Protecting a business from internal threat is a battle that breaks the traditional rules of warfare. With the right technology and security mitigations, businesses can arm themselves against external attack, but the internal threat must be fought with knowledge, data and insight. The reason is that internal breaches are often caused by human vulnerability: some will be malicious, but in many cases the internal threat is simply due to human error.

With the best will in the world, humans will always make mistakes, and there is no patch against that. Employees are unpredictable creatures and will be tempted to do silly things, make bad choices or simply make mistakes, irrespective of the training they’ve received and the security knowledge they’ve been armed with.

McAfee cites internal ‘actors’ (as it calls them) as being responsible for 43% of data loss incidents, half of which are intentional, while half are accidental. These internal actors include employees, contractors, and third-party suppliers, with a 60/40 split between employee/contractors and suppliers. A study by Vanson Bourne elevates the risk to 74%, with 42% of those threats coming from employees alone; and according to Verizon’s ‘2018 Data Breach Investigations Report’ over a quarter (28%) of attacks last year involved insiders. “Errors were at the heart of almost one in five (17%) breaches,” reads the Verizon report. “That included employees failing to shred confidential information, sending an email to the wrong person or misconfiguring web servers. While none of these were deliberately ill-intentioned, they could all still prove costly.”

In the healthcare industry in particular, last year it was the only industry where the threat from inside was greater than that from outside (56% internal versus 43% external). Human error was a major contributor to those statistics. In some cases, human error spilled over into malicious intent: employees were also abusing their access to systems or data, although in 13% of cases this was driven by fun or curiosity, for example where a celebrity had recently been a patient.

The Information Commissioner’s Office routinely highlights the ongoing challenge of human error — or carelessness — through its data security incident trends reports. In the fourth quarter of 2017 alone, 957 data security incidents (which occurred in organisations across the UK) were reported to the ICO. Whilst not all of these were a direct result of human error, incidents such as posting or faxing data to the incorrect recipient, emailing data to the incorrect recipient, a failure to redact data or a failure to use bcc when emailing all sat near the top of the list of incident types.

According to the ICO, the education, local government and general business sectors saw the most incidents last quarter, whilst the health sector saw a 21% rise in reported incidents. The education sector alone saw 12 unencrypted devices lost or stolen in the last quarter of 2017, whilst the healthcare sector saw 11 go missing. This goes to show that even now, with widely publicised incidents that have been reported for many years, it is still not possible to achieve cyber security perfection. Carelessness, human error and simple mistakes will persist.

In the face of rising cyber-attacks, as well as the perennial challenge of “the un-patchable vulnerability”, businesses first need to know what ‘normal’ looks like, so that anything abnormal can be detected early on. User behaviour analytics makes this possible: machine learning is used to baseline what is normal for each employee, common trends are mapped, and any activity outside of these is red-flagged as a potential issue. So, while a few actions on their own can seem harmless, when put together and analysed, alarm bells might ring. For example, a user may log in to the company intranet at a time that’s unusual for them, via an unrecognised device, and download a large amount of data to a USB stick. Each action on its own may seem innocuous, but when put together in such a chain it could be a warning that data extrusion is taking place.
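The chain described above, as an added example that is not part of the original post or of any Citrix product: it baselines each user from constructed history and escalates only when several weak signals coincide. It uses simple statistics in place of machine learning, and the thresholds (5% hour share, 3 standard deviations), the field names and the verdict labels are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample history: (user, login_hour, device_id, mb_downloaded)
HISTORY = [("alice", h, "LAPTOP-A1", mb)
           for h, mb in [(9, 40), (9, 55), (10, 35), (8, 60), (9, 45),
                         (10, 50), (9, 38), (8, 42), (11, 65), (9, 48)]]

def build_baseline(events):
    """Per-user baseline: login-hour frequencies, known devices, download volumes."""
    base = {}
    for user, hour, device, mb in events:
        b = base.setdefault(user, {"hours": Counter(), "devices": set(), "mb": []})
        b["hours"][hour] += 1
        b["devices"].add(device)
        b["mb"].append(mb)
    return base

def score_session(baseline, user, hour, device, mb, removable):
    """Return (signals, verdict); one signal is only noted, a chain escalates."""
    b = baseline.get(user)
    if b is None:
        # No history means nothing can be called normal for this user.
        return ["no_baseline"], "review"
    signals = []
    # Unusual hour: fewer than 5% of this user's past logins fell in this hour.
    if b["hours"][hour] / sum(b["hours"].values()) < 0.05:
        signals.append("unusual_hour")
    if device not in b["devices"]:
        signals.append("unrecognised_device")
    # Large download: more than 3 standard deviations above the user's own mean.
    # Sigma is floored so a very flat history does not alert on small noise.
    mu, sigma = mean(b["mb"]), pstdev(b["mb"])
    if mb > mu + 3 * max(sigma, 1.0):
        signals.append("large_download")
        if removable:
            signals.append("removable_media")
    if not signals:
        verdict = "normal"
    elif len(signals) == 1:
        verdict = "note"
    elif len(signals) == 2:
        verdict = "review"
    else:
        verdict = "alert"
    return signals, verdict

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print(score_session(baseline, "alice", 2, "UNKNOWN-7", 4000, True))
```
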

But of course, where human error is involved, situations aren’t necessarily black and white. When the event itself isn’t malicious, there may still be a knock-on effect that either the user or the business hasn’t properly considered. For this reason, user behaviour analytics is the most logical solution, where machine learning can be applied to mitigate all manner of risks, from the obvious to the unexpected. The more data, the richer the insight, and of course at Citrix we are in a position of strength, being able to access information about a user at every single data point.

I will be talking in more detail about this topic during my speaker session, “Protecting from the inside-out: the unpatchable vulnerability”, taking place at 10am on Thursday, June 7 at InfoSecurity Europe, Olympia, London.