Insider Threats: The New Front in the War on Fraud
Posted November 23, 2016
Insider risk has long been the elephant in the room when it comes to corporate data breaches. While the headlines focus on shadowy hackers and international cybercrime rings, the truth is that a surprisingly large percentage of attacks are made possible because of employee mistakes or deliberate malfeasance. PwC’s Information Security Breaches Survey 2015 revealed “Internal Accidental” to be the biggest single source of breaches (26%), beating organised crime (23%) into second place. The recent compromise at UK operator Three has highlighted the problem yet again.
Organisations need to respond by finding more effective ways to authenticate their employees. If they don’t, this blind spot in their cybersecurity has the potential to overshadow even customer-targeted fraud.
A Growing Threat
The Three breach exposed the details of 133,000 customers, which attackers had allegedly obtained to request and then intercept upgrade devices. They got this information from a database accessed via an “authorised login”. This means they either had someone working on the inside who accessed the info, or else they harvested those credentials remotely by sending a key member of the Three staff a malware-laden or traditional phishing email.
In fact, there are many ways that organisations can lose control of employee accounts, putting them at risk from external hackers:
- Staff sharing passwords across multiple applications
- Weak, easily crackable/guessable passwords
- Phishing attacks
- Devices compromised via insecure Wi-Fi networks
- Other malware that intercepts user log-ins
Three is by no means the only victim of this kind of threat. There are signs that Tesco Bank could have been breached in a similar way, leading to customer accounts being raided of an estimated £2.5m in a “systematic, sophisticated attack”. Bangladesh Bank employees are thought to have been monitored for some time before hackers stole credentials for payment transfers, leading to an audacious $81m heist. The CISO of Dutch bank ABN-Amro was so concerned about security lapses by staff that he claimed in September he was considering sending in undercover staff to reveal bad practice.
A Tricky Balance
The bottom line is that remote web access for internal business applications is a major risk for all organisations today. Managing that risk while maintaining the undeniable productivity benefits it brings is a tricky balancing act. Extra authentication steps such as one-time password devices aren’t practical for many businesses, and they sometimes don’t protect against certain attacks anyway. They also run the risk of negatively affecting user productivity and end up turning staff against the organisation.
The challenge is even greater when one considers the vast and growing mobile workforce many firms have today. Many of their BYOD devices aren’t managed appropriately, introducing extra risk. And let’s also not forget those potentially insecure entry points into the corporate network managed by contractors and other third parties. Some of the most damaging breaches in history, including US retailer Target (70m customers) and the Office of Personnel Management (22m federal employees) came about because contractor credentials were stolen.
Organisations need better visibility and control over employees and partners accessing internal resources via the web. That means combining device info, user identity and behavioural data to profile users in order to better spot anomalous behaviour. It must be transparent and friction-free but effective enough to monitor identities across channels, devices and locations in real-time. After that, it’s down to the individual organisation to tweak the system according to its risk appetite and particular circumstances/culture.
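To make the "combine device info, user identity and behavioural data, then tune to your risk appetite" idea concrete, here is an added example (not from the original post or any product it mentions) that scores a login attempt against a per-user baseline built from constructed sample events; the weights and the three appetite thresholds are illustrative assumptions, not a standard.

```python
from collections import defaultdict

# Constructed sample of web-access events (not real data). Each record carries
# the signal groups the post describes: identity (user), device, and
# behaviour/location (country, hour of day in UTC, success flag).
HISTORY = [
    {"user": "alice", "device": "d-1", "country": "GB", "hour": 9,  "ok": True},
    {"user": "alice", "device": "d-1", "country": "GB", "hour": 10, "ok": True},
    {"user": "alice", "device": "d-1", "country": "GB", "hour": 14, "ok": True},
    {"user": "bob",   "device": "d-2", "country": "GB", "hour": 11, "ok": True},
    {"user": "bob",   "device": "d-2", "country": "GB", "hour": 3,  "ok": False},
    {"user": "bob",   "device": "d-2", "country": "GB", "hour": 3,  "ok": False},
]

# Risk appetite -> (step-up threshold, block threshold). Assumed values; each
# organisation tunes these to its own circumstances.
APPETITE = {"low": (20, 50), "medium": (40, 70), "high": (60, 90)}

def build_profiles(history):
    """Per-user baseline of devices, countries and hours seen on successful logins."""
    profiles = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for e in history:
        if e["ok"]:
            p = profiles[e["user"]]
            p["devices"].add(e["device"])
            p["countries"].add(e["country"])
            p["hours"].add(e["hour"])
    return profiles

def recent_failures(history, user):
    """Failed attempts for the user within the history window."""
    return sum(1 for e in history if e["user"] == user and not e["ok"])

def risk_score(event, profile, failures):
    """Weighted sum of anomalies; weights are illustrative only."""
    score = 0
    if event["device"] not in profile["devices"]:
        score += 40  # unrecognised device
    if event["country"] not in profile["countries"]:
        score += 30  # country never seen for this user
    if event["hour"] not in profile["hours"]:
        score += 15  # outside the user's usual hours
    score += min(failures, 3) * 10  # prior failures hint at guessing or reuse
    return score

def evaluate(event, history, appetite="medium"):
    """Return (score, decision); decision is allow, step_up or block."""
    profile = build_profiles(history)[event["user"]]
    score = risk_score(event, profile, recent_failures(history, event["user"]))
    step_up, block = APPETITE[appetite]
    if score >= block:
        return score, "block"
    if score >= step_up:
        return score, "step_up"  # e.g. ask for a second factor only now
    return score, "allow"
```

Run `evaluate({"user": "alice", "device": "d-9", "country": "RO", "hour": 3, "ok": True}, HISTORY)` to see a block decision, while alice's usual device, country and hour score zero and pass without friction.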
Customer fraud is a huge and growing problem today. But with access to your organisation’s most sensitive databases, attackers can potentially cause even greater damage.