The insider threat, the hardest cybercriminal to keep out

The internal “spy” – the insider threat

The hardest attack to defend against in cybersecurity.

There are three types of spy

The accidental spy – the person who thinks it is OK to bypass the security systems put in place to protect the organisation. Those who think the policies do not apply to them:

  1. I am the best sales person and those policies will slow me down,
  2. I am the CEO and I need this technology to make my job easier, less complex but it has not been tested in the organisation. “Just do it”
  3. I am the CIO and all of the other CIO’s have the newest gadget, so it must be OK

The incompetent and / or silly spy – the person who has been targeted by a social engineering attack and has fallen for the bait:

  1. Opened that email attachment, clicked that link.
  2. joined that Facebook group without checking their security settings.
  3. opened the video on Messenger
  4. Tried to win that Bunnings / Home Depot voucher

Finally we have the disgruntled or disappointed employee, the most dangerous – the destructive spy:

  1. The sales person who is leaving and takes a copy of the CRM, because they think they are entitled to it.
  2. The employee who has left who still has access to the system.
  3. The outgoing / fired IT person who has full access to the system and has put in back doors so they can continue to get in and do a number of nasty things.

Protection against the internal spy, comes down to policies, procedures and processes.

Policies are applied to all people in the organisation, if not adhered to then repercussions need to be in place

Procedures need to be created so that everyone knows, not only their own jobs, but parts of other staff members jobs as well. They need to be documented, distributed and authorized by management. But, more importantly, they need to be followed.

Processes need to be put in place to ensure that things are done and done the right way every time.

Although the insider threat is one of the hardest attack to protect against, there are still ways to reduce the risk.

If you are not sure then talk to someone who can help.

What do you think?

Am I correct?

Make a comment on this article.

Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.

He was Runner up in the 2017 worldwide Cybersecurity Educator of the Year award and has been nominated for the 2018 Cybersecurity Educator of the Year award. 

He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.  

He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.  

He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.  He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

“She’ll be right”, is not cyber event protection!

A cyber event is not a punch line.   It is a serious effort to derail your organisation.

Cyber event protection?

If an attack is intentional then you need to manage the risk.   If the attack is accidental or random then you have to understand the implications.

Understanding what is happening in your industry, your supply chain or other areas of the digital world is important.

The implications to your organisation could be a flow on effect of a cyber event on the other side of the planet.

To us humans it is 10,000 kilometers away in the digital world it is just a click.

Our understanding of the digital world for most organisations is mainly focused on client management, communication and service delivery.

CRM, sales, marketing, email, data and information are all woven into the fabric of improving the bottom line.

What can we do with the tools available without spending too much money but with a significant return on the money invested in the organisation.

10 years ago any business who was on the cutting edge of technology had the ability to multiply their revenue by a factor of 10.

Today everyone is using the same products and services to improve the bottom line.

Technology is no longer the multiplier that it use to be.

But, security of that technology is!

The news of significant hacks like Ashley Madison, Target, Yahoo and Equifax have created startling headlines but have they changed the attitude of business organisations world wide?

No they haven’t!

The problems with raising awareness to the true cost of a cyber event is not understood by most people.

“It will not happen to me” or the colloquial response of Australians – “she’ll be right” significantly reduce your ability to handle a cyber event and to come through one with the organisation intact and still functioning.

Making the simple attitude change, “it could or may happen to me”, has a significant impact on any organisation.

The change in mindset, a couple of words in a statement, starts people down the road to better protection.

Isn’t it about time that you made that change?

Once you have made that change, questions and answers start to be heard.

  • How about we put a policy around this process.
  • How about we put processes and procedures around the database.
  • How about we put together a disaster recovery plan.
  • How do we get back to business as usual – lets put together a business continuity plan.
  • How about we educate our troops so they can recognize an attack.
  • How about we invest in new technology.

All good ideas that would never come about if we believe we do not have a problem.

If we persist with an attitude of “she’ll be right” I can guarantee that we will not.

Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.

He was Runner up in the 2017 worldwide Cybersecurity Educator of the Year award and has been nominated for the 2018 Cybersecurity Educator of the Year award.  

He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.   

He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.   

He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

What every CEO and CIO should know about cybersecurity

The problem with cybersecurity is it is not sexy.

In most cases it is down right boring.

Although not sexy and down right boring it is still something that every CEO, manager, owner and board member has to focus on.

With all of the automated attack vectors available to the cyber criminals, we can no longer say we are not a target. We cannot say we have nothing worth stealing.

The more and more reliant business has on the digital world the greater the chance that a cyber event will cripple the organisation.

What are the main things that every management type needs to focus on when it comes to prevention of a cyber event.

Here are a few!

The cost of a cyber event.

The cost of a cyber even can range from lost time and functionality within the organisation to more money than the organisation can find to pay for the breach.

Cryptovirus is an example of lost time and functionality. If you do not have a functioning and tested backup of the data, you have to rebuild the offending device but you will also have to also replicate all of the data.

A full blown breach by a dedicated black hat hacker can steal everything and then use your system as a platform to target your clients, suppliers and staff. When that happens you realize that you are NOT too small to be a target

How they get into your system

The go to weapon of most cyber attacks is social engineering. Two parts of a very effective attack strategy. The technology to effect change, follow a link to an infected website, click on an ad in social media or open an attachment in an email, combined with getting you to trust them where you let them in.

Either way they are now in.

Risk and problems just compounded.

Simple ransomware for instance, the initial encryption of data is only one of the stages of the attack. What about stage 2,3 and 4.

Wannacry showed us that a combination of 2 attack vectors allowed a single infection to traverse a whole network. One computer is a problem for any organisation. All of the computers is a nightmare.

The protection challenges

In most situations managers, owners, executive and board members do not understand the digital realm. Risk management of data (a critical component in today’s business world) is often overlooked and considered an ICT problem.

Its not! Today’s digital security challenge is everyone’s issue and the sooner it gets noticed as a business risk and treated as such the faster we will see a reduction in attacks.

From the largest organisations to smallest single entities, we all keep critical data in places that are easily accessed, relatively unprotected and mobile.

What are you doing to manage the expected cyber events that could cripple your organization?

There is no single, simple fix. If there was everyone would be safe.

It is a complex issue and one needs to dedicate some time, money and expertise to understanding the issues and risk associated with a cyber event.

Come to one of my intensive workshops it will open your eyes on your business requirement to be safe as an organistion.

Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.
He was Runner up in the 2017 worldwide Cybersecurity Educator of the Year award and has been nominated for the 2018 Cybersecurity Educator of the Year award.  
He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.   
He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.   
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

Can you be a great CEO by ignoring Cyber?

The digital world, the cyber world, is creating huge problems for business.

People like me and the security community have been screaming for the last 10 or so years about the problems, issues and dangers that the digital world delivers to business.

We have shown numerous times that the digital realm is a huge problem for anyone who thinks that:

  • they are not a target,
  • have nothing worth stealing or
  • cyber security is too expensive.

Time and time we have seen data breaches and ransomware attacks that have crippled organisations, both large and small.

We have seen the most secure people in the world get breached time and time again.

Still no one is listening!

We are told we are being scare mongers, unrealistic, even calling our reputations into question. BUT, we still see the problems and although we are screaming we cannot convince people to do something about it.

Like me there are a number of people or organisations who are more interested in education and the process of education and training than selling tin (unnecessary technology) to a business.

We are more interested in raising awareness, and raising awareness is where we need to start.

As a CEO, manager, owner or board member you already have a handle on risk management. You live and breath cashflow, revenue streams, management teams and HR, it is all part of the process of being in charge. All this is taught in managers school or more importantly the school of hard knocks.

If you don’t learn these basics then you are going out of business. Slow or fast you will eventually go out of business.

There is a saying that “you don’t know what you don’t know”, in todays business world that is a specific reference to the digital realm.

We are all focussed on new and shiny, even I get caught up in the hype of new “whatever”. Most of them have a digital component incorporated into that new shiny thing.

We seldon look at the complex systems that make that part of the digital world work for you. It is complex!

As a CEO you need to understand the risks that cyber delivers to your organisation. Where do you get that understanding?

In most organisations business security lands smack bang on the desk of the IT section, the person who knows computers or the risk compliance officer.

They do not know what to do, they need guidance, direction and most importantly they need the AUTHORITY to enact change.

Business security is a very specialised area of expertise. You need to enact a framework.

You need to spend money wisely.

You need to continiously work on making the organisation more secure. Today we are more secure than yesterday!

Without understanding the risks, implementing change and giving a responsible person the authority to make change you are ignoring the Cyber Realm.

Without enacting a framework, you are at the mercy of the next cyber event.

Without a framework for business security you are not a very good CEO. That would really hurt.

Roger Smith is a highly respected expert in the fields of cyber crime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cyber security) on Cyber crime, Cyber security and the hacking techniques used by the digital criminal.   

He is an Amazon #1 selling author on Cyber crime with his best selling book, Cyber crime a clear and present danger, going to number one in 3 sections of Amazon.   

He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cyber crime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

Cybersecurity is all about Infosec!

“Using smart technology is not smart unless infosec procedures are set in place.” Laith Alkhouri

We are inundated with shiny and new.

The newest mobile device, the newest computer, the newest operating system, the newest application or apps, all that newness.

All of that smart technology!

Individuals and organisations often forget, in the rush to get things to market, the first reiteration of shiny and new can have some serious flaws and issues.

We forget it too!

Going back a couple of years when everyone was jumping on the band wagon of “you need an app for that“, some of the NFL teams released apps for you to track you favorite team, keep up with the stats and buy their merchandise.

They forgot that a financial transaction needed access to either credit card information or bank account details.   These transactions were in plain text in transmission as well as when stored on the device.

No encryption.

If you purchased that jumper then you had a really good chance of having your financial details stolen.

To stop themselves from being sued they put all of the onus on everyone using the system through a comprehensive waiver.   You agreed to the terms and conditions probably without realising it, you agreed when you installed the app.

The way all of the software companies manage their apps are the same.   You want to use the app then it is your problem because you agreed to the terms and conditions.

The legal beagles have not caught up with this yet.   As a user, are we not entitled to have some semblance of security and safety when using a product.

Are we not entitled to sue someone when using their product and something happens?

When did that change?

I suggest that when you install your next app that you have a look at the terms and conditions before you say yes.   In most cases you have no rights what so ever if something is stolen, according to them.

Oh look something shiny and new, I just have to have it!

 

Roger Smith is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.   He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one in 3 sections of Amazon.   He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

A business security framework for the cyber insured

The introduction and subsequent uptake of insurance focusing on “cyber” have shown that the insurance industry is serious about protecting the assets of businesses all over the world.
The level of protection is dependent on the policy, your business requirements and also how much protection you need for your business.
Insurance without looking at increased protection however, will not work.  A breach would / could put you in the situation where you are not covered.
If you do not get your business security and protection correct then you will be in a situation where a cyber crime against your business will not be covered under your insurance policy
Here is a basic framework that aligns with most cyber insurance policies.
  1. Technology.  There are a number of areas where technology investment is paramount.   Here are a few
    • Router, modem, firewall – get the best you can afford.   Definitely get rid of the system supplied by the ISP or the shop bought one from a home retail shop.  As a level of protection they will not protect your organisation.   Minimal spend should be around $600 for a small business up to more than $20k for a large organisation
    • End point protection – 2 things about end point protection, they will catch malware and suspect applications because, like us the hackers are inherently lazy and use old known code.   The second is doing a regular scan, this will allow systems to catch up with malware that has been recently discovered.
    • Wifi – access to your wifi allows access to your systems, whether it is set up to have access or not.   Once again spend a little and invest in the best you can afford.
    • Encryption – if you are collecting staff, user, client and financial information then it need to be protected from ease dropping with encryption.   Encryption needs to focus on data at rest, where and when it is stored as well as in transit.
    • Patching and updates – operating systems – do it, applications – do it, websites – do it, tablets and phones – do it.   Absolutely critical to protecting anything digital in today’s world.
    • Up to date operating systems and applications – if you are using old versions of MAcOS, windows XP, android – replace them ASAP
  2. Management.

    • Policies procedures and processes – policies are very important as they tell your staff where you stand on passwords, internet usage, email usage, education and training.   Make sure everyone reads and understands them.   Procedures allow you to specify how things are done so that anyone can walk in and do a task without supervision.   Processes will also allow systems inside the organisation to be implemented as a standard
    • Audit and reporting – it is no use collecting information from the system if no one is going to look at it.   You need to implement a standard process that audits the information and reports it to management.
    • Logging and alerts – all systems have some level of logging.  In a small organisation daily checks of individual logs can be done, in larger organisations there is a need for a central location and a system that alerts staff to issues coming from firewalls, intrusion detection or AV.
    • Password management – in today’s world passwords are your passport to the digital world so they have to have 3 components – must be more than 10 characters, must be unique for each location and must be complex, having letters, numbers, capitals and symbols.
    • Education and training – there is a 300% ROI on education in an organisation.   Your staff are the first and last line of defence, when the technology fails an educated user will be the last line of defense
  3. Sustainability
    • Disaster recovery – when it alls goes to custard (and it will) you better have a way back.   This is what disaster recovery is all about.   It doesn’t matter if it is physical (flood, fire), digital (cyryptovirus, failed hard drive) everything that is stored digitally is vulnerable.
    • Risk management – you need to way up the risks of a issue impacting your organisation.   The higher the risk the more you need to mitigate it.   If you use the NIST framework to manage your risk and exposure it will benefit the process of risk management
    • Backups – everything that is important need to have a backup made of it.   If it is business critical then the risk of something happening needs to be weighed up against mitigation and cost.   Virtual imaging backup software is a huge solution to this priblem
    • Business continuity – what happens if the district where you office is locked down and noone can access the office.  What contigencies have yo got in place.
  4. Compliance – if you are collecting PII (personal identification information) then you will have a compliance requirement.   If you are collecting financial information then PCI DSS compliance requirements come into the situation as well
 So insurance is all very well but unless your organisation invests in the additional components of your cyber protection you may find that the cryptovirus that has encrypted all of your data is not covered.
If you want to know more get my book or ebook
Roger Smith is the CEO of R & I ICT Consulting Services,(http://rniconsulting.com.au), Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime (http://www.amazon.com.au/CyberCrime-Clear-Present-Danger-Security-ebook/dp/B00LEJTN5Y), author of the Digital Security Toolbox (http://www.rogersmith.com.au/roger/toolbox/) and the SME digital security framework (http://smesecurityframework.com.au/csb/).   He is a Speaker (http://www.rogersmith.com.au/roger/roger-smith/), Author, Teacher and educator (http://securitypolicytraining.com.au/cybersecurity-awareness-introduction/) on cybercrime and how to protect yourself from the digital world.