Companies spend countless dollars and man hours trying to keep outside attackers from breaching their systems, but what about attacks that come from the inside? Insider attacks are on the rise, and they can be even more dangerous because insiders typically know where an organization’s sensitive data lives and often have elevated levels of access, regardless of whether they have malicious intentions or not. Accidentally or deliberately, insiders can help expose confidential customer information, intellectual property, money and more.
Who are insider attackers?
Insiders are people who are authorized to know sensitive information about the company, said Moty Kanias, VP of cyber strategy and alliances with NanoLock. They could be workers, managers, third-party contractors, providers or anyone else who has official authority to change or use computer data. But not all attacks are the same.
“It’s very hard to define between an attack and a mistake that a person makes,” Kanias said. “The sad problem is that now we live in a world where everyone can change data on their computers or on their systems, and it does cause a lot of mess sometimes.”
The primary insider attack most people think of is the case of Edward Snowden, who leaked highly classified information from the National Security Agency (NSA) back in 2013. But most insider attacks never reach the public, Kanias said, and are not malicious in nature. It’s important to remember that many insider attacks aren’t traditional “attacks.” They’re the work of well-intentioned employees who make a mistake, and companies are reluctant to disclose employee mistakes if they don’t have to.
So why are insider attacks so dangerous? Employees on the inside have sensitive information about their company and where its secrets are kept. They know basic things that an adversary usually doesn’t know, and adversaries are adept at tricking employees into divulging this information.
“With social engineering, which is also a huge thing that is now on the rise, we see adversaries contacting people, insiders, for a bit of information,” Kanias said. “Working hours, maybe names of other people and maybe systems that the company uses, programs and operating systems, and even the specific firewall and what’s possible to do or impossible to do.”
Why are insider attacks on the rise?
When we do hear about insider attacks, it’s usually because of two factors. The first is that sensitive information came out. In some countries, according to the law, once sensitive information is stolen, you must report it to the authorities. The second reason is that something bad happens to the company, such as getting infected with ransomware. In that case, it’s impossible to bury your head in the sand and pretend you don’t have a problem.
The rise of ransomware and social engineering attacks has certainly raised the risk of an insider breach, but organizations are also vulnerable because they often don’t have appropriate cybersecurity protections in place.
“Adversaries usually attack what they can,” Kanias said.
Outdated legacy equipment can be a significant factor, as well. Nowadays, there is a lot of computer equipment that is not supported anymore, which means it’s very easily attacked.
How to remediate insider attacks
There are several steps companies can take to help lessen the risk of insider attacks. The first is to look inside the company and figure out how the network is built. You have to know your system, what you’re connected to and what equipment you use. Companies should also start investing in new world cybersecurity products and adopting strategies like zero trust.
“A lot of people don’t understand what [zero trust] means,” Kanias said. “Basically, from my point of view, it just means taking some of the abilities of every worker to change any parameters that they can and make sure that only authorized people can make changes on your system. So … try to find zero-trust solutions, and make sure you apply them in your organization, educate the workers.”
It’s also essential to teach basic cybersecurity hygiene to employees, so people can recognize a standard phishing email or other targeted attack. It’s not always a malicious employee who allows an intrusion; sometimes it’s somebody who clicks on a link they shouldn’t have clicked.
“I think [cyber hygiene] is more important than first aid,” Kanias said. “First aid, you can always call an ambulance, 911. But when you get a cyberattack, there’s no one really you can call, and nobody will be there within five or 10 minutes. You never know how deep an attack can go.”
In a connected world, everybody is at risk. Even if a threat actor doesn’t breach your internal systems, they can still gain access through workers’ personal social media or Wi-Fi on a mobile device in a factory.
“If a manager will just close their eyes and say, ‘Well, cyber can’t reach us,’ they should wake up and understand that we’re all connecting all around,” Kanias said. “It’s just a matter of time until companies will get attacked. It’s not if, it’s only when.”
Watch for Part 2 of our interview with NanoLock’s Moty Kanias in the coming weeks, where he will discuss the impact of Industry 4.0 on cybersecurity.