
Is your business preventing insider attacks?

Business security and data protection help to prevent breaches and attacks from phishers and scammers, but how well do they work against your own employees? If a threat came from inside your organisation, would your business be protected? We’ve been looking into insider attacks, and how your company can stay safe and secure from internal threats.

What is an insider attack?

An insider attack is an attack made on your organisation by someone who has, or had, authorised access to sensitive data. This usually means the attack comes from an employee, a contractor, an ex-employee or an ex-contractor. These attacks can be intentional, where an employee maliciously seeks to damage a business, or they can be unintentional, where an employee discloses data or information accidentally.

The results of an insider attack can be as damaging as an external attack. Businesses that fall victim to insider attacks can lose revenue and the trust of their clients, not to mention the financial cost of recovering after an attack. In cases where personal data has been leaked, they may also have to pay a huge amount in fines. For many SMEs, a successful attack can mean the end of their business.

Why are businesses vulnerable to insider attacks?

Businesses are particularly vulnerable to insider attacks because employees know your business far better than an external phisher does. Not only do they have authorised access, which means less time spent breaking into your systems (and therefore less chance of discovery), they also know where and how personal data is stored. 

If you outsource some of your services, then the number of people who have access to your systems increases. That means more individuals who have the potential to disclose client databases, customer directories and applications.

Accidental attacks vs. malicious attacks

Accidental attacks are the result of employees acting negligently with data. This could include releasing sensitive data outside of the company, or disclosing private information that pertains to the business in public (either in real life, or through social media). It could also be the loss of files, or devices belonging to the business that contain sensitive information (a business mobile or laptop). 

Phishing emails can also be considered insider attacks. Although the phisher may be external to the company, the attacks are often facilitated by an employee. This could be through social engineering (being convinced to release data or credentials by a phisher) or through negligence (clicking a link in a phishing email). 

Malicious attacks are the result of employees acting out against the company for some reason. This could include intentionally leaking data to a competitor, either for financial gain or for a future employment opportunity. It could also include releasing data to the public with the intention of damaging the business.

One of the trickier aspects of identifying malicious attacks after the incident is that perpetrators can argue that the attack was accidental. It can sometimes be difficult to prove that an employee acted maliciously in releasing data publicly. 

How can businesses prevent insider attacks?

To help prevent accidental insider attacks, one of the best things that businesses can do is educate their employees. Ensure that everyone who has access to sensitive data is aware of phishing scams, social engineering, and most importantly, your company policies surrounding bank transfers and user credentials. If staff understand the kinds of attacks your business will be targeted by, they’re less likely to fall victim to them.

In preventing malicious insider attacks, things become more complicated, but there are some measures that you can put in place. Set up two-factor authentication for systems containing sensitive data, so that you need more than a username and a password in order to gain access. Another prevention method is removing ex-employees' permissions and access to data as soon as they leave the company.

For malicious attacks that are perpetrated by current employees, you should think about who has access to company data. It’s unlikely that every employee needs continual and constant access to all of your sensitive data. Identifying which employees need access to each of your systems, databases, directories and applications, and removing access that isn’t required can help reduce opportunities for employees to act maliciously.
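
The measures above can be run as a periodic access review. The following Python example is added here and is not from the original article: it compares an HR roster with an account export and flags leavers who still have access, access a role does not need, sensitive systems without two-factor authentication, and accounts with no known owner. All names, roles, systems and records are constructed sample data, and the role-to-system policy is an assumption.

```python
from datetime import date

# Constructed sample data (not from the original article).
# HR roster: user -> (role, leaving date, or None if still employed)
ROSTER = {
    "asha": ("finance", None),
    "ben": ("support", None),
    "carla": ("finance", date(2024, 1, 5)),      # ex-employee
    "dev": ("contractor", date(2023, 12, 1)),    # ex-contractor
}
# Assumed policy: the systems each role actually needs.
ROLE_NEEDS = {
    "finance": {"payroll", "crm"},
    "support": {"crm", "helpdesk"},
    "contractor": {"helpdesk"},
}
SENSITIVE = {"payroll", "crm"}  # systems that must use two-factor authentication
# Account export: (user, system, enabled, two_factor)
ACCOUNTS = [
    ("asha", "payroll", True, True),
    ("asha", "crm", True, False),
    ("ben", "crm", True, True),
    ("ben", "payroll", True, True),
    ("carla", "payroll", True, True),
    ("dev", "helpdesk", False, False),
    ("eve", "crm", True, True),
]

def review_access(roster, role_needs, sensitive, accounts, today):
    """Return sorted (user, system, finding) tuples for enabled accounts."""
    findings = []
    for user, system, enabled, two_factor in accounts:
        if not enabled:
            continue  # a disabled account cannot be used to log in
        if user not in roster:
            findings.append((user, system, "no owner on HR roster"))
            continue
        role, left = roster[user]
        if left is not None and left <= today:
            findings.append((user, system, "leaver still has access"))
            continue
        if system not in role_needs.get(role, set()):
            findings.append((user, system, "access not required for role"))
        if system in sensitive and not two_factor:
            findings.append((user, system, "no two-factor on sensitive system"))
    return sorted(findings)

if __name__ == "__main__":
    for f in review_access(ROSTER, ROLE_NEEDS, SENSITIVE, ACCOUNTS, date(2024, 1, 17)):
        print(*f, sep=" | ")
```
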
