A receptionist at a large, international charity received an email from a supplier who seemed familiar to her.
Attached was a legitimate-looking invoice, which she opened without suspicion.
Unbeknownst to her, the PDF file went on to infect the network with “ransomware”, a programme that blocks all access to the system until a sum of money is paid.
The April incident threatened the entire non-profit organisation’s functionality, as the ransomware was also designed to read and encrypt internal files.
Forged emails like these are one type of sophisticated phishing attack by cyber-criminals who are able to mimic the writing styles of people an employee knows, thus encouraging them to open attachments or click on malicious links.
“Even the best-trained employees are vulnerable to these forms of socially engineered attacks,” reads a report by online security firm Darktrace, which helped the charity in the aftermath of the attack.
Darktrace was able to flag the receptionist’s computer for anomalous behaviour when it contacted a Ukrainian server to download the strange file, and the company quickly contacted the charity to take the infected computer offline.
Such cases of insider threats – where an employee’s action exposes the company to cyber-attacks – have unfortunately become the rule in organisations today, rather than the exception.
Given the increasingly complex security landscape and growing sophistication of cyber-criminals, traditional perimeter defences are no longer enough to protect a network.
Companies now need to look inward as well, and strengthen their defences against insider threats.
Eric Meyer, CEO of Apvera, which offers a cyber threat intelligence platform, says more and more cyber-security breaches these days have been proven to be employee-related.
“People are not just a company’s greatest asset but also their biggest vulnerability,” he says.
Within the firewall
Last year, large global companies including JP Morgan Chase, T-Mobile and Sony were hit by massive data breaches originating from within the organisations themselves.
Most security tools today focus on identifying malware-initiated attacks, but insider breaches are committed by employees with valid data access privileges.
“Insiders already have access to your network, understand security protocols, and have permissions to access sensitive data,” says Meyer.
Tiffany See, Vice President of HR, Commercial Sales, for Asia-Pacific at data storage provider Dell EMC, says even when companies have the latest security controls and software, there are still risks. “All it takes is just one click from an uninformed employee to give access to threat actors and circumvent the technologies,” she says.
Vital to addressing such risks is to proactively monitor user activity and flag alerts for unusual behaviour.
One major insider threat comes from the Bring Your Own Device (BYOD) policies that many organisations have in place, allowing staff to use their own smartphones, tablets and laptops at work.
This combines dangerously with a laissez-faire attitude that many staff have toward cyber-security in their personal lives.
In a Singapore poll, digital security company Gemalto found that employees across the country look for the quickest and easiest way to do things online – even if it puts systems at risk.
“Out of 76% (of 500 respondents) who use personal devices to access work emails, only half were required by their company to implement security measures such as regularly changing passwords,” says Yeo Eng Sheng, Gemalto’s HR Director for Southeast Asia, Oceania, and Japan.
More than 45% of respondents had also downloaded an unverified app onto a work device, with one-third doing so without the knowledge of their IT department.
In addition, almost half of Singapore workers had not gone through any security training in the workplace.
New types of attacks are also catching staff, and their employers, unawares.
Due to the growing Internet of Things movement, non-traditional technologies – anything from connected coffee machines and printers, to air-conditioning and biometric sensors – are now also being exploited by cyber-criminals. They are able to jump into corporate networks unobserved via these otherwise typical devices.
“Most organisations do not recognise the true breadth of their digital businesses,” Sanjay Aurora, Managing Director for Asia-Pacific at Darktrace says. “The number of connected devices on their networks is often grossly underestimated.”
HR and IT: A dynamic duo
While insider threats cannot be completely removed, effective employee management can curtail much of the risk.
HR hence needs to partner with both senior management and the IT department to prevent human vulnerabilities from being exploited.
“Nobody can constantly watch what employees are doing – unless you use a technology to help you detect, analyse, and engage possible threats,” says Meyer.
For India-headquartered telecommunications solutions provider Tata Communications, HR practitioners play a role in building a sustainable security culture.
This starts right from the recruitment process.
“A thorough background check helps eliminate prospective threats right at the start,” says Aadesh Goyal, Global Head of HR.
The learning and training team also puts all employees through mandatory online and on-ground training programmes in information security, Goyal says. HR’s role at the company also extends to investigating potential internal threats and reporting to the IT and legal departments.
Dutch firm Gemalto, which employs 1,400 people in Singapore, is also concerned about internal threats. Its online security team joins forces with HR to ensure employees are aware of the threats and take preventive steps to minimise the company’s exposure to them.
“Our HR is also part of the investigation team for suspected or actual breaches, and metes out disciplinary actions,” says Yeo.
Gemalto staff wear badges engraved with a set of eight cyber-security tips, for them to refer to when unsure about best practices. All employees are also required to attend annual updated security briefings and take online quizzes.
Comprehensive security briefings are conducted for new Gemalto hires during their orientation.
“Here, HR plays the important role of an educator and enforcer, by dispensing security guidelines, teaching secure practices to employees, identifying security gaps, and monitoring suspicious behaviours,” Yeo says.
Similarly, at Dell EMC, the HR team works with the cyber-security team to educate and train all employees.
This includes compulsory training sessions to build awareness, and formal procedures for reporting suspicious activity.
These measures complement the security systems that help prevent third-party intrusions and inadvertent unauthorised access to sensitive information.
“We collaborate to transform our people from security liabilities, into security assets,” says See.
Specifically, team members must complete an online training module about privacy and data protection awareness every year.
“Training users and raising awareness of risks is the low-hanging fruit in shoring up an organisation’s security posture,” See says.
See’s HR team also works with the IT department to make sure both sides stay up to date on the latest scams and vulnerabilities. When IT detects unusual employee behaviour, it can work with HR to understand the issue, update training, and look for tools that can help mitigate any risks.
“Collaboration is essential. Approaching security in silos will mean vital information is not shared, making the organisation vulnerable,” See says.
Dell’s HR also uses innovative learning approaches, such as gamification. See says this improves information retention and keeps employees interested in the training.
Likewise, security intelligence and analytics firm LogRhythm also offers a fresh, “fun” take on its security awareness programmes, according to its Chief Information Security Officer James Carder.
The company uses a combination of humorous training videos, quizzes, and real-world exercises for its employees.
“We drop USB drives containing malicious code all over campus (the company’s office complex), and the code lets us know if you plug it in and if you click on any of the malicious code we installed,” says Carder.
LogRhythm has also faked a wireless access point with the same name as a local hotel chain, to see if employees would connect to it and submit their username and password as credentials.
“Our elaborate exercises are starting to get famous,” Carder says. “No one at LogRhythm will plug in a USB drive they don’t recognise, they’ll triple check and often won’t connect to guest wireless networks, and they definitely won’t be fooled by fake phishing emails.”
Getting it wrong
However, despite the prevalence of high-profile breaches in recent years, some organisations still believe they will never be hacked.
“Any company is fair game,” says See from Dell EMC.
Other mistakes in managing cyber-security include: allowing employees to share passwords, thinking IT professionals are necessarily also cyber-security professionals, and not testing employee behaviour.
At times, companies also ignore “shadow IT”, or devices and software that the IT department does not manage because they are brought in by staff under BYOD policies or to help them with their work, See says.
Many employers do not understand what goes into effective cyber-security programmes, the experts HRM Asia spoke with confirmed.
Most enterprises spend the majority of their security budget on prevention measures – such as firewalls, strong user authentication, intrusion prevention, and antivirus systems – says Meyer from Apvera.
But successful hackers have long since figured out how to beat these systems.
Compounding the challenge is the possibility of “artificial intelligence attacks” in the future, cautions Darktrace’s Aurora.
These imitate network users and blend easily into the “noise” of a busy network.
“To combat new threats, organisations need a new security model, one that can anticipate and respond immediately to any type of threat,” Meyer says.
The surge in insider threats and escalating costs of breaches have forced C-suite leaders and HR to recognise cyber-security as part of an organisation’s broader risk management framework.
Buy-in from senior management is vital. Security best practices are more likely to be implemented and consistently followed in a company with a high level of board engagement on the issue.
“Our leadership considers cyber-security as a business priority, instead of limiting it to the IT department,” says Goyal.
LogRhythm’s Carder points out that in cyber-security, HR and IT are not the only ones who need to work together.
“Every department needs to move in the same direction and be diligent in ensuring they minimise exposure to security risks and threats,” he says.
A comprehensive cyber-security strategy should include threat detection and response; governance, risk and compliance; identity and access management; fraud prevention; and education and training, says See from Dell EMC.
“It’s important to give employees the access they need to do their job without putting the organisation through more risk,” she adds.
What are insider threats?
Employee-related cyber-security vulnerabilities can come in two forms. The first is when disaffected staff members deliberately try to sabotage the organisation. Seeing as HR is responsible for understanding employee behaviour, it is typically best placed to spot the early warning signs of disloyalty.
Insider threats also occur when well-intentioned employees make an honest mistake, such as accidentally sharing classified information on social media. In these cases, HR can make sure employees are regularly educated.
James Carder, Chief Information Security Officer at LogRhythm, says the biggest challenge usually lies in identifying insider threat.
“Hackers don’t just sit in front of a computer to break into your system; they try to blend into your environment and pose as a regular employee,” he says.
“If you don’t understand the behaviours of your business and your employees, it is very difficult, if not impossible, to detect an insider threat.”