When Steve Ingram recently received an official-looking email stating that he’d been fined for speeding, he almost clicked on the link to see the photographic proof. Fortunately he realised in time that it was a fake – just like an email the previous week asking him to click on a parcel tracking link.
“It was a close thing,” says Ingram, PwC Australia’s national cyber leader, “so I can’t be too critical of other people.”
He has worked in cyber security at PwC for a decade, and the global consulting firm has state-of-the-art protection and rigorous annual training. That a specialist still came this close shows how easily a less-informed employee can unwittingly unleash a maelstrom of damage.
Such emails, which lure the reader to a page that harvests passwords or deliver malicious software into the corporate network, are just one example of the growing “insider” threat to organisations’ cyber security. Add carelessly lost laptops and infected USB sticks to deliberate leaks and sabotage, such as the recent data breach at online dating website Ashley Madison, and the need to focus on employees, contractors, suppliers and other insiders becomes apparent.
With attention increasingly on external attackers after the high-profile leaks at Sony in 2014 and the 2015 breach of US federal personnel records held by the Office of Personnel Management, the internal human threat can easily be overlooked.
“By ignoring the potential for damage caused by malicious, negligent and compromised insiders and focusing narrowly on external threat actors, organisations are effectively locking the doors and leaving the windows open,” says Jason Rance, managing director at global risk consultancy Control Risks.
Malicious insiders are typically moved to act by a trigger event, such as a disciplinary issue or being overlooked for a promotion, and have one or more underlying motives, says Rance. Financial gain is paramount among them and places a premium on the theft of data that can easily be monetised.
Ingram likens cyber security to defending a castle. The moat and walls are the medieval equivalent of an organisation’s firewall, anti-virus software and other technology barriers. But they are useless if a guard accidentally leaves a gate open or is bribed to lower the drawbridge or touches a disease-infected pig’s carcass flung over the wall.
“If people do the wrong thing, intentionally or accidentally, it doesn’t matter how strong the walls are,” he says. “And, as technology improves and firewall protection increases, I think the insider threat will also increase.”
PwC’s Global State of Information Security survey paints a disturbing picture of the growing cyber threat and the role of insiders. The 2015 annual survey of more than 9,700 IT, security and business executives found that detected cyber security incidents soared 48 per cent from the previous year to 42.8 million. The average financial loss per incident was up 34 per cent, to US$2.7 million.
Insiders were the main culprits. Of the incidents attributed to insiders, current and former employees accounted for 65 per cent, and current and former contractors, consultants and service providers for another 33 per cent.
Those statistics highlight that cyber security is no longer just a technology issue, says Ingram. It requires a comprehensive, integrated strategy across IT, HR, legal, security and risk – led by someone in the C-suite. “Ask the head of IT about cyber security,” he says. “If they just say firewalls, be worried.”
Human fallibility is often the easiest target for attackers to exploit. That phishing remains by far the most successful way of gaining entry to internal systems is testament to this. In 2014, 72 per cent of phishing emails were sent during the working week, and 78 per cent were crafted specifically to relate to IT or security topics. Invariably there will be someone who clicks and provides that first route into the network, according to Control Risks research.
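Lures like the speeding-fine and parcel-tracking emails described above usually rely on a handful of link tricks that can be checked mechanically before anyone clicks. The following is an added example written for this article; it is not code from the article, PwC or Control Risks. The two messages, the TRUSTED_DOMAINS list and the `.example` hosts are constructed for illustration, and 203.0.113.7 is a documentation address that resolves nowhere.

```python
"""Audit the links in a suspicious email for common lure tricks.

Added example, not from the article, PwC or Control Risks. The messages,
domains and TRUSTED_DOMAINS below are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure, modelled on the speeding-fine email described in the article.
LURE_EMAIL = b"""From: Infringement Notices <notices@fines-portal.example>
To: steve@example.com
Subject: Speeding infringement recorded - view evidence within 48 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>A speed camera recorded your vehicle exceeding the limit.</p>
<p>View the <a href="http://203.0.113.7/notice.php?id=8817">photographic evidence</a>
or pay at <a href="http://fines.example.secure-pay.example/pay">https://www.fines.example/pay</a>.</p>
</body></html>
"""

# Constructed legitimate notice from the trusted sender, for comparison.
CLEAN_EMAIL = b"""From: Fines Office <notices@fines.example>
To: steve@example.com
Subject: Your infringement notice 8817
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your notice is available in your account.</p>
<p><a href="https://www.fines.example/account">Sign in to view it</a>.</p>
</body></html>
"""

# Assumed: domains the organisation treats as legitimate senders of such notices.
TRUSTED_DOMAINS = {"fines.example", "example.com"}

IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'www.x/...' display text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def audit_email(raw):
    """Return (finding, detail) pairs for one raw message; [] means no red flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    sender_domain = msg["From"].addresses[0].domain.lower()
    if not is_trusted(sender_domain):
        findings.append(("sender_not_trusted", sender_domain))

    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")

    for href, text in collector.links:
        host = host_of(href)
        # A raw IP address: legitimate notices link to a named site.
        if IP_LITERAL.match(host):
            findings.append(("ip_literal_host", href))
        # Link text that shows one URL while the href goes somewhere else.
        if text.startswith(("http://", "https://", "www.")) and host_of(text) != host:
            findings.append(("display_href_mismatch", href))
        # A trusted name used as a subdomain of a domain the attacker registered.
        if not is_trusted(host) and any(host.startswith(d + ".") for d in TRUSTED_DOMAINS):
            findings.append(("trusted_name_as_subdomain", href))
    return findings
```

Calling `audit_email(LURE_EMAIL)` reports all four red flags (untrusted sender, IP-literal link, display/href mismatch, trusted name buried in a subdomain), while `audit_email(CLEAN_EMAIL)` returns an empty list. The host checks are deliberately simple string tests; a production filter would add a public-suffix list and the organisation's real allow-list in place of TRUSTED_DOMAINS.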
Careless staff may be the biggest insider threat, but a malicious current or former employee who deliberately hacks systems or steals data can cause huge damage. Ingram says HR’s cyber security role here is no different from attempting to prevent any other type of fraud – thorough pre-employment screening and ongoing monitoring of behavioural changes in existing staff.
“Everyone asks me how to get ahead of the curve. The reality is the crooks are the curve.”
In assessing job applicants, recruiters should look for links to “countries of concern”, ideological values, recent or repeated minor criminal acts, significant financial concerns that are not being addressed, and termination from employment for misconduct or fraud. These are red flags for high-risk employees, says the federal government’s Protective Security Better Practice Guide published last January.
For existing staff, HR needs to be alert to personal issues such as gambling, drinking, financial or marital problems and to triggers such as redundancies, a poor performance review, demotion or corporate restructures. Ideally, the company’s strong cyber security culture will mean that the co-workers and managers of an at-risk employee notice and report the change in behaviour.
This article is an edited version. The full article was first published in the October 2015 issue of HRMonthly magazine as ‘Cyber threat’. AHRI members receive HRMonthly 11 times per year as part of their membership.