee with elevated access to continue working after being let go: You should have a process in place to swiftly lock out a departing employee. This may seem cold, but it is critical. In 2008, a Fannie Mae employee was told in the morning that he would be let go at the end of the day. That employee spent the rest of the day sabotaging the network and deleting valuable company data.
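Recommendations 2 through 5 above all come down to checks that can be run over an audit log: destructive actions without a second approver, activity on shared accounts, activity on accounts that should already be locked, and a burst of destructive actions by one person. The script below is an added example written for this article, not code from the article or from any product it mentions. It assumes a simple constructed audit-line format (`timestamp user action target approver`, with `-` for no approver) and constructed account names and log lines; real systems will need their own parser, but the review logic is the same.

```python
"""Review a simple audit log for the insider-threat patterns the article lists.

Added example. The log format, account names and sample lines below are all
constructed for illustration; they are not taken from any real system.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Actions the article calls out as needing two approvals (recommendation 2).
DESTRUCTIVE_ACTIONS = {"delete_server", "remove_backup", "delete_logs", "factory_reset"}
# Constructed names of shared accounts that should never appear in the log (rec. 4).
SHARED_ACCOUNTS = {"admin", "root", "svc_backup"}
# Constructed list of accounts whose owners have been let go (rec. 5).
TERMINATED_ACCOUNTS = {"jdoe"}
# A "burst" is this many destructive actions by one user inside the window (rec. 3).
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    target: str
    approver: Optional[str]  # None when the line carries "-"


@dataclass(frozen=True)
class Finding:
    code: str
    user: str
    target: str
    ts: datetime


def parse_line(line: str) -> Event:
    """Parse one constructed audit line: 'ISO-timestamp user action target approver'."""
    ts, user, action, target, approver = line.split()
    return Event(datetime.fromisoformat(ts), user, action, target,
                 None if approver == "-" else approver)


def review(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per policy violation. Lines are assumed time-ordered."""
    findings: List[Finding] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # user -> recent destructive timestamps
    burst_reported = set()

    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ev = parse_line(raw)

        # Recommendation 5: a locked-out account must not show up at all.
        if ev.user in TERMINATED_ACCOUNTS:
            findings.append(Finding("terminated_account", ev.user, ev.target, ev.ts))

        # Recommendation 4: shared accounts hide who really acted.
        if ev.user in SHARED_ACCOUNTS:
            findings.append(Finding("shared_account", ev.user, ev.target, ev.ts))

        if ev.action in DESTRUCTIVE_ACTIONS:
            # Recommendation 2: a second, different person must approve.
            if ev.approver is None or ev.approver == ev.user:
                findings.append(Finding("unapproved_destructive", ev.user, ev.target, ev.ts))

            # Recommendation 3: several destructive actions in a short window.
            window = recent[ev.user]
            window.append(ev.ts)
            while window and ev.ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_COUNT and ev.user not in burst_reported:
                burst_reported.add(ev.user)
                findings.append(Finding("destructive_burst", ev.user, ev.target, ev.ts))

    return findings


# Constructed sample log. jdoe is on the terminated list and is wiping servers
# without a second approver; asmith's deletion is properly approved by bchen.
AUDIT = """\
2014-06-03T22:10:05 jdoe factory_reset srv-db-01 -
2014-06-03T22:11:40 jdoe remove_backup offsite-01 -
2014-06-03T22:12:02 jdoe delete_logs srv-db-01 jdoe
2014-06-03T23:00:00 asmith delete_server srv-test-07 bchen
2014-06-03T23:05:00 admin restart_service srv-web-02 -
2014-06-04T09:00:00 bchen create_user svc_report -
"""

if __name__ == "__main__":
    for f in review(AUDIT.splitlines()):
        print(f"{f.ts.isoformat()} {f.code:24} user={f.user} target={f.target}")
```

Run as a script, it lists eight findings: every jdoe line is flagged twice (terminated account and no valid second approver), the third jdoe line also triggers the burst rule, and the `admin` line is flagged as a shared account. The asmith deletion produces nothing because a different person approved it. Self-approval is treated the same as no approval, since a peer review that the actor can satisfy alone is not a peer review.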

For many people, the workplace is a second home, and the people we work with are often like family, so it is hard to imagine senior-level employees committing these types of acts. However, it is hard to know what people are going through outside of work and what kind of personal problems they may be facing. If you do not protect your company against all threats, internal and external, you are putting all your employees' and customers' data at risk because you think you know someone.