From BA to Equifax, WikiLeaks to GuptaLeaks, Hillary to Ivanka, leaked information as a result of indiscriminate email use or careless employee behaviour is giving organisations and politicians around the world sleepless nights.

By Steve Herridge, Mimecast cyber security specialist

Research conducted in 2018 by Mimecast and Vanson Bourne found that nearly four in ten global organisations reported an increase in internal threats, driven by careless employees, compromised email accounts or malicious insiders. Locally, the risks posed by internal threats are no less severe.

Careless, negligent users create vulnerabilities

In South Africa, 37% of respondents to the Vanson Bourne report experienced an increase in internal threats driven by careless employees, and 41% are not confident that employees can identify and defend against email-borne attacks. Alarmingly, 38% of respondents lacked confidence in their security systems’ ability to defend against attacks driven by carelessness and negligence.

Often, these attacks are unintentional and occur because employees don’t understand the organisation’s security policies and rules – or the dangers of circumventing them. These types of threats can be as damaging to corporate reputation and company finances as corporate espionage, making it even more important to prevent accidental leakage of information.

Examples of careless or negligent behaviour include:

* Clicking on suspicious links in emails or opening dodgy attachments that expose the organisation to malware;

* Copying dangerous links into work documents;

* Copying sensitive data onto a flash drive that gets lost or stolen;

* Installing and accessing software that has not been approved by the IT department; and

* Accidentally sending sensitive information to the wrong contact.

A lack of on-going cybersecurity awareness training is compounding the risk to organisations. The Vanson Bourne report found that only 12% of South African firms continuously train their employees to spot cyberattacks. Regular and effective internal security training is essential to ensure employees know how to identify email threats and that they are aware of the company’s security procedures and policies. The only way to change security behaviour is to empower employees with the knowledge of what to do and make them care enough to improve and do what is right when it matters.

Technology also plays an important role: implementing robust security solutions that can scan attachments and URLs for malware and malicious links, detect URL and email address spoofing, and automatically detect and delete infected emails helps to mitigate security risks related to employee behaviour.

Recently, threat intelligence has emerged as an important weapon in the fight against internal threats. Having accurate, actionable intelligence allows organisations to be proactive in preventing these types of threats, rather than simply reactive. Good threat intelligence further enables organisations to understand insider threats, learn from them and use this information to prevent similar incidents from occurring in future.

Even the CEO’s account can be compromised

Risky behaviour is not confined to lower-level employees. The Vanson Bourne report found that 31% of global CEOs have accidentally sent sensitive data to the wrong person, and one in five organisations reported that a C-level executive had sent sensitive data in response to a phishing email in the past 12 months.

Organisations also lack confidence in their ability to protect against internal threats: 38% of South African firms were not confident that they could protect against internal threats driven by careless employees, and 27% felt vulnerable against internal threats driven by compromised accounts.

In many cases, affected individuals are unaware that they’ve fallen victim to an impersonation attack until it’s too late. Sophisticated email or URL spoofing techniques trick unsuspecting users into believing they are communicating with a legitimate employee or supplier or visiting a trustworthy website. Sensitive information is readily shared with hackers, and fake websites deliver malware onto the corporate network.

The risk is heightened by the fact that most social engineering emails contain no malware at all: spoofing attempts often go undetected because most email security systems cannot detect the risk inherent in such emails. Adequate on-going training is the organisation’s best defence against such attacks: by making employees more aware of these risks, it is easier to instil a culture of care that puts the organisation’s security first.
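As an added illustration of the header-level checks a mail filter can apply to such malware-free impersonation attempts (example code written for this page, not Mimecast's product), assuming a constructed staff directory and the organisation domain example.com:

```python
import difflib
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and a small
# directory mapping staff display names to their real mailboxes.
INTERNAL_DOMAIN = "example.com"
INTERNAL_STAFF = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}


def analyse_headers(raw):
    """Return a list of impersonation indicators found in one message's headers."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    indicators = []
    # Display name matches a known colleague, but the address is not that colleague's mailbox.
    expected = INTERNAL_STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        indicators.append("display-name impersonation of %s" % expected)
    # Sender domain is a near-miss of our own domain (typo-squat or digit-for-letter swap).
    if domain and domain != INTERNAL_DOMAIN:
        if difflib.SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio() >= 0.85:
            indicators.append("lookalike domain %s" % domain)
    # Replies would silently go somewhere other than the apparent sender.
    if reply_to and reply_to.lower() != addr.lower():
        indicators.append("reply-to mismatch %s" % reply_to)
    return indicators


# Constructed sample messages, not real captured mail.
SPOOFED = (
    "From: Jane Doe <jane.doe@examp1e.com>\r\n"
    "Reply-To: accounts@mail-example.net\r\n"
    "To: sam.lee@example.com\r\nSubject: Urgent payment\r\n\r\n"
    "Please wire the invoice today.\r\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "To: sam.lee@example.com\r\nSubject: Lunch\r\n\r\nNoon?\r\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyse_headers(sample))
```

The spoofed sample trips all three checks without any attachment or link being involved; the legitimate one trips none.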

Protecting against malicious intent

“Never ascribe to malice that which is adequately explained by incompetence,” as the old saying goes. But in the modern context, organisations have no choice but to protect against malicious insiders. These are employees who are fully aware that their actions can damage the company and who intend to profit personally from leaking, stealing or compromising confidential company data or systems. Thirty-six percent of South African firms are not confident that their security systems could protect them against attacks by malicious insiders.

Technology tools that provide protection against the malicious leaking of sensitive company information are a first line of defence. In particular, tools that can help prevent the accidental or intentional exposure of confidential information by applying data leak prevention policies to internal and outbound emails can quickly isolate and contain malicious intent.

Mimecast’s Internal Email Protect, for example, gives organisations the power to automatically reach into a user’s inbox to remove infected or risky emails, while admins can manually monitor, search for and remediate emails via a dedicated dashboard.

Organisations’ greatest threat in the fast-changing world of cybersecurity is – and probably always will be – their employees. By taking a practical approach to protecting against internal threats and prioritising effective and on-going awareness training, organisations create a powerful first line of defence, protecting their systems, their data, and their reputations.