Those who believe walls are the best security are forgetting one critical detail: insiders. Employees, partners, and contractors can wreak more havoc than any outside hacker. And, if you consider phishing an insider threat, as many security experts do, suddenly the insiders become your biggest security nightmare.
There are more outsider attacks because bots hammer at your firewall all day, every day. But, says Dodi Glenn, vice president of cyber security for PC Pitstop LLC, an Internet-based PC maintenance and security firm in Sioux City, Iowa, "The insider typically has greater access to sensitive information, and a better understanding of internal processes." You don't give outsiders access like that, but any spies or moles in your company already have access to your confidential files.
Insider threats tend to be 90 percent inadvertent (sharing passwords, falling for phishing emails, mishandling confidential documents), but the other 10 percent does the most damage.
Don't underestimate the phishers, says Stu Sjouwerman, CEO of KnowBe4 LLC. "Over the past five years, cybercrime has gone pro," he says. "The average phishing landing site is up for only six hours. They get what they want, then move on. Unfortunately, it takes about six hours for AV products to be updated to handle those new phishing sites, so attacks sail right through."
Sjouwerman, whose Clearwater, Fla., company provides security awareness training and an integrated phishing platform, says training can greatly reduce phishing success. "It all starts with policy, procedures, and awareness. Most companies fail on all three fronts. There's a lucrative opportunity for the channel in training and testing." Moreover, says Sjouwerman, "Most companies need to at least double their cybersecurity budget. It's usually at 4 or 5 percent of their IT budget and it needs to be 10 percent."
Fatih Orhan, director of technology for Clifton, N.J.-based Internet security provider Comodo Group Inc. and the Comodo Antispam Lab, addresses insiders. "Protection depends on two key elements. First, authentication and authorization, then proper procedures defined and applied in order to maintain the former." He understands the level of difficulty is pretty high. "They have so many other priorities and such small IT departments that security moves lower down the ladder of priorities. Managed services providers are a viable option to help."
Tools alone don't do the job, says Orhan. "There should also be the implementation and stringent application of the policies and procedures which are necessary to offset threats from the inside."
False Sense of Security
According to John Thompson, director of systems engineering at Carlsbad, Calif.-based cloud security service ThreatStop Inc., "Folks have a real false sense of security because they have some kind of AV. But companies often don't have centralized management to monitor and disable credentials, so people still have access when they leave. Don't forget patch management, and don't rely on the receptionist/IT person as many small companies still do."
Even the idea of insider threats causes small businesses problems, says Thompson. "You think you know everyone," he says. "The owner probably interviewed them. Often everyone has admin rights, so it's always a balance between usability and security."
Worse, technology can't mitigate many threats, says Glenn. "What software will prevent an employee writing out by hand confidential information? None that I'm aware of. Defending against insider threats is being able to identify malicious intent."
Glenn outlines five best practices for handling insider threats that you can discuss with clients or use as part of their security training:
- Hire trusted employees and do background checks.
- Manage negative issues quickly to prevent an employee from becoming irate enough to sabotage the company.
- Monitor and record what employees do on the network.
- Educate and train employees to look for suspicious behavior, such as co-workers threatening to do nefarious things.
- Implement user access and control restrictions across the network. For example, there is no reason someone in customer service needs access to bank accounts.
You can also make use of an FBI brochure on detecting and deterring an insider spy at www.channelpronetwork.com/FBI.