Cybercrime and the threat from within
Are you protected from the insider threat of cybercrime?
In this article Anthony Rance, Partner at Weightmans, shares guidance on how to put robust policies in place to protect your business.
Startling figures (taken from research conducted by global cybersecurity outfit Kaspersky* into more than 5,000 businesses worldwide) show that the majority of businesses believed their biggest weakness in protecting against cybercrime was their own employees. Carelessness and a general lack of knowledge were identified as key risks.
In addition, the top three threats to organisations identified by the research all had a ‘human factor’, namely (1) inappropriate data sharing via mobile devices, (2) physical loss of mobile devices and (3) inappropriate IT resource use by employees.
So, how can you address the vulnerabilities posed by your own staff?
A key element of keeping your systems safe and secure is educating staff so that they are aware of the correct procedures and adopt the right practices. Whilst you may have some employees who would know what to do if they saw a suspicious email, it is dangerous to assume that this will be the case for all individuals within your business – especially as email phishing scams are becoming ever more sophisticated. This is where a policy document and training come into play. There are also simple practical measures that can be considered and put into action.
A good starting point for any policy is to identify and explain the threat landscape that may be faced by employees on a daily basis. This can include:
- External threats, such as unexpected emails (which may have malicious code embedded within hyperlinks and attachments); suspicious calls (which may be seeking to extract sensitive information); and hacking (whereby someone is seeking to gain access to your network); and
- Internal threats, such as intentional or inadvertent data breaches by colleagues, or the misappropriation of confidential information for commercial gain.
IT and email
Once the potential cyber-threats have been identified, your policy should then turn to the various ways that employees can guard against those threats.
One key aspect of a robust cybersecurity policy is to set out what IT controls are in place – employees should understand and adhere to those controls. For example:
- Software should be kept up to date and employees should be made aware of the importance of allowing updates;
- Email security should be a high priority, not least because (as noted above) an e-mail embedded with malware can be a doorway for cyber criminals to gain access to your network. Employees should also understand the dangers of innocent error and carelessness when using e-mail. For example, data breaches can occur easily when the “auto complete” function in Outlook is used when filling out the ‘send to’ field on an email. Over-reliance on this function is a common source of inadvertent breaches, when sensitive data is accidentally (and quite innocently) sent to the wrong recipient; and
- Employees should be careful about password use, making sure passwords are not recycled or widely shared and that they are changed regularly.
Other simple steps can also be set out in the policy, for example encouraging employees to lock their screen when they leave their desks.
Where do you store your customer data? Is it held in a secure customer relationship management (CRM) system or are you keeping it in an Excel file on a shared company drive? Who can access that customer data within your business and how?
Precisely how secure your data is will depend on how it is held and accessed. In many businesses, it may be alarmingly easy for an employee to download sensitive data and to find a way to get it out of the building. For example, can they print it, download it to a USB device or perhaps e-mail it from a web-based email account such as Hotmail or Gmail?
Any IT security policy should therefore:
- Regulate the use of USB ports, with specific sanction needed before data can be downloaded or uploaded;
- Limit access to file sharing websites and web-based email accounts (ensuring that staff can only email from a company-controlled account); and
- State clearly that company e-mail accounts remain company property and may be subject to monitoring.
As noted above, your employees should change their passwords regularly. This applies to any remote devices as well as desktops and laptops: have different passwords for different devices to help keep accounts secure if one password is ever compromised.
For additional security, “two-factor” or “multi-factor” authentication can be required for access to devices when working remotely. This is a method whereby a user is only granted remote access to a device or network if they confirm their identity by presenting two (or more) pieces of information. For example, this can include something the user knows (e.g. a PIN), something the user has (e.g. a bank card) and a physical characteristic of the user (e.g. a fingerprint). Another common two-factor authentication process involves logging in with a username and password coupled with a unique code sent to a mobile device.
Passwords and device security can avoid information falling into the wrong hands if a mobile or laptop was to go missing or be stolen. But how else do you manage your devices when they are out of the office? Having in place procedures around access to unsecured networks, such as working at home, can provide further protection and control around what data can be accessed remotely.
Employees need to be very careful about unguarded use of social media. Whilst many employees will have their own personal social media accounts that have nothing to do with work, they should be aware that significant information about them might be publicly available through such accounts. Hackers are becoming ever more targeted and sophisticated with their efforts and an unrestricted social media account can provide a wealth of information to a determined cyber-criminal. Any policy should flag these risks.
Education and information sharing
Finally, there should be a continual process of education and awareness about the latest cyber-threats, so that employees remain vigilant and wary at all times. For example, one threat that has been increasing in prevalence in recent years is the so-called ‘Friday Afternoon Fraud’. This is a type of fraud that is common in the legal industry, since hackers often target the transfer of funds that occurs as part of a conveyancing transaction (with the name of the fraud coinciding with the time when most property transactions take place). However, the concept is not unique to the legal industry and any payment of money from one party to another can be intercepted and diverted in the same way.
The fraud involves a hacker emailing the unsuspecting purchaser from an email account that looks like the intended recipient (e.g. their lawyer) and requesting that they transfer the money to a new account – which is actually an account belonging to the fraudster. Unfortunately, before the victim has realised what has happened, the money has often already been laundered through several accounts and has become untraceable (another reason to perpetrate the fraud on a Friday, since it gives the fraudster the weekend to misappropriate the funds).
As with most frauds, an awareness of the risks and increased vigilance by employees can go a long way to guard against becoming another victim. For example, if payment details do suddenly appear to change, it is often sensible to call and double check with a known contact before transferring any money.
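The two warning signs described above (a sender address that merely resembles a known contact, and a sudden request to pay into new bank details) can be checked automatically before a finance team acts on an email. The script below is an added illustration, not code from the article or from Weightmans; the contact domains, the message text and the payment-change phrases are constructed for the example.

```python
"""Flag 'Friday Afternoon Fraud' style emails: a lookalike sender domain
combined with a request to send money to new bank details."""
import re
from typing import Optional

# Constructed example data: domains of contacts the business already deals with.
KNOWN_CONTACT_DOMAINS = {"smithconveyancing.co.uk", "examplebank.com"}

# Constructed phrases that commonly accompany a last-minute change of payment details.
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew (bank )?account\b",
    r"\bchanged? (our )?bank details\b",
    r"\bupdated? (our )?account details\b",
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Collapse common look-alike character tricks (rn -> m, 0 -> o, 1 -> l, vv -> w)."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")

def lookalike_of(domain: str) -> Optional[str]:
    """Return the known contact domain this sender imitates, or None if genuine or unrelated."""
    if domain in KNOWN_CONTACT_DOMAINS:
        return None
    for known in KNOWN_CONTACT_DOMAINS:
        if normalise(domain) == normalise(known) or edit_distance(domain, known) <= 2:
            return known
    return None

def assess_email(sender: str, body: str) -> dict:
    """Combine the sender check with payment-change wording into a verdict."""
    domain = sender.rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(domain)
    payment_change = any(re.search(p, body, re.IGNORECASE) for p in PAYMENT_CHANGE_PATTERNS)
    if imitated and payment_change:
        verdict = "BLOCK_AND_PHONE_KNOWN_CONTACT"   # both warning signs present
    elif imitated or payment_change:
        verdict = "REVIEW"                          # one warning sign: a human should look
    else:
        verdict = "OK"
    return {"domain": domain, "imitates": imitated, "payment_change": payment_change, "verdict": verdict}
```

A "BLOCK" verdict is a prompt to telephone the contact on a number already on file, as the article advises, not to reply to the email.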
If you’re looking at ways to ensure your business has a comprehensive plan in place to protect it from cybercrime, contact us today.
Source: The human factor in IT security https://media.kasperskycontenthub.com/wp-content/uploads/sites/100/2017/11/10083900/20170710_Report_Human-Factor-In-ITSec_eng_final.pdf