A receptionist at a large, international charity received an email from a supplier who seemed familiar to her.
Attached was a legitimate-looking invoice, which she opened without suspicion.
Unbeknownst to her, the PDF file went on to infect the network with “ransomware”, a programme that blocks all access to the system until a sum of money is paid.
The April incident threatened the entire non-profit organisation’s functionality, as the ransomware was also designed to read and encrypt internal files.
Forged emails like these are one type of sophisticated phishing attack by cyber-criminals who are able to mimic the writing styles of people an employee knows, thus encouraging them to open attachments or click on malicious links.
“Even the best-trained employees are vulnerable to these forms of socially engineered attacks,” reads a report by online security firm Darktrace, which helped the charity in the aftermath of the attack.
Darktrace was able to flag the receptionist’s computer for anomalous behaviour when it contacted a Ukrainian server to download the strange file, and the company quickly contacted the charity to take the infected computer offline.
Such cases of insider threats – where an employee’s action exposes the company to cyber-attacks – have unfortunately become the rule in organisations today, rather than the exception.
Given the increasingly complex security landscape and growing sophistication of cyber-criminals, traditional perimeter defences are no longer enough to protect a network.
Companies now need to look inward as well, and strengthen their defences against insider threats.
Eric Meyer, CEO of Apvera, which offers a cyber threat intelligence platform, says more and more cyber-security breaches these days have been proven to be employee-related.
“People are not just a company’s greatest asset but also their biggest vulnerability,” he says.
Within the firewall
Last year, large global companies including JP Morgan Chase, T-Mobile and Sony were hit by massive data breaches originating from within the organisations themselves.
Most security tools today focus on identifying malware-initiated attacks, but insider breaches are committed by employees with valid data access privileges.
“Insiders already have access to your network, understand security protocols, and have permissions to access sensitive data,” says Meyer.
Tiffany See, Vice President of HR, Commercial Sales, for Asia-Pacific at data storage provider Dell EMC, says even when companies have the latest security controls and software, there are still risks. “All it takes is just one click from an uninformed employee to give access to threat actors and circumvent the technologies,” she says.
Vital to addressing such risks is to proactively monitor user activity and flag alerts for unusual behaviour.
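One way to put that monitoring into practice, as an added illustration that is not code from the article or from any vendor it quotes: build a per-workstation baseline of the external destinations each machine normally contacts, then alert when a machine reaches a destination absent from its own history, raising the severity when that first contact also delivered an executable-like download (the pattern in the receptionist incident above). The proxy log lines, host names and IP are constructed for the example.

```python
from collections import defaultdict

# Constructed sample proxy log lines (not from the article). Fields are:
# timestamp, source workstation, destination, HTTP method, response content-type.
BASELINE_LOGS = """\
2023-04-01T09:02:11 reception-pc01 mail.example-charity.org GET text/html
2023-04-01T09:15:40 reception-pc01 supplier-portal.example.com GET text/html
2023-04-02T10:01:03 reception-pc01 mail.example-charity.org GET text/html
2023-04-02T11:20:55 finance-pc07 bank.example.net GET text/html
""".splitlines()

TODAY_LOGS = """\
2023-04-12T08:58:12 reception-pc01 mail.example-charity.org GET text/html
2023-04-12T09:03:44 reception-pc01 203.0.113.17 GET application/octet-stream
2023-04-12T09:10:02 finance-pc07 bank.example.net GET text/html
2023-04-12T09:12:30 finance-pc07 cdn.example.org GET image/png
""".splitlines()

# Content types that indicate a binary download; a first contact that also
# serves one of these is treated as high severity.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}


def parse_line(line):
    """Split one whitespace-delimited proxy record into a dict."""
    ts, host, dest, method, ctype = line.split()
    return {"ts": ts, "host": host, "dest": dest, "method": method, "ctype": ctype}


def build_baseline(lines):
    """Per-workstation set of destinations observed during the learning window."""
    seen = defaultdict(set)
    for rec in map(parse_line, lines):
        seen[rec["host"]].add(rec["dest"])
    return seen


def detect_new_destinations(baseline, lines):
    """Return (timestamp, host, destination, severity) for every request whose
    destination is absent from that host's own baseline. A host unknown to the
    baseline has an empty history, so all of its destinations are flagged."""
    alerts = []
    for rec in map(parse_line, lines):
        if rec["dest"] in baseline.get(rec["host"], set()):
            continue
        severity = "high" if rec["ctype"] in EXECUTABLE_TYPES else "low"
        alerts.append((rec["ts"], rec["host"], rec["dest"], severity))
    return alerts
```

In a real deployment the baseline window should be long enough to cover normal weekly and monthly activity, and low-severity alerts are better reviewed in bulk than paged on individually.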
One major insider threat comes from the Bring Your Own Device (BYOD) policies that many organisations have in place, allowing staff to use their own smartphones, tablets and laptops at work.
This combines dangerously with a laissez-faire attitude that many staff have toward cyber-security in their personal lives.
In a Singapore poll, digital security company Gemalto found that employees across the country look for the quickest and easiest way to do things online – even if it puts systems at risk.
“Out of 76% (of 500 respondents) who use personal devices to access work emails, only half were required by their company to implement security measures such as regularly changing passwords,” says Yeo Eng Sheng, Gemalto’s HR Director for Southeast Asia, Oceania, and Japan.
More than 45% of respondents had also downloaded an unverified app onto a work device, with one-third doing so without the knowledge of their IT department.
In addition, almost half of Singapore workers had not gone through any security training in the workplace.
New types of attacks are also catching staff, and their employers, unawares.
HR and IT: A dynamic duo
While insider threats cannot be completely removed, effective employee management can curtail much of the risk.
HR hence needs to partner with both senior management and the IT department to prevent human vulnerabilities from being exploited.
“Nobody can constantly watch what employees are doing – unless you use a technology to help you detect, analyse, and engage possible threats,” says Meyer.
For India-headquartered telecommunications solutions provider Tata Communications, HR practitioners play a role in building a sustainable security culture.
This starts right from the recruitment process.
“A thorough background check helps eliminate prospective threats right at the start,” says Aadesh Goyal, Global Head of HR.
The learning and training team also puts all employees through mandatory online and on-ground training programmes in information security, Goyal says. HR’s role at the company also extends to investigating potential internal threats and reporting to the IT and legal departments.
Dutch firm Gemalto, which employs 1,400 people in Singapore, is also concerned about internal threats. Its online security team joins forces with HR to ensure employees are aware of the threats and take preventive steps to minimise the company’s exposure to them.