The massive data breach suffered by Tesla in May is proof that any organisation – whatever its size, fame, and resources – remains at risk from the ‘insider threat’. The incident involved two former staff members leaking the personal information of 75,000 employees to German newspaper Handelsblatt. This followed an earlier incident reported by Reuters in April that Tesla workers had shared sensitive images recorded by customers’ vehicles.
Clearly, no business can afford to be complacent about the harm that can be caused by the actions of just a single individual – whether intentionally or accidentally. According to the findings of Apricorn’s latest annual survey of security leaders within large UK companies, organisations are well aware that employees are continually exposing sensitive data to loss. However, they don’t appear to be taking the necessary measures to control the risks.
The danger from within
Overall, respondents to the survey believed that employees had been the cause of 70% of the data breaches suffered by their organisations. This is close to the figure stated in Verizon’s 2023 Data Breach Investigations Report, which found that the ‘human element’ is a factor in 74% of total breaches.
There are two sides to the insider threat: malicious and negligent. Negligence tends to be more common. However, 20% of the security leaders surveyed by Apricorn said employees with malicious intent had been behind a breach at their company.
Remote and hybrid working may be ingrained as business as usual these days, but issues with the model remain. Almost half (48%) of respondents admitted their organisation’s mobile or remote workers had knowingly exposed data to a breach over the last year.
When employees are working away from the office, they tend to be more likely to let basic security hygiene lapse – for example joining unsecured public Wi-Fi networks, postponing software updates, or accessing corporate resources from personal devices. Remote workers are also physically removed from the security teams whose job it is to maintain oversight of endpoints and provide guidance. This decentralisation may be fostering complacency within the workforce, while simultaneously leaving IT with less control and visibility over the devices and data in use.
Organisations also need to concern themselves with the behaviour and integrity of employees working for their partners and suppliers. In Apricorn’s survey, 21% of respondents said their company had experienced a data breach as a result of third parties mishandling corporate information.
The increasing reliance on digital services from third party providers creates vulnerabilities that attackers are poised to exploit, in order to infiltrate multiple companies, both upstream and downstream. This can have devastating effects, as highlighted by the August Met Police data breach, in which personal details of officers were leaked into the public domain. The incident was attributed to a hacker gaining “unauthorised access” to a supplier’s IT system.
Loosening the reins
Despite being aware that employees and other ‘insiders’ are not living up to their security responsibilities, security leaders don’t appear to be doing all they can to prevent data being compromised. This is particularly the case when it comes to BYOD. Only 14% of those companies surveyed by Apricorn that allow remote workers to use their own IT devices proactively control how they can access the corporate network and systems.
While attack vectors are becoming ever more sophisticated, the simpler techniques continue to have high rates of success. Social engineering remains a favoured way of tricking employees into clicking on a malicious link or handing over credentials, for example. Cyber criminals won’t stop preying on the tendency for humans to let their guard down or take short cuts. Why would they?
In this environment, security teams need to pay attention to building – or rebuilding – a security-first culture, in which every ‘insider’ understands their responsibilities around protecting data, wherever they are. They must be empowered to do the right thing, and held to account.
Eliminate shadow IT. Enterprises should make it a formal requirement that staff members only use approved devices to access corporate resources. This should be enshrined in well-defined and easy-to-follow policies, and enforced through software and hardware – for example locking down USB ports so unsanctioned devices can’t be plugged in, while allowlisting the approved (ideally hardware-encrypted) removable drives that staff legitimately need, rather than relying on a blanket ban that employees will work around.
Ramp up training. Education and awareness programmes must be continually refreshed as threats evolve. They should be contextual to ensure engagement, focused on the threats and vulnerabilities that are relevant to the business and the data being handled. The importance of reiterating basic best practice – such as how to identify phishing emails – cannot be overstated.
Trust no-one. Applying the principle of zero trust means no user or device is granted access to corporate systems or data simply because it is on the corporate network or was authenticated once before. Every access request is authenticated, authorised against policy (identity, device health, location and the sensitivity of the resource) and re-evaluated continuously, and users receive only the minimum access their role requires. The approach treats every request as potentially risky until proved otherwise, which also limits how much a compromised or malicious insider can reach.
Embrace encryption. If data is exposed accidentally, or an employee’s device or removable drive is lost or stolen, encrypting all information as standard will render it unreadable by anyone without the decryption key. Note the limit of this control, however: encryption at rest does not stop an authorised user who deliberately exports data they are entitled to read, as in the Tesla case. That scenario has to be addressed with least-privilege access controls and monitoring of unusual data movement, with encryption as the safety net beneath them.
Build resilience with backups. Every business should have a comprehensive backup and recovery strategy. This should follow the ‘3-2-1 rule’: keep at least three copies of the data, on at least two different types of media, with at least one copy held offsite. One copy should also be offline – for example on an encrypted removable hard drive that is disconnected from the network once the backup completes, so that ransomware or a malicious insider cannot reach it. Automating backups mitigates the risk of employees forgetting or executing the process incorrectly, and every copy should be verified after it is written and restore-tested periodically, because an unverified backup is only a hope, not a control.
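As an added illustration of the automation and verification points above (example code written for this page, not Apricorn’s own tooling), the script below archives a directory once, places the archive on three destinations standing in for the 3-2-1 copies, and re-hashes each copy on arrival so a truncated or corrupted write is caught immediately. A later `verify_backup` pass re-checks every recorded copy, which is the cheap part of a restore drill. The destination names (`local-disk`, `nas-offsite`, `encrypted-usb`) and the sample data are constructed for the demo; in practice the third path would be the mount point of a hardware-encrypted removable drive that is unplugged after the run.

```python
"""Automated, verified 3-2-1 backup run (added example, not from the article).

Assumptions (not from the page): `destinations` are three directories standing
in for local disk, offsite NAS share and an encrypted removable drive that is
disconnected after the run. Encryption of the offline copy is left to the
drive itself; this script only handles archiving, replication and integrity.
"""
from __future__ import annotations

import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(source: Path, destinations: list[Path]) -> dict:
    """Archive `source` once, place it on every destination and verify each copy.

    destinations[0] receives the archive directly; the others receive copies.
    Each copy is hashed after writing: a copy that does not match the original
    digest is deleted and the run fails loudly instead of leaving a bad backup.
    Returns a manifest {"digest": ..., "copies": {path: digest}}.
    """
    if len(destinations) < 3:
        raise ValueError("the 3-2-1 rule needs at least three copies")
    stamp = time.strftime("%Y%m%dT%H%M%S")
    name = f"{source.name}-{stamp}.tar.gz"

    first = destinations[0] / name
    first.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(first, "w:gz") as tar:
        tar.add(str(source), arcname=source.name)
    digest = sha256_file(first)
    copies = {str(first): digest}

    for dest in destinations[1:]:
        dest.mkdir(parents=True, exist_ok=True)
        target = dest / name
        shutil.copy2(first, target)
        got = sha256_file(target)
        if got != digest:
            target.unlink()  # never keep a copy that failed verification
            raise RuntimeError(f"copy on {dest} did not verify")
        copies[str(target)] = got
    return {"digest": digest, "copies": copies}


def verify_backup(manifest: dict) -> bool:
    """Re-hash every recorded copy; False if any is missing or has changed."""
    return all(
        Path(p).is_file() and sha256_file(Path(p)) == d
        for p, d in manifest["copies"].items()
    )


def demo() -> tuple[dict, bool, bool]:
    """Run a backup of constructed sample data, then simulate damage to one copy."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src = root / "finance"
    src.mkdir()
    (src / "q3.csv").write_text("account,amount\nA,100\nB,250\n")  # constructed sample data
    dests = [root / "local-disk", root / "nas-offsite", root / "encrypted-usb"]

    manifest = run_backup(src, dests)
    ok_before = verify_backup(manifest)

    # Simulate bit rot or tampering on the removable copy: append one byte.
    usb_copy = Path(next(p for p in manifest["copies"] if "encrypted-usb" in p))
    with usb_copy.open("ab") as f:
        f.write(b"\x00")
    ok_after = verify_backup(manifest)

    shutil.rmtree(root)
    return manifest, ok_before, ok_after


if __name__ == "__main__":
    m, before, after = demo()
    print(f"{len(m['copies'])} copies written, digest {m['digest'][:16]}...")
    print(f"verified after write: {before}, after simulated corruption: {after}")
```

The manifest is the artefact worth keeping alongside the backups: a scheduled job that re-runs `verify_backup` against it, and alerts when it returns False, turns silent corruption or deliberate tampering of a copy into an event the security team sees before the day it needs to restore.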
It is employees that form today’s enterprise security frontline. At the same time, adversaries are increasingly targeting individuals as a means of gaining access to networks and information. Complacency must not be allowed to creep in as staff and security teams become used to hybrid working. Even the most cyber-savvy employee will suffer a lapse of concentration from time to time – while the ongoing cost-of-living crisis may make individuals more susceptible to approaches in which criminals offer payment for exfiltrating data, sharing credentials or planting malware. A layered approach, in which a focus on policy and people goes hand in hand with technology controls, is the only reliable way to manage human-led risk in an increasingly distributed working environment.