Staff play an important role in the risk profile of every company. The frequency and cost of insider threats have increased dramatically over the past two years, whether the source is a careless or negligent employee or contractor, a criminal or malicious insider, or credential theft.
The insider threat is a growing reality for all organisations operating in the world of the internet of everything.
A couple of years ago, a major global hotel chain received a $123 million fine for leaking the data of more than 380 million hotel guests in the United Kingdom. A post-mortem on this incident attributed it to poor monitoring compounded by employee negligence; had the IT systems been secured against internal threats, the breach could have been prevented.
According to Gartner, chief information security officers (CISOs) can prevent and protect against risky employee behaviour. To combat these threats, CISOs can’t simply deploy a product, implement a process, or increase user awareness – Gartner emphasises that a multifaceted, multidisciplinary approach is required.
Employee and vendor background checks are advised, but they need to be augmented by monitoring for abnormal data exchanges. This gives CISOs the visibility that user and entity behaviour analytics provides, which is critical if the CISO is to identify potential sources of risk and develop mitigation plans.
Gartner further recommends building staff profiles, noting that incident response scenarios are derived from user profiles and personas that help identify unusual behaviour by users or groups engaged in high-risk activities.
Identifying potentially risky staff behaviour and mapping the patterns against possible responses is advised. While the scenarios will vary by organisation, common ones include installing unsanctioned software, repeated failed password attempts, and attempts to access other employees' accounts.
As the company gains a more in-depth insight into user profiles and personas, these scenarios can be made more specific. Larger organisations often have well-defined incident response plans and procedures for everyday security events.
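As an added illustration (not code from the article or from Gartner), the following rules flag the three scenarios named above over a constructed audit log. The pipe-separated log format, the software allowlist and the failed-login threshold and window are all assumptions.

```python
# Added example: rules for the three insider-risk scenarios named in the article.
# Log format, allowlist and thresholds are assumptions; the log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T09:00:05|login_failed|alice|
2024-03-01T09:00:20|login_failed|alice|
2024-03-01T09:00:41|login_failed|alice|
2024-03-01T09:01:02|login_failed|alice|
2024-03-01T09:01:30|login_failed|alice|
2024-03-01T09:02:00|login_ok|alice|
2024-03-01T10:15:00|software_install|bob|torrent-client
2024-03-01T10:20:00|software_install|bob|office-suite
2024-03-01T11:00:00|account_access|carol|dave
2024-03-01T11:05:00|account_access|carol|carol
"""
SANCTIONED_SOFTWARE = {"office-suite", "pdf-reader", "vpn-client"}  # assumed allowlist
FAILED_LOGIN_THRESHOLD = 5                   # assumed: 5 failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... within 10 minutes raises an alert

def parse_log(text):
    """Parse 'timestamp|event|actor|detail' lines into (time, event, actor, detail)."""
    rows = []
    for line in text.splitlines():
        ts, event, actor, detail = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), event, actor, detail))
    return rows

def detect(rows):
    """Return (rule, actor, detail) alerts for the three insider-risk scenarios."""
    alerts = []
    failures = defaultdict(list)  # actor -> recent failed-login timestamps
    for ts, event, actor, detail in rows:
        if event == "login_failed":
            # sliding window: keep only failures within FAILED_LOGIN_WINDOW of this one
            recent = [t for t in failures[actor] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
            failures[actor] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_failed_logins", actor, f"{len(recent)} failures"))
        elif event == "software_install" and detail not in SANCTIONED_SOFTWARE:
            alerts.append(("unsanctioned_software", actor, detail))
        elif event == "account_access" and detail != actor:
            # the actor touched an account that is not their own
            alerts.append(("cross_account_access", actor, detail))
    return alerts
```

In practice the allowlist and thresholds would come from the per-user or per-group profiles the article describes, so that a developer installing tooling or a helpdesk agent accessing delegated accounts does not trip the same rules as everyone else.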
Still, SMEs often lack the resources and time needed to understand how to mitigate and respond to insider threats. Businesses of all sizes need to identify who is at risk, where the risk comes from, and the triggers that can set off risky behaviour.
The following guidelines are intended to help resource-strapped SMEs in the fight against ransomware and cyber breaches.
Train employees to spot scams: Businesses need to educate staff through regular cyber security awareness and training programmes. Training should cover recognising potential threats, the latest news and guidance on new and existing threats, and how to respond. It is crucial to maintain awareness throughout the business with regular bulletins, updates and tips.
Reinforce (and enforce) company policies: The company should have policies in place regarding the confidentiality of user credentials – especially considering the new constraints of South Africa's Protection of Personal Information Act. These rules should apply to everyone, including IT and security personnel. The policies should include strong password and authentication requirements. Make sure employees understand these policies – and the reasons they exist – and adhere to them, so they can do their part in ransomware prevention.
Use software as a service for applications: Using applications that are company-sanctioned can go a long way toward preventing ransomware. That’s especially true when it comes to using file-sharing applications instead of e-mail attachments. This strategy mitigates or potentially eliminates malicious attachment phishing attacks, so it’s worth a look.
Talk about macros: Users unfamiliar with macros in Microsoft 365 and Adobe PDF documents may automatically click an “enable macros” button in a malicious attachment. That is a big mistake that opens the door to ransomware. Document-based malware incidents are reported to be very much on the increase; in these cases a malicious document behaves much like an executable program, including the ability to run processes and install other code on the system. It is also worth considering non-native document rendering for PDF and Microsoft 365 files in the cloud to stop this practice, as the desktop applications may have unpatched vulnerabilities that are ripe for exploitation.
Make incident reporting easy: No one wants to be the person who clicks on a malicious attachment or link. It would be easy to beat yourself up if you are that person, and easier still to avoid the embarrassment of reporting it. That is why employees must understand that they – and everyone they work with – are the victims in these cases. Companies need to ensure everyone feels comfortable reporting any security incident. In a nutshell, clear reporting procedures are required.
Physical security also matters: Make sure everyone understands the company's security policies concerning facilities and devices. A lost or stolen laptop without a login password is an open invitation to access the network, and stolen credentials in the hands of an attacker can only lead to disaster. Everyone needs to understand that devices, badges and credentials must always be kept secure.
Plan for recovery: There is no way to be 100% certain an organisation is safe from a ransomware attack. Ultimately, the best defence is to ensure the company can recover if it happens, and that starts with backup and disaster recovery planning and solutions.
Photo by Craig Whithead. Article by www.itweb.co.za