Category: Article

Categories
Article

Trust Thy Co-Worker

Trust Thy Co-Worker

Our everyday life is much stranger than we imagine and rests on fragile foundations

– Paul Seabright, a professor of economics at the University of Toulouse

Yes, we have grown up with such sayings. But how well do they participate in today’s life and, more importantly, trust our colleagues within our corporation?

Never mind loving our neighbour; many of us don’t even know who they are or who lives next door.

And while we might cherish the idea of living in a warm and welcoming community, it seems that we have a hard time going out of our way for strangers when it comes down to it.

Trust in society has been identified as very beneficial. However, trust is also very susceptible.

In an article titled “Trust Thy Neighbour: Exploring Information Sharing in Anonymous Urban Settings to Support Trust Generation(Peter Conradie, Stephanie Neumann and Jonas Breme article), they state there are two types of support trust:

  1. The first type of trust is built on social identification and external information that aids risk assessment. Familiarity based trust forms as a result of prolonged interaction with others. This type of trust is built through the identification of group similarities. It leads to higher trust between group members.
  2. The second is built on strategic trust, which is based on a calculation of outcomes. Establishing this type of trust depends on referring to past experiences or getting references from others who have already performed similar transactions.

One might think a person is sincere and honest, but you won’t trust them if they can’t get results. This is typically typified by politicians (familiarity). They have an abundance of intent but rarely do they deliver results (strategic).

Politicians rarely “walk their talk”, as the saying goes.

Information technology provides examples of these two types of trust.

For example, eBay ratings are an example of strategic trust being supported through a reputation system. Buyers are given information about sellers to make a strategic assessment of their trustworthiness.

Familiarity based trust generation can be illustrated by users recommending or presenting books and films.

This leads me to the following…What is an organisation?

An organisation is a “social invention” for accomplishing shared goals.

As such, organisations have people who present both opportunities and challenges.

Let me ask you a question…do you trust your boss? Whether or not you trust your boss and management probably has a lot to do with how much you perceive they support you?

But does trusting your boss leave you vulnerable?

Here is an example of where trust was misused and exploited.

Example: Enron Scandal. The Fall of a Wall Street Darling

What happened?

The collapse of Enron, which held more than $60 billion in assets, involved one of the most prominent bankruptcy filings in the history of the United States.

The Enron scandal, revealed in October 2001, eventually led to the bankruptcy of the Enron Corporation. It came about because Enron executives, with the use of accounting loopholes, special purpose entities, and poor financial reporting, were able to hide billions of dollars in debt from failed deals and projects.

The key takeaways for this scandal

  • Enron’s leadership fooled regulators.
  • Enron engaged in fraudulent accounting practices to inflate profits
  • Enron had a toxic culture and suffered from poor leadership.
  • A win at all cost mentality encouraged a culture of unethical and illegal practices

Let me ask you another question… how much do you trust your co-workers or employees?

Would you bet $400,000 on that?

Example: An New Zealand Employee Stole $400,000

What happened?

In a true story, a former employee at a bank in Queenstown, New Zealand, was convicted and imprisoned after being found guilty of stealing more than $400,000 from her then-employer.

Investigators found that she began committing her inside attack against the bank in 2010 and continued until 2013.

Creating sixteen fictional accounts with loans and overdrafts ranging from $12,000 to $120,000.

Altogether, the amount totalled $402,386.

How was she able to steal such a large amount over such a long period without being noticed?

Simply because the bank trusted her implicitly. It was built on:

  1. Familiarity trust – Working with her over time builds trust with her colleagues so they never suspect her deception. And
  2. Strategic trust – She was capable of delivering work outcomes that increased the bank’s trust level.

It seems astounding that an insider breach could go completely undetected by bank authorities and team members at such a scope over an extended period.

Human behaviour risk is one of the least understood and most uncomfortable security issues facing companies today. Yet, 85% of breaches involve the human element, according to the 2021 Verizon Data Breach Investigation Report.

Something to Think About

An organisation should be able to trust its employees. Yet, your most authorised and trusted employees are the ones with the most opportunity to steal.

And detecting a breach of trust is difficult and challenging.

Here’s something to think about…

How are you assessing and verifying your insider trust?

Are you trusting by default?

How do your colleagues and co-workers help in detecting and deterring insider risk?

Categories
Article

Snapshot Of Insider Threats Within Government

Snapshot Of Insider Threats Within Government

“Our problems are man-made. Therefore, they may be solved by man. And man can be a big as he wants. No problem of human destiny is beyond man.”

 – John F. Kennedy

As we know, Insider Threat affects both the public and private organisations.

Insider threats are one of the biggest security challenges that Government face.

The sheer complexity of Government infrastructure and the critical and sensitive value of the information Government possess makes it easy for a clumsy or a malicious insider to compromise security and potentially cause severe damage.

Some of the most significant insider threat incidents took place within Government.

  • Classified documents from Britain’s Defence Ministry containing details about a British warship and Russia’s potential reaction found in a soggy heap at a bus stop (2021)
  • A former intelligence analyst for the US Federal Bureau of Investigation (FBI) has been indicted for stealing confidential files over 13 years (2021). Classified material included documents relating to cybersecurity threats, terrorism, intelligence bulletins, open FBI investigations, human operations, and files describing the “technical capabilities of the FBI against counterintelligence and counterterrorism targets.”
  • Ex NSA worker (Harold Martin III) was charged in august 2016 for stealing 50 terabytes worth of data during two decades.
  • Office of Personnel Management (OPM) breach in June 2015 compromised 21.5 million Government records.
  • In Australia, in 2014–15 an Australian Bureau of Statistics (ABS) officer working at the Bureau’s Canberra headquarters was convicted of offences relating to the unauthorised disclosure of sensitive statistical information. Over nine months, the ABS officer provided an acquaintance in the banking industry with unpublished market-sensitive economic data, which netted approximately $7 million in illegal foreign exchange trades.
  • Edward Snowden, a former contractor for the CIA, was charged in June 2013 by the US Department of Justice with two counts of violating the Espionage Act of 1917 and theft of Government property. It was estimated that he had copied, stolen, or downloaded around 1.7 million NSA documents, according to the Department of Defense.
  • Chelsea Elizabeth Manning (Bradley Edwards Manning) in 2009 and 2010 leaked hundreds of thousands of documents, many of them classified—to WikiLeaks. As a result, she was charged with 22 offences, including aiding the enemy.

The CERT Insider Threat Centre (NITC) contains over 1,500 insider threat incidents used as a foundation for their empirical research and analysis.

Overview of Insider Threats within Federal Government

In total, CERT identified 77 non-espionage insider incidents where a Government agency was both the victim organisation and the direct employer. However, there were 34 additional incidents where an insider incident impacted an agency at another organisation.

By and large, these were incidents where a federal government organisation had employed a consultant or contractor.

The number one most observed Insider Threat incident with Federal Government was Fraud, followed by “Other Misuse”.

Insiders have a significant advantage over external attackers. This is because not only they are aware of the organisation policies, procedures and technology, but they are also often aware of the vulnerabilities.

Insider incidents are inevitable, and at some point, your organisation is likely to be compromised.

While this is unfortunate, it is a reality that must be proactively prepared for if your organisation is to withstand such threats.

Remember, there is no silver bullet in preventing insider threats. Having too many security restrictions can impede an organisation mission, and having too few may permit a security breach.

Fraud Snapshot Analysis

Around 61% of incidents impacting federal organisations involved Fraud. It included issues of fraud, waste, and mismanagement of federal funds.

  • Who?
    • 45.8% of insiders were worked with the organisation for five years or more
    • 69.4% of insiders had an authorised account, and data
    • 89.5% were full-time employees.
  • What?
    • 52.2% of the targets in Fraud incidents were related to personally identifiable information.
  • When?
    • For incidents where the attack was known (27), all involved during business hours. Half of these also involved activity outside work hours. No fraud activities were determined that only took place outside of work hours.
  • Where?
    • Around 97.6% of incidents took place on-site when attack location was known (41);
  • Why?
    • Around 97.8% committed insider Fraud because their motivation was financial gain.

As mentioned, the second most observed Insider Threat incident with Federal Government was “Other Misuse”.

Other Misuse by insiders can be described as those incidents that involve the unauthorised use of organisational devices, networks, and resources that are not better classified as Theft of IP, IT Sabotage, or Fraud.

Examples of Other Misuse include the use of organisational resources for personal benefit (e.g. obtaining access to colleagues’ emails without consent or a proper business purpose) or committing another kind of cyber-related crime (e.g. stalking or purchasing drugs), which in turn violate organisational policies.

Further Analysis

Insiders committing Fraud in Government tended to be in trusted positions and committed the incident during working hours.

The median financial impact was between $75,712 and $317,551, and three fraud incidents had a financial impact greater than $1 million or more.

Final Thoughts

Insiders who commit fraud are usually low-level employees who use authorised access during regular business hours to either steal information or modify information for financial gain. Insider fraud crimes are often long and ongoing and are bad news for the actual organisation.

Stolen information is usually Personable Identifiable Information (PII) such as payroll or other sensitive information, which is then sold to outsiders who commit the actual fraud against the organisation.

Perhaps the most notable feature of insider incidents within the Government was how prevalent incidents of Other Misuse. It is most likely that insiders that committed Other Misuse generally did so in furtherance of an additional crime.

Suggested Mitigation Strategies

  • Mitigation protection for fraud-related crimes starts with better screening and identification of employees at hiring.
  • Some insiders accumulate excessive privileges that enable them to carry out their crimes. It is therefore essential that you carefully control and audit roles.
  • If possible, enforce separation of duties with all of your critical processes.
  • A monitoring strategy for fraud should include monitoring access and data modification. May also include frequent random auditing on critical information fields.
  • Utilise user activity monitoring solutions to identify user activities that can be used to detect fraudulent activities.
  • Encourage employees to recognise and report suspicious behaviour, including outside facilitation.
  • Develop an employee assistance program that includes financial counselling.

 Need Help?

Are you experiencing an insider threat situation right now and not sure how to address it?

Are you interested in standing up an insider threat program?

If so, here is a simple two-step process for you to follow:

  1. Download the following article – “How To Develop An Insider Risk Mitigation Program In 7 Steps” – https://www.nakedinsider.com/InsiderRiskMitigationStrategy
  2. Please schedule a time to discuss your requirement.
    1. You can either call us on +61 2 6282 5554 or alternately or
    2. visit the Naked Insider website nakedinsider.comand leave your details so that we can follow up with you afterwards.
Categories
Article

The Role Of The CFO In Insider Threat Mitigation

The Role Of The CFO In Insider Threat Mitigation

“If the only tool you have is a hammer, then every problem looks like a nail!”
– Abraham Maslow

Insider threat is not always at the forefront of focus in many organisations.

There is always a consistent flow of news about companies getting attacked from the outside.

However, insider incidents do not usually get reported unless privacy law-regulated data is impacted.

The perception that “it won’t happen to us” is a common stance for leaders that don’t yet know they have faced an insider issue.

Insider threats are an intriguing and complex challenge. Some assert that it is the most significant threat facing the organisation today.

Unfortunately, insider threats cannot be mitigated solely through technology solutions.

There is no “silver bullet” for stopping insider threat.

We need to remember that insiders go to work every day and bypass digital and physical security measures.

They have legitimate and authorised access to your most confidential, valuable and sensitive information and other assets.

You have to trust them. It is not practical to watch each of your employees every move.

What threats do insider pose to organisation assets?
Let’s look at the types of insider threats that can negatively affect the organisation.

  • A malicious disgruntled employee intentionally places malware within the organisation to cause significant disruption and harm.
  • A malicious and trusted third-party insider steals intellectual property to sell the information to a foreign state.
  • An executive administrator creates a fictitious company and funnels selective projects and money to their company.
  • An unintentional insider makes an error, disregards policies or falls prey to an external attacker.

Here are two examples

  1. The August 2020 example of Tesla’s insider threat near-miss – A Russian actor attempted to hold automaker Tesla ransom by launching a devastating cyber-attackfrom inside their network. The purpose of the conspiracy was to recruit an employee of a company to sneakily transmit malware provided by the co-conspirators into the company’s computer system, exfiltrate data from the company’s network, and threaten to disclose the data online unless the company paid the co-conspirators’ ransom demand.”
  2. The Chief of Staff at The Australian National Bank pocketed $5.5 million in bribes – Rosemary Rogers, 45, worked at NAB for more than two decades, including nine years as chief of staff to CEOs Andrew Thorburn and Cameron Clyne. Investigators found that Rogers had approved inflated invoices by Human Group (her co-accused) for NAB’s event and function services over four years. She was simply motivated by greed, personal gain and self-gratification.

 

The CFO’s Role

Most CFOs understand that they need to play an active role in cybersecurity and insider threat management.

Still, many lack a complete understanding of the threats they face and the strategy to mitigate those threats effectively.

CFOs are called to adopt a dual role as they take the lead in navigating their organisation’s digital transformation journey.

They are not only at the forefront of driving strategic performance but are concerned with managing financial risk.

The role of the CFO is to oversee and manage some of the most critically sensitive and increasingly sought-after assets held within the organisation.

In short, CFOs are tasked with providing leadership and oversight, but they also create focus and define priorities.

Not only can they keep security a top concern in the C-suite, but their interaction with every department within an organisation puts them in a unique position to help ensure compliance efforts and deploy the necessary controls to defend the business against internal, external attacks.

 

The Cost Of An Insider Incident

The 2020 Cost of Insider Threats Global Report study from Ponemon Institute reveals a worrying trend in the rise of insider threats that could cripple organisations’ infrastructures.

In just two years, the number of insider threats has increased 47%, from 3,200 in 2018 to 4,716 in 2020. At the same time, the cost of these incidents has surged 31%, from $8.76 million in 2018 to $11.45 million in 2020.

To understand the full potential impact on your organisation, I have listed six types of implications that may bear against your organisation.

  1. Operational impact – Describes the result of an attack or a breach that disrupts the way your business operates.
    • At the very least, it will take your cyber and information technology people away from their regular tasks.
    • Costs:
      • Loss of productivity
      • Cost of external resources associated with the recovery process.
  1. Personal impact – Describes how a breach impacts your people. It could be emotional harm. It could be an increase in stress and anxiety. It could be an increase in job uncertainty. It could be an increase in loss of productivity.
    • Costs:
      • Cost of counselling people
      • Cost of replacing people
      • Cost of hiring people
  1. Physical impact – Describes the impact of damage to physical devices, systems, equipment, facilities and even buildings.
    • Costs:
      • Costs of repairing damaged hardware
      • Costs of replacing hardware
      • Cost of borrowing or renting physical apparatus
  1. Legal impact – Describes the impact from not being able to fulfil contractual, legal or regulatory obligations.
    • Costs:
      • Costs of penalties associated with contract breach
      • Costs of the penalties related to regulatory breaches
      • Costs of court cases
  1. Reputational impact – Describes the damage and harm to the perception of your organisation brand. Depending on the type of breach, this may also cause direct personal damage to executives and director reputation.
    • Costs:
      • Cost of loss of revenue
      • Cost of PR and communication campaigns
      • Cost of marketing campaigns to help maintain brand perception.
  1. Financial impact – Describes the impact from the breach resulting in loss to revenue and profit.
    • Costs:
      • Cost of loss money stolen
      • Cost of share price fall

It is rare only to suffer one of these types of impact. You will often find that sustaining any one type of breach will result in additional cumulative implications.

For example:

Your organisation sensitive HR data, including their full name, home address, and even their salary, was identified on the news as being exfiltrated and available for sale on the Dark web.

A privacy breach of such magnitude causes your employees to be nervous, anxious, and fearful of possibly being targeted for identity crime. Morale is down, and with uncertainty, several key staff leave the organisation, causing personal impact and loss of productivity. Some staff who are significantly hurt seek legal compensation, causing legal impact.

In the meantime, forensic experts are hired to investigate the cause of the data exfiltration. New hardware and software are procured to bolster the weak defences causing operational impact.

At the same time, the reputation of your organisation takes a hit. Shareholder’s panic, and in a frenzy, share price plummets, causing a financial impact.

While the reputation of the organisation has been battered, three key clients cancel their existing contracts fearing that their data is not safe anymore, causing further reputation damage and financial challenges.

Regardless of which types of impact a breach has occurred on your organisation, one thing is for sure – It will cost your organisation financially.

Every time your organisation deviates from its strategy and dives into tactical measures to recover from a breach, it costs your organisation time and money.

A Balancing Act

Insider threats represent a significant risk for organisations and potential attack vectors for malicious insiders and external adversaries.

Insiders have a significant advantage over external attackers. Not only they are aware of the organisation policies, procedures and technology, but they are also often aware of the vulnerabilities.

Insider incidents are inevitable, and at some point, your organisation is likely to be compromised.

While this is unfortunate, it is a reality that must be proactively prepared for if your organisation is to withstand such threats.

Remember, there is no silver bullet in preventing insider threats. Having too many security restrictions can impede an organisation mission, and having too few may permit a security breach.

As a CFO, what you can do is understand the stakes of this challenge. Take an active role in its management, and if needed, seek counsel and expertise to augment your understanding.

Five Ways CFO’s Can Help Protect Their Organisation From Insider Threats

  1. Stand up an insider risk program

An organisation can significantly reduce its exposure to the problem by building an effective insider risk program and preventing the most damaging insider attacks.

The program must implement a strategy with the right combination of policies, procedures, and technical security controls.

Management from all areas of the organisation, especially at the executive levels (legal, financial, human resource, physical, information technology, information security), must appreciate the scale of the problem and work together to enhance its ability to deter, detect, prevent, disrupt and respond to insider threats.

  1. Consider threats from insiders and business partners in enterprise-wide risk governance.

Most organisations find it impractical to implement 100% protection from every threat to every organisation asset.

Instead, consider expanding security efforts commensurately with the criticality of the information or other asset being protected.

A realistic and achievable security goal is to protect assets deemed critical to the organisation mission from both external and internal threats.

The boundary of the organisation enterprise needs to be drawn broadly enough to include all those that have a privileged understanding of and access to organisation systems and information.

Many organisations focus on protecting their assets from external parties but overlook insiders. CFO’s must recognise the potential danger posed by the knowledge and access of their insiders, and it needs to be included as part of the enterprise risk governance.

  1. Adopt positive incentives to align the workforce with the organisation

Traditional security practices focus on “negative” incentives that attempt to force compliance through constraints, monitoring and punishment.

Yet, insider’s goodwill is essential to both minimising intentional and unintentional insider threats and ensuring organizational success.

Positive incentives can complement traditional practices by encouraging insiders to act in the interest of the organisation.

Instead of just solely focusing on making sure employees don’t misbehave, positive incentives create a work environment where employees are internally driven to contribute to their organisation only in positive ways.

  1. Structure management to minimise insider stress and mistakes

Management must understand the psychology of their workforce and the demands placed upon them by leadership.

Human behaviour offers many situations for mistakes to be made, especially by those rushing to complete multiple tasks in high-stress environments.

High levels of stress in the workplace will drive ill will and greater potential for malicious activity.

The push for productivity comes at the cost of both efficiency and security. When people are pushed, they will make more mistakes, feel as if their concerns are not being considered and potentially develop a negative attitude towards management and the organisation.

To reduce the likelihood of malicious and unintentional insider threats, organisation leaders should focus less on top-line productivity and more on achieving productive outcomes and mission-oriented objectives.

  1. Accurately Judge Trust

We tend to think that human behaviour is pretty simple. Even in the most controlled circumstances, identifying how someone will behave in the future is impossible.

Someone who may appear trustworthy may encounter unforeseen life circumstances that may overwhelmingly increase the level of risk. And more importantly, we cannot expect that every person will respond in the same way.

Whether to trust or not to trust, verification is essential.

We conduct background checks on potential employees before hiring them and deciding if we trust them. However, research has shown that insider threat fraud often does not start until after an employee has worked for the company for at least five years.

You must have processes in place to continually re-evaluate that initial judgement of trust.

 Need Help?

Are you experiencing an insider threat situation right now and not sure how to address it?

Are you interested in standing up an insider threat program?

If so, here is simple two-step process for you to follow:

  1. Download the following article – “How To Develop An Insider Risk Mitigation Program In 7 Steps” – https://www.nakedinsider.com/InsiderRiskMitigationStrategy
  2. Please schedule a time to discuss your requirement.
    1. You can either call us on +61 2 6282 5554 or alternately or
    2. visit the Naked Insider website nakedinsider.com and leave your details so that we can follow up with you afterwards.
Categories
Article

Know And Protect Your High-Value Asset From Insider Threats

Know And Protect Your High-Value Asset From Insider Threats

“In Italy, age is an asset.”

-Isa Miranda

Understanding and managing high-value assets has become an essential component of an organisational risk management program.

Identifying and protecting high-value assets plays a critical role across the organisation in allocating the necessary resources to provide the most significant protection and resiliency to the information, technologies, and facilities that matter most to the organisation.

High-value assets are more than just your most valuable line items on your balance sheet.

For example:

A company’s customer enterprise resource planning (ERP) system may be valued on the balance sheet at just $450,000. Yet if that ERP system were unavailable during the trading day, it would halt the business in its tracks.

Moreover, if the contents were stolen or altered, the company would suffer severe reputational damage.

A complete understanding of high-value assets (both logical and physical) is invaluable in defending against cyber and insider attackers who will often target the critical organisation assets.

The next set of data comes from the Insider Threat Division of CERT that contains over 2,000 insider threats incidents used as a foundation for their empirical research and analysis in this article.

The diagram below shows the CERT Insider Threat Incident research dimensions, and it is divided into three segments.

Asset Owner

The asset owner corresponds to the entity responsible for an asset’s management or the subject of the asset.

The most common insider threat case types: fraud, theft of IP, sabotage and multiple. The most prominent victim is the organisation.

Fraud incidents, which make up most of the study incidents, were associated with the most significant number of targeted assets, owned primarily by organisations and secondarily by consumers.

 Asset Type

As seen in the graph below, information is the most commonly targeted asset type across all types of incidents.

Money is targeted exclusively in fraud incidents. Information is the most commonly targeted asset across all incident types.

  • Company funds, part of the “money” asset type, were exclusively targeted in fraud incidents and accounted for 11.9% of all targeted assets.
  • Proprietary information was the most common target of theft-of-IP incidents, but it was also targeted across all case types. Proprietary information accounted for 3.7% of all targeted assets.
  • Product information, classified as intellectual property, was also a common target in thefts of IP. It was also targeted across case types and accounted for 3.7% of all targeted assets.
  • Computer systems were the primary target of IT sabotage incidents, but they were targeted across all case types. Computer systems accounted for 2.5% of all targeted assets.

Classification

The classifications refer to specific kinds of sensitive data.

  • Government-sensitive data: Any data that is not classified but is otherwise sensitive and managed by a government entity.
  • Intellectual property (IP): Can refer to patents, copyright, trademark, etc.
  • Payment card information (PCI): Any account information or other personally identifiable information (PII) associated with a payment transaction or the storage of such data.
  • Protected health information (PHI):Information subject to the protections of the Health Information Portability and Accountability Act (HIPAA)/
  • Personally identifiable information (PII):Information about a person (or persons) that can be used to identify a specific person when used alone or in combination.
  • Non-public:Generally, data involved in insider threat incidents where other classifications do not apply
  • Family Educational Rights and Privacy Act (FERPA): Refers to the type of data, such as student education records, protected by the FERPA federal law
  • Federal Tax Information (FTI):A regulated class of information, with specific guidance provided by Internal Revenue Service (IRS) Publication 1075.

The graph below shows targeted information assets only, broken down by classification and known incident type. The most commonly identified classification was non-public.

What To do?

How do you go about protecting your high-value assets from insider actions?

The most basic function of an insider threat mitigation program is to protect the assets that provide your organisation with a unique advantage.

A complete understanding of high-value assets is instrumental in defending against internal actors who can easily target such assets.

One of the best ways for your organisation to know its assets and protect them from attack is to conduct an asset identification assessment.

The following questions will help you identify and prioritise the protection of your critical assets.

  1. What critical assets do you have?
  2. Do you know the current state of each critical asset?
  3. Do you understand the importance and value of each critical asset?
  4. Can you prioritise the list of critical assets?

Answering these questions will help your organisation to inventory the data and systems that must be protected.

Once critical assets are identified and prioritised, you must identify those high-risk users who most often interact with critical assets.

In conducting a behavioural risk assessment, it is essential to understand the “intent” and “capability” that an insider can harm the organisation confidentiality, integrity and availability of the asset.

For example:

  • Insiders can violate confidential information by stealing your trade secrets as well as customer information.
  • Insiders can affect the integrity of your critical asset by manipulating financial information or defacing your employee’s websites.
  • Insiders can affect the availability of your organisation assets by deleting data, sabotaging entire systems and networks, destroying backups, installing malware and committing other types of denial-of- service attacks

To effectively mitigate the risks posed by trusted insiders against your high-value assets, you must understand your organisation’s susceptibility to internal dangers.

For example:

  • Identify behaviours that are deemed unacceptable based on your security policy and standards.
  • Identify risks and consequences of such behaviours. Such as, how long would a behaviour deem as a risk?
  • Identify malicious behaviours. What level of behaviours would you deem as malicious?

Once you have completed the above two processes, you can put forward a risk mitigation program based on your risk appetite or risk tolerance.

Your strategy is to bridge your current position to the state that you would like your organisation to be in.

So, now when you put your thinking hat and decide what countermeasures are required to be put into play in mitigating insider risks, consider the following questions:

What systems, processes, and practices will you need to put into place to…

  • Predict risks that may take place?
  • Deter behaviour risks from taking place?
  • Prevent risks from taking place?
  • Detect risks from taking place?
  • Respond to risks?
  • Recover from risks?

Importantly, are you aligning the insider risk resilience strategy with your business strategy? Unfortunately, most organisations create insider and cyber strategies that are aligned with their information technology strategy.

Remember, insider threats is a business problem, not a technology problem. The strategy needs to address people risk.

How Can We Help Your Organisation?

If you want to develop an insider risk mitigation program, download “Developing An Insider Risk Mitigation Program For Your Business” – https://www.nakedinsider.com/InsiderRiskMitigationStrategy

You can also reach us in the following ways:

Categories
Article

7 Deadly Business Assumptions That Make Insider Threat A REALITY!

7 Deadly Business Assumptions That Make Insider Threat A REALITY!

We know that damage and the risk of suffering from trusted employees and business partners is certainly not a new phenomenon. While most of the stories revolve around events affecting individuals, there have also been threats from individuals that can affect the entire organisation.

This article will reveal

  • How your business could be at risk if one of these “deadly assumptions” turned out to be true.
  • How you can prevent any of these threats from materialising in your business.
  • Why turning a blind eye on internal risks could open a well of pain, reputation damage and financial loss.
HXIyvZQSSGf89ycX68tX_file-min

If these “deadly assumptions” are accurate, then you are most likely experiencing an insider incident right now unbeknown to your organisation or yourself.

Categories
Article

Seven Non-Technical Indicators That Suggest That You Have An Active Insider Threat

Seven Non-Technical Indicators That Suggest That You Have An Active Insider Threat

“ You can speak with spiritual eloquence,
pray in public, and maintain a holy appearance…
But it is your behaviour that will reveal your true character.
– STEVE MARABOLI –

When it comes to cybercrime, incidents caused by external actors dominate the news headlines. Yet, rarely is news divulged when the threat comes from “trusted” insiders and more often than not, these incidents tend to be more damaging. Furthermore, the majority of organisations are unprepared for these insider threats.

For starters, identifying and mitigating insider threats is not an easy task. On the contrary, it’ s extremely challenging. Why?… Because we are dealing with people – not machines. People are human beings who come with emotions, values, beliefs, goals and aspirations. Clearly human beings are not machines! No technology can pinpoint with definite certainty, that a person is a threat to an organisation. Think about it, no person walks into the office with a red jacket and a sign stuck to their forehead claiming that they are an insider threat.

Organisations are a collection of people who share a common purpose. People within organisations unite to focus their various capabilities and skills toward achieving personal as well as business goals.

What makes a person with a “good background” behave appallingly towards their colleagues, while another employee with “little resource” is extremely helpful and accommodating? One thing is clear, humans are not random creatures. All actions that people take, they take for a specific reason. Why do I use the word “take” instead of “do”? Because what we do is driven by a choice
that is made…to do one thing or another, which leads to an action being taken. These actions are based on the “pain-pleasure” model. People avoid
pain and seek out pleasure. This is, for certain, how humans are wired.

Look around your office and ask yourself, how many people do I really know? Isn’t it difficult to say you know co-workers when they come and go? Who is to say that the temperament you see at work is the same temperament shown at home? Isn’t it true that all you know is when they access your corporate  network, they become a user and sometimes the user and person are two
different entities.

Some people carry “personal and sensitive emotional luggage with them”. The organisation and their colleagues are unaware of these items, which makes sense, right? Why?… Because colleagues do not make it their business to know
every co-workers business. Colleagues generally focus on getting the job they are supposed to do, done. However, colleagues do share, and it can
be important to note when someone is carrying “personal and sensitive emotional luggage.” This is referred to as “personal disposition” and this disposition can be important to an organisation.

Would you know whether a colleague has an alcohol or drug addiction problem? Would you know whether a co-worker is financially challenged? Would you know whether a colleague has an addiction to gambling, or whether they are involved with criminals or criminal activities?

According to the Insider Threat division of CERT, there is a strong link between negative behaviour (personal disposition) and malicious activity. In fact, those that had committed some form of IT sabotage also exhibited personal  disposition.

FOR EXAMPLE
On 24 March 2015, an Airbus A320-211 crashed 100 kilometres north-west of Nice in the French Alps after a constant descent that began one minute after the last routine contact with air traffic control. All 144 passengers and six crew members were killed.

WHY DID IT HAPPEN? The crash was deliberately caused by the co-pilot Andreas Lubitz, who had previously been treated for suicidal tendencies and been declared “unfit to work” by a doctor. However, Lubitz kept this information from his employer and reported for duty. During the flight, he locked the pilot out of the cockpit before initiating a descent that caused the aircraft to crash into a mountain.

Personal disposition can be recognised by certain types of observable  characteristics. Observable characteristics is what this article is all about.

Before we delve into personal disposition and related behaviours, what they look like and how you can spot them, let’s briefly identify what an Insider is.

WHAT IS AN INSIDER?
An Insider is any user whether they are a trusted employee, a contractor, a  business partner, or a former employee, that has an authorised access to organisation assets. The key critical aspect of such a user is that they may still have access to organisation assets and applications, which may include confidential data.

MALICIOUS INSIDER
A malicious insider is a trusted insider who abuses their trust to disrupt  operations, corrupt data, ex-filtrate sensitive information, or compromise an IT (information technology) system. This causes loss or damage and negatively affects the confidentiality, integrity or availability of the organisation’s information and systems.

NON- MALICIOUS INSIDER
A non-malicious insider is an insider that through their actions/inactions, absent malicious intent, cause harm or substantially increase the probability of future serious harm to the organisation’s information and systems.

SO, WHAT ARE YOUR EMPLOYEES UP TO?
Detecting insider threats can be extremely difficult, particularly when you are dealing with a calculated attacker or disgruntled employee that knows all the ins and outs of your company.

So, it may come as a surprise to you that the  most common indicator of an insider threat usually takes place well before it is spotted by any security system, or detection prevention system.

 The following diagram illustrates a timeline showing different points of behaviour anomaly indicators that can be used to help detect potential threats prior to experiencing a breach.

• NON-TECHNICAL BEHAVIOUR ANOMALIES
Indicators that the behaviour of the person has changed or flipped, for example, an otherwise nonaggressive individual becoming aggressive in conversations.

• USER & POLICY BEHAVIOUR ANOMALIES
Indicators of anomalies when connected to the corporate network, for  example, spending lots of time accessing social media sites, or actions
contrary to corporate policies

• SYSTEM & DATA BEHAVIOUR ANOMALIES
Indicators of unusual system and data behaviour, for example, using analysis of metadata and other data sources such as network logs, travel reporting,  network access times, etc.

The malicious insider threat is hard to detect because employers trust their employees. To complicate matters, it is difficult to determine if employees are doing something malicious when they are the ones responsible for accessing
and using sensitive data. It is very difficult to determine if something malicious is occurring when the very individuals accessing and using the data have the authority to access it.

Further, if an employer suspects malicious intent, it is easy for an employee to claim they made a mistake and get away with it. This puts the trusting employer in a precarious situation. Let’s face it… it is almost impossible to prove guilt in such cases, and it is pretty easy for employees, especially tech-savvy ones, to cover their tracks.

The majority of organisations approaching the Insider Threat challenge use technologies such as Security Information and Event Management (SIEM), User Behaviour Analytics (UBA), or User Activity Monitoring to enable successful detection and prevention of malicious activities. There is no doubt that technology is an important part of the strategy to mitigate the insider threat. However, these technologies do not focus on identifying the physical behaviours and the “non-technical” behaviours, and as a result, even when combined they are not a complete solution.

FOR EXAMPLE
A vice president of engineering who was responsible for oversight of all software development in the organisation was engaged in long running disputes with upper management. The disputes were characterised as verbal attacks by the insider and statements to colleagues about how much he had upset management. He engaged in personal attacks and in a restaurant, screamed abuse at the CEO. A final explosive disagreement prompted
him to quit. When no severance package was offered, he copied a portion of the organisation software to removable media, deleted it from the organisation server, and removed the recent backup tapes. He then offered to
restore the software in exchange for $50,000. He was charged and convicted of extortion, misappropriation of trade secrets, and grand theft. However, the most recent version of the software was never recovered.

If the organisation in this case had recognised the disruptive behaviour as a warning sign, the organization would have recognized the potential insider threat. The organization could have secured assets and prevented substantial loss. It is important and critical that organisations recognise and realise the potential consequence of negative behaviour in the workplace.

Unfortunately, many organisations do not have any practice, procedure, or method to apply to help them identify risky behaviour within their environment.

In addition, managers and executives tend to downplay the threats posed to their organisation by their own colleagues, even when the behaviour is risky.

Of equal importance, individuals managing security operations often have very limited understanding about human behaviour; they are either unaware of what to look for, or perhaps they do not consider it part of their job.

Did you know that insiders are usually known entities? They are the familiar and trusted few, AND who could imagine that these few employees who have worked their way through the corporate high security vetting process could pose a threat? Doesn’t this formal process of review and official approval deem them as trustworthy, and remove them of suspicion? After all, they are deeply integrated employees who are designated as individuals in the fold.

In this whitepaper, I discuss the different warning signs of an Insider Threat that tend to manifest in non-technical form. These early warning signs are the indicators that you will need to carefully notice.

#1 • ARGUMENTATIVE AND ABUSIVE BEHAVIOUR

 An individual with argumentative personality that causes disruption in the workplace may be exhibiting risky behaviour. These individuals may isolate themselves from others and reject social interaction with their co-workers. Of
greater concern, they may also reject supervisory direction or counselling aimed at addressing their disruptive behaviour.

Some people use aggressive behaviour and believe they are being assertive. This may be due to a lack of self-confidence or self-worth, or it could be due to conditioning in the way they were brought up. Some people are not aware that they are perceived as aggressive

INDICATORS TO WATCH


• Signs of temper and frustration;
• Excessive use of profanity, bad language
and expletives;
• Verbally complain about the organisation;
interested in voicing their opinion;
• Chronic blaming, others are always at fault;
• Closed to other opinions, rarely consider
anyone else’s view and may even feel
threatened;
• Defensive;
• Not concerned about how their actions may
impact others;
• Controlling or interested in being the one in
charge, and interested in power over others;
and
• Hard on machinery and equipment, office
items, stationery.

#2 • DISGRUNTLED BEHAVIOUR

Employees (or former employees) who feel unfairly treated, resentful or have a “chip on their shoulder” could seek revenge by acting out against their company, co-workers, partners, or customers.

The employee may have a grievance pending or a history of filing grievances. These employees tend to blame others for the results of their own actions and refuse to accept responsibility. Their perceived mistreatment or bias could ignite violent behaviour.

One in four full-time workers have been harassed, threatened or attacked. Of that group, co-workers were most often harassed, followed by customers.

An employee may express outrage and blame of others through direct or indirect threats. They use direct intimidation, verbal and written threats to
create fear, stress and anxiety in their targets.

Here are examples of direct and indirect threats:

INDICATORS TO WATCH


• General tardiness (late to work; making more
mistakes; constantly missing deadlines);
• Frequent conflicts with colleagues
and management;
• Verbal or physical abuse in the workforce;
• Unmanaged anger or stress; signs of
agitation, impulsiveness, physical and
manhandling their equipment; damaging
property;
• Paranoia; they suspect that others are
conspiring against them. Look for signs that
they feel “unappreciated” by the organisation;
• Bullying behaviour; and
• Threats against colleagues and others.
This could be verbal and physical threats.

According to the Insider Threat Division of CERT, of those who committed Insider Threat Sabotage, 30% had a personal disposition of previous arrest, 18% for violent offenses, and 11% for alcohol-drug related offenses.

#3 • CHALLENGING AND VIOLATING CORPORATE POLICIES

Employee compliance with corporate policies is a major concern for an organisation. Violating corporate policies increases the vulnerability of
the organization, and weakens the viability of the organization to achieve its desired goals. Violating corporate policy significantly increases the chance
of security breaches.

Employees who are aware of their organisation’s corporate policies and deliberately choose to violate the policies are particularly problematic.
Even though an employee may have good reason to ignore policy (e.g., those who chose convenience and productivity over security), violating policy is “no doubt” challenging and dangerous for the organisation.

According to CEB, more than 90% of employees violate policies designed to prevent data breaches.

INDICATORS TO WATCH


• Overtly disagrees with the corporate policy
by deliberately disobeying;
• Falsifies statements and acts dishonestly;
• Steals unauthorised property from the
employer, fellow workers or customers
regardless of the value;
• Intimidates colleagues, verbally or physically;
• Excessive absenteeism;
• Continuous pushing against corporate
boundaries, for example, taking long lunches;
Wastes time and impacts productivity
for others;
• Makes discriminating remarks or sexual
harassment;
• Commits violations of work safety rules;
• Works odd hours; and
• Tries to perform work outside their normal
duties.

#4 • DECLINE IN WORK PERFORMANCE

Every employee can expect to have a bad day occasionally, after all, who hasn’t? However, if that bad day continues and a negative pattern develops, this may indicate a larger problem that requires urgent attention.

Sometimes employees take the initiative to contact their employer for help addressing personal problems. If lucky, the employee may even seek their Employee Assistance Program if the organisation provides such resources.

Troubled workers can impact everyone around them, and this can lead to conflicts within team members. Conflict reduces team productivity, and simply put, places the organisation at risk.

INDICATORS TO WATCH


• Poor fit with organisation values.
For example, the insider dislikes their job;
• Poor fit with the organisation culture.
For example, the insider dislikes the
organisation ethos;
• Difficulty negotiating and reaching agreement;
• Complaints about job fairness;
• Complaints about job satisfaction;
• Complaints about inadequate compensation;
• Complaints about organisation opportunities;
• Complaints about the workload;
• Signs of frustrations, such as not wanting
to work with people;
• Signs of stress, such as emotional exhaustion;
• Apathy towards others, late on deliveries
and lack of timeliness;
• Large mood and emotional swings;
• Signs of poor physical conditions;
• Unable to manage time;
• Constant socialising;
• Unusually frequent trips and vacations; and
• Unexplained changes in financial circumstances.

FOR EXAMPLE
A former employee administrator at a university institute deleted 18 months of cancer research after quitting because of personality and work ethics  differences between himself and management. On numerous occasions, he had displayed aggressive and malicious behaviours (non-technical) before quitting his job. He was not liked. He was described as very lazy and constantly complained. A few days after quitting, he returned to the lab. Fortunately for the employer, his badge had been disabled. Unfortunately, he asked an  employee who recognised him to let him in, and once inside the building, he used a key that had not been confiscated to enter the office and delete the
cancer research data.

In this case, the employee obviously exhibited concerning behaviours in the workplace well before the breach/deletion of data took place.

#5 • UNAUTHORISED ACCESS

Although we place a huge amount of trust in colleagues at work, insiders pose a substantial threat due to their knowledge of, and access to employer’s systems and information. They can bypass physical and electronic security measures through legitimate means every day.

And, if they are motivated to seek out an advantage, to benefit or even profit from an opportunity (personal gain), they will find ways to achieve their goal/s.

Here are some clues on what to watch:

INDICATORS TO WATCH


• Perform activities that are not part of their
current job role;
• Make decisions on behalf of colleagues without
being authorised to do so;
• Snoop at other individuals desks and work
areas;
• Interested in viewing confidential information
without permission;
• Extensive and frequent phone conversations;
• Allow unauthorised external people into
sensitive work areas;
• Ask colleagues to obtain critical assets when
they do not have authorisation;
Ask colleagues to provide access to sensitive
areas for which they are not authorised access;
• Utilise the photocopier excessively above their
normal frequency;
Try to use other people computer devices;
• Take organisation stationery for home use
without permission;
• Take organisation IT devices for home use
without permission;
• Take other people keys or access cards;
• Tailgating other people;
• Door propping;
• Use their phone to take pictures of people,
systems and information;
• Introduce their own devices into the system
without authorisation. For example, introducing
their own portable storage disk drive onto the
corporate network; and
• Run their own business within the employer
organisation.

FOR EXAMPLE
A programmer at a telecommunication company was angry when it was first
announced that there would be no bonuses. He then used the computer of the project lead (who sat in a cubicle and often left his computer logged in, in the unattended area), to modify the company’s premier product. Six months later,
the insider left the company for another job.

Six months after that, a “logic bomb” (malicious insertions) detonated preventing the software from working.

In this case, the employee obviously exhibited disgruntlement behaviour and also accessed unauthorised equipment that didn’t belong to him.

#6 • STRESS BEHAVIOUR

Who hasn’t gone through a major life event? Life events can literally shake up your world for better or for worse. Major life events can lead to a very high level of stress, and this stress combined with the additional level of stress that is within the organisation may cause major health issues such as loss of memory, immune deficiency, obesity, and more.

Stress has become a serious concern for organisations because it can cause lower productivity, higher rates of turnover, worker conflict, increased workers compensation claims, and legal expenses.

Stress reactions are unique to every individual and are the behavioural consequences of their environment.

Below is a small list of possible stress events

  • Home relocation;
  • Foreclosure of mortgage;
  • Change in financial state, for example,
  • Bankruptcy;
  • Divorce;
  • Change in religion;
  • Change in health of family members;
  • Death of one or more close people;
  • Midlife crisis;
  • Downsizing or moving office;
  • Merging with another organisation;
  • Change in responsibilities;
  • Major life changes;
  • Legal challenges; and
  • Being recruited by outside criminals.

INDICATORS TO WATCH

  • Interpersonal conflicts;
  • Personality clashes;
  • Depression signs;
  • Pessimistic and cynical;
  • Complaints about sleep;
  • Complaints about digestive problems;
  • Skin conditions;
  • Weight problems;
  • Thinking and memory problems;
  • Poor judgement; and
  • Anxiety and constant worrying.

#7 • REGULAR STATE OF INTOXICATION OR SUBSTANCE ABUSE

Drug abuse affects people from all walks of life and socioeconomic statuses. Whatever the reason a person starts taking drugs, tolerance and dependency can develop quickly, before the user realises the pattern of addiction taking hold. When tolerance becomes full-blown addiction, it can be extremely difficult to stop the pattern of abuse.

Breaking free from the hold of addiction often requires outside help. Drug abuse wreaks havoc on the body and mind. Addiction can have severe repercussions for individuals, their families and possibly colleagues.

INDICATORS TO WATCH


• Smells of alcohol or other related substance;
• Dishevelled appearance;
• Difficulty controlling their body;
• Difficulty paying attention;
• Drowsy, dozes or sleeps;
• Brings alcohol or some other substance
to work;
• Abrupt weight changes;
• Argumentative attitude;
• Obnoxious and disorderly behaviour;
• Annoys colleagues;
• Change in personality – becomes bad
tempered or aggressive;
• Signs of depressive behaviour;
• Signs of lethargy;
• Financial problems that could lead
to criminal activities.

SUMMARY

The above behaviour patterns should be considered as red flags and should be taken extremely seriously.

Although these behaviours may be unusual, (remember these behaviours are observable by someone, and they are non-technical behaviour indicators), they may not point to an insider threat situation, but may potentially identify a symptom of an emotional challenge (personal disposition).

Either way, such behaviours do require being noticed and need to be raised with management and the Insider Threat team.

In addition, I would recommend utilising tools at your disposal to collect other data from other sources whether they be technical or nontechnical to ascertain whether the observed behaviour is really an insider threat.

WHAT CAN BE DONE?
There are a number of areas where an organisation can start the task of reducing the potential risk of insider threats.

1. Insider Threat Awareness
The key to achieving success noticing and identifying insider threats is to diligently monitor these behaviour signals from the start. All this requires is to raise insider threat awareness organisation wide. When you “See Something”, you “Say Something” awareness.

Insider threat awareness training needs to be available for everybody including contractors and 3rd party organisations. It should be given during the onboarding process and refreshed at least yearly. Its primary aim is to keep insider threat at  the forefront of employee minds as they go about
their day-to-day work lives.

Topics for employee insider threat awareness
should include some of the following:


• Types of insider threats;
• How an organisations staff may be targeted;
• Methods that adversaries use to recruit
trusted insiders;
• Acceptable user behaviour as an employee
and as a user on the network, including
social media;
• Consequences if acceptable user behaviours
are violated;
• Organisation intellectual property (IP) policies
and employee responsibilities to protect
organisation data and IP;
• Unintentional insider threats: What they
are, how they happen and general security
precautions;
• How to identify inappropriate behaviour,
eg. Indicators;
• Employee responsibilities regarding
reporting incidents;
• The importance of engaging all employees
to prevent malicious insider activities;
• Consequences if insiders displaying risky
behaviours are caught; and
• An area for shared distribution of insider
threat awareness material – website; staff
board; promotional materials; regular
training; posters; login banners; discussion
groups; exercises that occur at random
and test an employee’s knowledge.

2. User Employee Assistance
Another positive intervention strategy is an employee assistance program. These programs should be offered by organisations as an employee benefit, to assist employees in dealing with personal or work-related issues that may affect job performance, health, and general well-being.

Employee Assistance Programs can include counselling services for employees and / or their families.

3. Employee Engagement Program
Effective mitigation against insider threats by insiders requires the adoption of two driving concepts/programs.
>> Negative Deterrence Programs; and
>> Positive Deterrence Programs

Deterrence focuses on making potential adversaries and even Insiders think twice about placing the organisation at risk (whether it be malicious or non-malicious actions).

Negative incentives attempt to force employees to act in the interest of the organisation and when relied on excessively, can result in negative unintended consequences.

Positive incentives can complement traditional practices by encouraging employees to act in the interest of the organisation either extrinsically (through reward & recognition) or intrinsically. Positive incentives create a work environment where employees are intently driven to contribute to the organisation in a positive way.

Organisation Support is the foundation of positive deterrence. With this in place, Connectedness with co-workers and Job Engagement serve to strengthen employee commitment to the organisation.

Employing the right mix and ratio of positive and negative incentives in an Employee Engagement Program can create a net positive for both employee and the organisation.

NEED HELP?

Are you experiencing an insider threat situation right now and not sure how to address it?

Are you interested in having an Insider Threat Training Awareness Program conducted for your organisation’s employees?

Are you looking to become proactive and more effective in managing insider threats?

If so, let’s schedule a time to discuss how we can help you.

You can either call us on +61 2 6282 5554 or alternately, visit our Naked Insider website www.nakedinsider.com and leave your details so that we can follow-up with you afterwards.

Categories
Article

What Must You Do To Counter Corporate Espionage?

What Must You Do To Counter Corporate Espionage?

When you are in a small boat, you can see who’s paddling hard and who’s looking around.
Ev Williams

Corporate Espionage is often depicted as the stuff of movies, but in reality, organisations worldwide are having information stolen from their networks.

Corporate Espionage can be referred to as industrial Espionageeconomic Espionage or corporate spying is the practice of using espionage techniques for commercial or financial purposes.

We usually think of “espionage” in terms of spies working on behalf of one government trying to get information about another. But in fact, many of the same techniques and even many of the same spies work in both realms.

Interestingly, one doesn’t hear much about corporate Espionage in the news.

If a corporation admits that it has been the victim of cloak and dagger activities, it appears vulnerable. This could potentially attract more “freelance” espionage based on the company being an “easy target.” It also shakes shareholder confidence.

Corporate Espionage is a much more compelling headline than an earnings report, so the news of a breach would almost certainly receive negative reputation publicity that would cause the company’s stock price to drop.

The simple form of corporate Espionage happens every day. People joining new organisations or leaving them tend to either take information to their new employment or start their own competing business or take to a foreign government or organisation.

What is the difference between Industrial and Economic Espionage?

Industrial Espionage

This occurs when a person or party gains access to a company’s information illegally, unethical, or constitutes unlawful business practices.

The term “espionage” is a synonym for the term “spying”.  Industrial Espionage includes the unlawful observation of company activity, unlawful listening (such as a wiretap), and unlawful access to company information, which all constitutes spying on the company.

But not all such Espionage is so dramatic. Much of it can take the simple form of an insider transferring trade secrets from one company to another. For example, a disgruntled employee or an employee who has been hired away by a competitor then takes information with them for their advantage.

Examples:

  1. IBM vs Hitachi / Mitsubishi

In the 1980s, IBM won a court case against Hitachi and two of its employees and Mitsubishi for Industrial Espionage. Hitachi was charged with conspiring to steal confidential computer information from IBM and transport it to Japan.

  1. Gillette vs Competitors

In 1997, a man from Washington, Iowa was charged with wire fraud and theft of trade secrets from Gillette who then disclosed technical drawings to Gillette’s competitors in the razor market.

  1. Ferrari vs McLaren

In 2007, McLaren, the leading team in the Formula One championship, was fined $100 million for cheating in using data obtained from Ferrari, its main rival, to improve its car.

Economic Espionage

Is the unlawful targeting and theft of critical economic intelligence, such as trade secrets and intellectual property.

The term refers to the covert acquisition or outright theft of invaluable proprietary information in several areas, including technology, finance, and government policy. 

Economic Espionage differs from industrial Espionage in several ways. It is likely to be state-sponsored, have motives other than profit or gain (such as closing a technology gap), and be much larger in scale and scope.

Examples:

  1. F-22, F-35 and the C-17

Chinese spies stole critical design information about America’s top military planes. This was verified according to top-secret documents disclosed by former US intelligence contractor Edward Snowden.

  1. Tesla vs Xpeng Motors

Tesla filed a lawsuit in 2019 against a former engineer at the company, claiming he copied the source code (300,000 files) related to its Autopilot technology before joining a Chinese self-driving car start-up.

  1. China Aeroplane

To establish a foothold in the aviation industry by building its own “Chinese” commercial passenger plane, they instituted a coordinated, targeted approach in gaining the necessary technology.

Using hackers, cybercriminals, Chinese intelligence as well as recruiting insiders to steal critical designs from different manufactures (Engine – CFM; Flight Control Systems – Parker Aerospace; Flight Recorder – GE; Airframe – AVIC; Fuel System – Parker Aerospace; Landing Gear – Honeywell; Tire – Michelin; APU – Honeywell; Cockpit – Eaton; etc.).

In 2018, 10 Chinese individuals conspired to steal aerospace trade secrets from 13 western companies, most of the U.S. based.

  1. China vs World

In 2020, a leaked document containing a list of 1.95 million Chinese Communist Party members. In the list of names of CCP members who have infiltrated top corporations and high government levels in the US, UK and Australia.

What do assailants want?

As you have seen by the above examples, they do not want the company’s money. No, there is something far more valuable that is deliberately targeted by such attackers.

They tend to target the company’s most valued asset – Their intellectual property, whether it be their unique designs, methodologies, processes, plans, inventions, trade secrets, patents, databases or other valuable benefits.

What are the different types of methods used to acquire their target asset?

Most organisations that find themselves suffering leaks probably as a result of their negligence and carelessness.

A competing organisation or nation-state that has targeted its victim will use different means to extract that asset.

  • Through a coordinated approach, “contractors” (such as hackers, cybercriminals) are hired and assigned particular interest theft.
  • They will recruit company insiders, or even coerce employees to aide their hacking efforts using blackmail or threats against families living at home.
  • They will also try and place critical people within organisations as employees.

Many threat actors are circumnavigating target organisations by breaching them via trusted partners, business associates and other third-party networks.

Example: SolarWinds Attack

Thousands of organisations have been affected by a supply chain attack that compromised the update mechanism for SolarWinds Orion network monitoring software in order to deliver a backdoor Trojan.

The attackers were able to compromise the update process of a widely used piece of SolarWinds software there by affecting organisations such as the Pentagon, the Department of State, the Department of Homeland Security, Microsoft, FireEye, Cisco and many others.

 As the saying goes “Why bother to hack into a software company when you can just order it to install malware in its products?

As ever, these organisations are persistent and inventive. If they can’t get in one way, they will keep trying until they find another.

Suggested Mitigation Recommendations

Because of this threat’s comprehensive nature, here are ten effective tactics that you can adopt to reduce the risk of corporate Espionage.

  1. Identify critical assets – This not only involves looking inward but looking outward as well. Organisations cannot deduce their asset’s actual value until they understand how it is also perceived from the outside.
  2. Identify the threat actor – Who are the actors that may want your asset? Is it competitors, partners, hackers, activist groups, foreign national state or even a client?
  3. Ensure physical security – Organisations should ensure that the physical security of their offices, equipment and infrastructure. This means setting up surveillance and utilising specialised security personnel. Importantly, the organisation needs to identify the most sensitive facilities and ensure they are given extra protection layers.
  4. Create security policies – Organisations should establish policies on what information employees can share inside and outside the workplace. It is essential to identify mission critical roles in the organisation and estimate their exposure to espionage risks. Establish the necessary corporate practices to communicate, train staff in the rules developed, governance and security operations.
  5. Judge access – Implement the need-to-know principle for defining access rights and establish controls to monitor misuse of privileged profiles.
  6. Conduct background check on employees – Organisations should conduct background checks on all employees with access to the sensitive asset. This may even include often-overlooked individuals such as janitors, caterers, and groundkeepers.
  7. Conduct employee monitoring – Organisation needs to monitor the actions and activities of employees. Organisations need to ensure that members of their team are truthful and loyal to their employers.
  8. Establish employee exit procedures – Organisation needs to develop comprehensive employee exit policies. Most cases of intellectual property theft perpetrated by employees occur 30 days before resignation and 30 days after.
  9. Ensure cybersecurity practices – Corporate Espionage is increasingly becoming the domain of the cyber realm. The organisation must maintain a robust cybersecurity framework.
  10. Consider Threats From Trusted Business Partners – While it might appear that outsourcing business functions will result in cost savings, expertise and other benefits, be sure to factor the threats that they may pose to your business.

The world of corporate Espionage is very real and very different from what one would expect.

It is far from glamorous, lacking both gunfights and fast women, but it concerns companies.

The temptation for gains, advantages and rewards in stealing the asset is strong, so corporate Espionage will continue, whether we hear about it or not.

How Can We Help You Address The User Risk?

Did you know that you have trusted people that are exposing your business to harm right now?

Are you interested in identifying risky behaviour by your employees or other

trusted business partners?

Now, with a User Threat Assessment, we can provide you with insights in a limited 30-day engagement and get one report assessing your organisation and its most significant risks.

  • We will provide you with the visibility and analytics, allowing you to understand where your data is living, how your users interact with it, and where and how it’s leaving the organisation. You’ll also get an understanding of how users behave both on and off the corporate network.
  • Your assessment will also show whether your employees are circumventing security policies and controls.
  • We will find and elevate your highest risk users for inspection and find out where you need to be investing your security resources to get the best results.

What is the process?

  1. Simple deployment – We will deploy a specialised monitoring tool on the selected endpoint of your choosing. The agent is lightweight enough to deploy in mere hours and will have no noticeable performance impact.
  2. 30 days of Collection – We will monitor your endpoints, collect user activity data, and analyse that data
  3. Your Threat Report – Once the 30-day data collection period is complete, we will review the findings and alerts and compile an executive summary & detailed report highlighting your organisation’s most prominent risks.

Our Guarantee

100% of Threat Assessments that we conduct have found some form of undetected, unaddressed security threat. Find out what’s happening in your organisation or pay you $1,000 to your nominated charity.

Your Next Step

To request your assessment, please fill in the contact form:  https://www.nakedinsider.com/user-threat-analysis or email us

Categories
Article

Do You Know Where Your Data Is?

Do You Know Where Your Data Is?

Identify, Classify And Protect Your Assets

“If you fail to plan, then you plan to fail” is the adage.

The task of identifying assets that need to be protected is a less glamorous aspect of information security. But unless we know these assets, their locations and value, then how are we going to decide the amount of time, effort or money that we should spend on securing these assets?

Real case scenario

A former Dallas hospital guard was charged for breaking into the computers, planting malicious software and planning a distribution-denial-of service (DDos) attack.

The majority of the insider unauthorised activities involved a heating, ventilation and air conditioning (HVAC) system containing confidential patient information.

This HAVC was located in a locked room, but the insider uses his security key to obtain physical access.

The insider installed malware to allow unauthorised individuals to remotely access and take control.

The malicious insider activities caused the HAVC system to become unstable, which eventually led to outages.

The insider was caught after he posted pictures on the Internet of the compromised HVAC.

The case illustrates how a single computer system caused a significant amount of damage to an organisation. Modifying the HVAC could have potentially been life threatening.

The point is, the HVAC computer was located in a locked room, rather than a data centre or a server room. Secondly, If the organisation had fully realised the potential impact, it could have implemented additional controls to prevent this type of attack

The essential function of any organisation business is to understand it’s critical assets and to ensure its confidentiality, integrity and availability (CIA).

Critical assets can be thought of as something of value that which if destroyed, altered, or otherwise can cause major harm to the organisation.

Critical assets can both be physical as well as logical

  • Facilities
  • Technology
  • Information
  • People

A complete understanding of critical assets (both physical and logical) is valuable in defending against attackers (whether they are insiders or outsiders) who will often target the organisation critical assets.

The following questions will help you identify and prioritise the protection of your critical assets.

  1. What critical assets do you have?
  2. Do you know the current state of each critical asset?
  3. Do you understand the importance of each critical asset?
  4. Can you prioritise the list of critical assets?

Once critical assets are identified and prioritised, you must identify the high-risk users that interact with these assets.

A question that you must ask – What could a user that has authorised access to the critical asset do either intentionally or unintentionally to cause harm?

By answering this specific question to every critical asset will help you drive the right control and policies that need to be set.

Real Breach Example: Data leakage

Date of Breach: 16th of October, 2019

Over 1.2 billion records of personal data have leaked online in a massive security breach. The leaked data contains email IDs, employers, social media profiles, phone numbers, names, job titles and even geographic locations.

The exposed data comes with an index which suggests it was essentially sourced from a data enrichment company called People Data Labs. The unprotected Elasticsearch server contained as many as 622 million unique email addresses, researchers added.

Your Next Best Step

Let’s start by focusing on one of your key assets – Data.

  • What type of data is processed (medical information, personally identifiable information, credit card numbers, intellectual property, inventory records, etc)?
  • How valuable is the data?
  • What type of devices process this data (workstations, servers, mobiles devices, etc)?
  • Where is the data stored?
  • Where is it processed?
  • Where is it transmitted?
  • Which insiders can access this data?
  • What malicious actions can insiders put this data ta risk?
  • What unintended actions can insiders put this data at risk?

Answering these questions will help you to inventory the data and systems that must be protected from various attacks.

Data Discovery Scan Service

If you find the above a challenge due to time and resource constraints, consider that Naked Insider can offer this service for you.

While I’m guessing that you have reasonably good visibility and the idea of where your critical and sensitive data resides, you may not be aware of other sets of information. These ad-hoc data sets may have been generated over time and maybe sitting on someone’s laptop, but how would you know? And what is the risk to your business and your reputation?

The data discovery scan is a fast and easy way to scan your network and identify the precise files containing sensitive data and their location. The entire process can be completed within a couple of days.

What is the value to you?

  • Develops a top-level data classification view of stored data. For example, all files containing credit card info, tax file info, Intellectual property, with the ability to drill down into each category to the actual file and its location.
  • Detect wrongly classified and located sensitive files. Users tend to place sensitive files in wrong locations which might be unsecured. The scan helps to detect these files for protection.
  • Identify key locations having the highest concentrations of sensitive files.
  • Identify legacy data that should either be archived or destroyed based on compliance.
  • Helps to identify all sensitive files and their locations which can be provided to each department head to ensure they have visibility of where their data is.

Interested?

Interested in finding out what the process is?

Interested in seeing a sample report?

Interested in knowing what your investment is?

Contact us at sales@nakedinsider.com  with a subject line “Data Discovery”

Categories
Article

How Tiny Habits Compounded Add Security Resiliency To Your Business

How Tiny Habits Compounded Add Security Resiliency To Your Business

Compound Interest Is The Eighth Wonder Of The World’

Albert Einstein

Let me start with a description of what is “Power of Compound” all about…

Suppose you invest your money and make returns on it. The compound takes effect when you reinvest the interest rather than take it as a payout.

This means that interest in the next period is earned not only on the principal sum but also on any interest that was previously accumulated.

Imagine, you invested $1 and received a 10% return per day. The start of the next day, you would then have a $1.10. Now that $0.10 doesn’t look much in the scheme of things.

But the magical element of compounding is the effect of time.

  • By the end of 7 days, your total tally would be $1.77
  • By the end of 31 days, your total would be $17.45
  • By the end of 100 days, your total would be $12,527.83
  • By the end of 150 days, your total would be $1,470,652.58

Here is another fun video explanation prepared by Tony Robbins of the power of compound when it comes to a game of golf – Click HERE

Now, I know what you may be asking me … what has this got to do with managing security risk of all things?

Let me explain this in another metaphor – Teeth cavities

We realise how important in having the right mouth hygiene. It is easy to brush our teeth. Yet, we know perfectly well that even if we brush our teeth daily, it doesn’t guarantee that cavities won’t happen.

What we have done here is managed and reduced the risk of severe mouth ailment. The alternative is an expensive and painful visit to the dentist.

What is the secret here?

Discipline! It’s the daily and consistent application of the same action.

So here’s a novel thought: What if the principle of compounding could use the same powerful principle to improve other areas of your life – not only money but also knowledge, health, relationships, cybersecurity and insider risk management?

The power of compounding is hard for us to get our heads around. We tend to understand about find it taxing to act on it.

Human nature conspires against us when it comes to benefit from compounding.

All of us can build our knowledge, but many of us don’t put in the effort.

Reading a book won’t make you smart overnight. But reading one today and over time, will improve your odds of becoming an expert in the future.

Adopting healthy eating habits won’t turn you into a picture of health in the next 24 hours. But eating well over time may ensure your future well-being.

Whether it’s making money, gaining knowledge or staying healthy, harnessing the power of compounding comes down to one thing: adopting the right habits.

The same is true is when it comes to cybersecurity and insider risk management practices.

And this is where I want to introduce you to a Japanese word – Kaizen

Kaizen (Continuous Improvement) is a strategy where employees at all levels of a company work together proactively to achieve regular, incremental improvements. In a sense, it combines the collective talents within a company to create a powerful engine for improvement.

Kaizen is a part action plan and part philosophy.

  • As an action plan, Kaizen is about organising events focused on improving specific areas within the company. These events involve teams of employees at all levels.
  • As a philosophy, Kaizen is about building a culture where all employees are actively engaged in suggesting and implementing improvements to the company.

 Let me ask you a question. What is your organisation approach to Kaizen? How are you committed to continual and ongoing improvements daily?

If you want to drive cybersecurity resiliency, you need to ask yourself the following questions (non-exhaustive):

  • How can I maximise existing security investment to better able to detect and prevent threats?
  • How can I make my processes more efficient and effective?
  • How can I simplify my corporate policies so that all employees are better able to understand organisation culture?
  • How can I increase the level of communications within my organisation so that I reduce misunderstanding and confusion?
  • How can I reduce the level of complexity within my systems, tools and infrastructure so that it is easier to manage?
  • How can I respond to cyber threats today better than I did yesterday?
  • How can I raise greater cyber awareness within the organisation better than I did yesterday?

If you want to drive insider risk management resiliency, you need to ask yourself the following questions (non-exhaustive):

  • How do I gain greater visibility and understanding into the human behaviour within my organisation?
  • How do I get better visibility and identify internal risk in real-time?
  • How can I increase the deterrence of insiders from committing a malicious act?
  • How can I close the doors to unauthorised data exfiltration better?
  • How can I better respond to red flag scenarios?
  • How can I anticipate and manager better negative issues in the work environment?
  • How can I increase the level of trust within my organisation?
  • What plans and steps that I can introduce that will increase employee engagement?
  • What tools, learning and support can in introduce that will reduce unintentional incidents?
  • How can I help employees to act in the best interest of the organisation?

In Summary

In today’s world, a certain amount of improvement is necessary just to keep up with the rapid pace of change. New technologies are announced nearly every month. New manufacturing techniques are discovered even more often. New words come into use anytime a trend or fad catches on. And what we learn about ourselves, about our health and our capacity for human thought, continues unabated.

Improving is, therefore, necessary simply to survive. But to thrive, as successful people do, a more dedicated approach to improvement in small increments.

Whenever you set out to improve your skills, change your behaviour, or better your family life or business, beginning in small, manageable steps gives you a greater chance of long-term success.

Doing too much too fast not only overwhelms you (or anyone else involved in the improvement), it can doom the effort to failure and thereby reinforcing the belief that it’s difficult, if not impossible, to succeed.

When you start with small, achievable steps you can easily master, it reinforces your belief that you can simply improve – The Power of Compound!

 How Can We Help you?

Interested in identifying strategies in how your organisation can increase its effectiveness and ability to prevent, detect, deter, disrupt and respond to insider threats? Download our free strategy paper – How To Develop An Insider Risk Mitigation Program In 7 Steps?

Take The Challenge

How resilient do you think is your organisation from insider threat harm? How READY is your business capable of detecting, preventing, deterring and responding to insider threats?

Would you be interested in finding out how you compare to your industry peers? Would you be surprised to know that most organisations that have taken this assessment are somewhat vulnerable?

What tiny steps and habits could you start today that would make a big difference to the resiliency of your organisation?

Contact us by filling out the form of the CommsNet Group website to discuss your requirements: https://commsnet.com.au/contact-us 

Categories
Article

When It Comes To Security, Simplicity Is Always Better Than Complexity

When It Comes To Security, Simplicity Is Always Better Than Complexity

If You Can’t Explain It Simply, You Don’t Understand It Well Enough.

– Albert Einstein

We all know “simple” when we see it, touch it, or use it.  It gets to the core of what things indeed are with little effort.

On the other hand, complexities we encounter everyday force us to limit our visual consumption, to dismiss, discard and ignore things we don’t instantly connect with.

Johny Ive (ex-Chief Design Office for Apple) once said – “simplicity isn’t just a visual style. It’s not just minimalism or the absence of clutter. It involves digging through the depth of complexity. To be truly simple, you have to go deep…You have to deeply understand the essence of a product to be able to get rid of the parts that are not essential”.

There is power in simplicity. We know it. We see it. We feel it.

If you are into sport, you will be amazed by Lionel Messi or Michael Jordan skills. Both can take the complexity of their sport and make it look “artless”.

If you are into music, composers such as Wolfgang Amadeus Mozart made music into such simplistic and memorable harmonies that they are with us forever. Such as “twinkle twinkle little star” which is based on his twelve-bar variation composed in 1780.

In essence…the easier something is to understand, the easier it is to share it.  And the easier your message is to share the more people you can impact.

But simplicity does not mean easier.

And it’s important to realise that in the words of Steve Jobs:

“Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.”

The world around us is changing at a rapid pace. Complexity is increasing significantly in this increasing interconnected, digitization and data sharing world.

Today, simple tasks like using a credit card, a phone, or a computer now provide an opportunity for miscreants to take our money, our identities, and cause significant severe disruption to our lives.

Unfortunately, our neighbour is now the entire globe.            

As the world evolved and became more technological, attacks evolved along with the new developments.

Let me ask you today… what do you think when you hear the word “security”? Do you think of security arm guards, dogs, fences, monitoring cameras or do you think of firewalls, a myriad of security software tools, malware, hackers, data leaks, regulation, cryptocurrencies, cybercrime and more?

It is not a surprise that we have developed an equally evolved, complex cybersecurity system.

One Australian organisation told me that they were managing at least 28 different security technologies for an organisation the size of 1,200 staff.

It’s no surprise that this organisation was struggling to deliver real effective business protection and value.

The world of complexity is particularly problematic. It hinders innovation, collaboration and the ability to share information. It suppresses development and hampers customer services. It creates confusion and misunderstanding.

When a business becomes more complex, it can become siloed. This results in employees focusing on their core work to the detriment of others. It builds mistrust and competition within rather than the benefit for the entire organisation.

So, why is security so hard and getting harder?

Look around, and there isn’t a single organisation out there that hasn’t increased their investment in protection solutions to prevent from being breached.

However, these efforts are falling short of what is required. Whether you are a small, local business, a global conglomerate with extended supply chains, an individual with a mobile phone, or a government department responsible for national security, your level of exposure and responsibility to prepare for threats are both increasing rapidly.

More technologies do not mean better security!

The 80/20 Way

I’m sure you have come across the 80/20 rule… Which states that 80% of your results come from 20% of your efforts and 20% of your results come from the other 80%.

Another way to look at it is:

  • 80% of your security protection comes from 20% of your security investments
  • 80% of your security incidents come from 20% of people.
  • 80% of your external threats come from 20% of the same source.
  • 80% of customer service headaches come from 20% of the “problem children”.
  • 80% of warranty claims come from 20% of the product defects.
  • 80% of your productivity comes from 20% of your tasks.
  • 80% of your traffic in your city is from 20% of your roads.

I could continue, but bear in mind it’s not the exact number 80/20. It’s the principle. Sometimes it’s 60/40 or 70/30. Sometimes it is 95/5.

If 20% of your investment provides you with 80% of the protection, why not align your security strategy to this paradigm?

 Let’s take it to another level. If you only look at the 20% of your security investments and then apply the 80/20 on that. That means 64% of your protection is derived from only 4% investment.

There is magic here if you take the time to realise this power.

Given that we have shrinking budgets and resources and yet we are asked to do more, comply more, or treat more attacks, we need to realise that continuing investment in security tools will not necessarily add protection to your business. All you are doing is adding complexity.

Everything that matters in the business or anything that you can measure isn’t linear. It’s exponential!

How Can We Help you?

It is interesting to note, that majority of security budgets (more than 80%) of organisations these days goes into security tools to prevent only 20% of the security threats.

In 2015, Verizon Data Breach Incident Response stated that “90% of all incidents are people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff…

If not to state the obvious, security is all about people. Even cybercrime is about a crime committed between people who use technology.

To get the simplicity in your security and governance, you need to consider the human element of security. That’s what we specialise.

We can help you:

  1. Shaping behaviour of people, positively so that they act in the best interest of the organisation and reduce your organisation exposure either intentionally or accidentally.
  2. Focus in maximising your return on your security investments by simplifying your strategy.

Contact us by filling out the form of the CommsNet Group website to discuss your requirements: https://commsnet.com.au/contact-us  

We are the architects of Naked Insider, the gold standard for helping highly valuable organisations and regulated corporations develop strategies to mitigate insider risk.

MENU

FOLLOW US:

Linkedin Youtube

© 2023 Naked Insider, Level 1 Colbee Court, Phillip ACT, Australia Tel: +61 6282 5554