As we learnt during the last couple of years, for the cyber-criminals, a crisis merely presents an opportunity. In 2020, malware attacks rose by 358% and in the first quarter of 2022, Russia experienced nearly 3.6 million data breaches, an 11% increase*. Cyber-attacks rose by 125% globally last year* and industry analysts forecast that this upward trajectory will only continue throughout 2022.
With soaring inflation and huge economic instability, business leaders are focused on survival – the cost-of-living crisis is highly likely to see the criminals step things up a notch once more.
But who are the cyber-attackers? What do cyber-criminals look like today? Of course, the stereotype of a man sitting in a dark room, dressed in a black hoody is rarely the reality – but without knowing exactly who poses a threat, how can you defend your business?
Mention the word ‘cyber-attacker’ and most of us think of an unscrupulous, financially motivated threat actor or criminal organisation with the malicious intent to compromise an organisation’s security defences. However, in a rapidly changing threat landscape with an increasing attack surface, the cyber-criminals are effectively recruiting others to help them deploy their attacks – and, alarmingly, this includes those closest to us.
What is an insider threat?
Today’s businesses operate in a world in which 95% of data security issues are caused by human error ^ and a single employee can provide access to millions of files.
As Techjury reported this month, 66% of organisations consider malicious insider attacks or accidental breaches to be more likely than external attacks. This mounting concern follows a 44% rise in the number of reported insider incidents over the past two years, costing, on average, $15.38 million per event. +
Malicious insiders may steal leads, intellectual property, trade secrets, financial information or sensitive customer data – they’ll use it for personal advantage, to gain a competitive edge, or sell it to the highest bidder. In 2020, a former General Electric engineer was imprisoned for 12 months and ordered to pay US$1.4 million in compensation for stealing thousands of proprietary files to start a rival business. #
Fortunately, malicious insiders are relatively rare – unintentional data leaks are more common. A negligent insider may be an employee who forwards an email to the wrong person, unknowingly enters information on a fraudulent, copycat website or loses physical data – whether that’s a hard copy or stored on a lost smartphone.
Of the 15 billion spam emails sent each day, ** 30% are still opened by employees. ^^ Whilst staff training is important and has made employees more aware of downloading malware files, the criminals are quick to circumvent this – 76% of malicious emails sent in 2021 did not contain an attachment. ++ Sophisticated social engineering attacks are also moving away from email, using trusted internal communication channels, like Slack. Last year, 83% of organisations experienced phishing attacks, ** and it’s estimated that 70% go unreported. +
Credential leaks increased by a huge 129% in 2021.
Unintentional insiders also include those who share their login details – again, this can be intended or accidental. According to Techjury, almost two-thirds of breaches involve stolen credentials.
In addition to business email compromise or social engineering, our new hybrid working practices can also increase accidental insider threats. Outside of the office environment, without direct IT team visibility, employees feel more relaxed – it’s easy to overlook cybersecurity if your child just wants to pop onto your work laptop to do their homework, but they could unknowingly cause a devastating data breach.
Supply chain threats
It is no longer enough to secure your own enterprise. A comprehensive cybersecurity risk management plan must assess all third and fourth parties who access your data.
Almost 20% of breaches occurred due to a compromise with a trusted business partner.
IBM’s Cost of a Data Breach Report 2021.
Whilst smaller businesses don’t offer the bigger rewards for criminals, your business partners and their own suppliers are soft targets for an initial entry point. Masquerading as a legitimate user, the criminals move undetected through the network to the higher value, hard-target corporation.
Fourth-party suppliers are often SMEs with less stringent protocols and lack the security budget of the primary company – and the criminals are aware. In 2021, small businesses were three times more likely to fall victim. ## But crucially, under EU and UK GDPR, in the event of a breach, the primary company may still be responsible even if the breach occurred at a third-party – unless the enterprise can demonstrate sufficient due diligence. According to research by Gartner, 60% of organisations are now working with more than 1,000 third parties. At this scale, the supply chain considerably increases the attack surface.
How can cyber-attacks be prevented?
With the cyber-criminals infiltrating our internal teams, what can you do to minimise the risk of a cyber-attack and protect company data?
As even the most educated employees can make mistakes, the end-to-end zero-trust framework greatly reduces the attack surface and prevents lateral movement. With its guiding principle, “never trust, always verify”, it requires all users trying to access an organisation’s network to be continuously authenticated and authorised before gaining access to applications, systems or data. After all, the traditional perimeter no longer exists; legitimate users may be in the building or accessing remotely from anywhere in the world.
Versatile monitoring software is affordable and easy to download and deploy, lowering the risk of a breach event, and should the worst still happen, the financial impact will be considerably less. The IBM 2022 Cost of a Data Breach survey reported that 59% of respondents who didn’t operate a zero-trust model incurred greater breach costs than those who did, by an average of US$1 million. Further cost-savings will be made by avoiding a vast non-compliance fine.
Compromised credentials remain the most common cause of a data breach and have been the primary attack vector for the last two years. We all know that password security is crucial; despite knowing this, in the past five years the most common passwords have hardly changed, such as 123. **
Two-factor authentication and auto-reset options can help reduce administration, and by employing a password best practice policy you can prevent credential cracking. Ensure passwords are over 13 characters, exclude personal information and are unique. The latter can be a sticking point, so single sign-on software or secure password managers can help prevent your employees from taking the path of least resistance.
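One way to enforce the three rules above (over 13 characters, no personal information, unique) at password-set time, as an added example that is not code from the page or from tier1; the profile keys, the common-password list and the hashed password history are constructed assumptions, and uniqueness is checked against the account’s own previous passwords.

```python
import hashlib
import re

# Constructed sample of frequently used passwords; a real deployment would
# check against a full breached-password corpus instead.
COMMON_PASSWORDS = {"123", "123456", "password", "qwerty", "letmein", "welcome1"}


def _normalise(text: str) -> str:
    """Lower-case and strip punctuation so 'Alice.Smith' matches 'alicesmith'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_tokens(profile: dict) -> set:
    """Fragments of the user's profile that must not appear in the password (assumed keys)."""
    tokens = set()
    for key in ("first_name", "last_name", "username"):
        if profile.get(key):
            tokens.add(_normalise(profile[key]))
    if profile.get("email"):
        tokens.add(_normalise(profile["email"].split("@")[0]))
    if profile.get("birth_year"):
        tokens.add(str(profile["birth_year"]))
    return {t for t in tokens if len(t) >= 3}  # ignore tiny fragments like initials


def password_history_digest(password: str, salt: str) -> str:
    """Slow salted digest so old passwords can be compared without storing them in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def check_password(password: str, profile: dict, history_digests: set, salt: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) <= 13:
        problems.append("too short: must be over 13 characters")
    lowered = _normalise(password)
    if lowered in {_normalise(p) for p in COMMON_PASSWORDS}:
        problems.append("too common")
    for token in personal_tokens(profile):
        if token in lowered:
            problems.append(f"contains personal information ({token})")
    if password_history_digest(password, salt) in history_digests:
        problems.append("reused: must be unique")
    return problems
```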
Comprehensive security screening for every potential third and fourth party may seem easier said than done. Strategically designed vendor security assessment questionnaires can be helpful when assessing a potential supplier’s processes, both at the start and throughout your partnership. It’s also a good idea to agree on a business continuity/crisis recovery plan with your supply chain.
One of the most important factors when partnering with third-party vendors is to ensure you understand fully how data is stored, and importantly, how secure IT asset disposal is handled when it is time to recycle or sell redundant IT assets.
When you, your third or fourth-parties process information, that data will pass through multiple devices, servers or cloud applications in multiple locations. Strong principles of data governance throughout the supply chain are essential, as is ensuring the ITAD chain of custody for end-of-life IT assets. All too often an IT asset disposal policy is a vital element missing from business contracts.
Every party must adhere to the same strict and secure data erasure policies for redundant IT equipment through professional IT asset disposition services. An expert environmentally friendly ITAD partner will ensure that each device that is sanitised receives its own IT asset disposal accreditation certificate. Should you ever need it, this provides the essential proof that you have undertaken due diligence and employ a complete supply chain risk management strategy.
Worrying economic instability, preoccupied business leaders and an ever-increasing attack surface have opened another large window of opportunity for the cyber-criminals. The dynamic threat landscape has seen a significant rise in insider ‘attacks’ in the past two years. Whether malicious or negligent, these often go undetected or unreported, with devastating consequences for our businesses.
In a world where the cyber-criminals are effectively recruiting our employees and business partners to help them deploy a cyber-attack, knowing who poses a threat is essential.
Deploying the zero-trust model, maintaining effective password best practice and establishing a robust supply chain data security strategy are three cost-effective ways to minimise the risk of an insider attack – helping you to build greater cybersecurity defences.
* AAG IT; ^ World Economic Forum; + Techjury; # U.S. Department of Justice; ** CyberTalk; ^^ ClearedIn; ++ Tessian; ## Kaspersky.
When mitigating cyber-attack threats, the importance of data destruction services should not be overlooked as part of your organisation’s cybersecurity.
tier1 provide traditional data destruction services, environmentally focussed ITAD and secure, IT asset disposal. We help you prevent future data governance challenges and ensure that you remain fully compliant with legislation.
Sources: Gartner, IBM, The World Economic Forum, CyberTalk, Upguard, Verizon, Expert Insights, CNBC, U.S. Department of Justice, Varonis, Techjury, Kaspersky, AAG IT, Beyond Trust, ClearedIn, Soft Activity, Crowd Strike, Tessian.