“IT managers and the C-suite may not realise that the likelihood of their server being compromised at some point is akin to death and taxes,” says Randy Battat, CEO of encryption software company PreVeil.
We’re inclined to agree. The IT sector is growing, and it’s only going to get bigger. But cybercrime is growing just as fast—if not faster. But what many companies don’t realise is that internal hacking can pose almost as much of a threat as external attacks.
Businesses are in a bad habit of ignoring internal threats and only investing in guarding themselves from the external ones—and you can’t really blame them. The World Economic Forum estimates that cybercrimes cost the global economy S$593 billion in 2016 alone. No wonder HackerOne, a vulnerability coordination and bug bounty platform, earned S$20 million since 2012 by hacking into corporate customers and discovering their vulnerabilities.
Yet, while white-hat hackers aim to tackle external threats, some of the biggest hacks have come at the hands of those on the inside. Whether malicious or unwitting, the enemy could be sitting in a cubicle down the hall. It’s estimated that a full 43 percent of data breaches are caused by internal hacking or other insider threats—and as the IT landscape grows, so too, do the chances of being compromised from the inside.
1. Watch those emails
Wading through email usually tops the list of most hated tasks in a workplace when getting to “inbox zero” is considered a gold standard. And that’s likely why it became such an easy target for some of the biggest internal hacks.
In 2017, a hacker posing as the CEO of solar company Sunrun wormed their way into the payroll department through an email requesting employees’ W-2 forms. The timing—late January, when US companies typically issue their tax forms—made it easy for a worker to look past the phishing scam and send the forms to the hacker. Unfortunately, that exposed the personal information and salary of “a substantial portion” of the company’s 4,000 current and former employees.
A similar scam unfolded at media company Mansueto Ventures, when some employees unwittingly clicked on an email attachment that let hackers steal their coworkers’ wage information and other personal details. In this case, the stolen information of about 90 percent of the staff was quickly used to file fraudulent tax returns, in hopes of skimming any refunds.
It’s easy to see how this type of attack could unfold. When an employee receives an email from an executive that demands a quick response, they’re not always checking to make sure the address of the sender is valid. To avoid this type of attack, email security and phishing awareness training are an absolute must.
2. Double-check who has security clearance
Sometimes, even the employees you trust most can betray the company. Jonathan Ly, a former IT employee of publicly traded Expedia, stole passwords and hacked into the CFO’s and head of investor relations’ devices between 2013 and 2016. From there, he was able to remotely access confidential emails and documents that led him to make a string of stock trades for a profit of S$441,360.
More recently, a Wall Street IT engineer was arrested when authorities found out he installed malware on the company’s servers. He told the FBI he only wanted to see if a potential acquisition might leave him out of a job—however, he also had the encryption keys necessary to use his employer’s trading platform and algorithms.
As Marc van Zadelhoff advises in Harvard Business Review, IT managers should prioritise security risks that employees represent. “In particular, monitor IT admins, top executives, key vendors, and at-risk employees with greater vigilance,” he says.
3. Beware of bugs
Sometimes, it’s not a human on the inside, but a bug in the trusted software that leads to an “internal hack.” Take the case of Cloudflare. Back in February 2017, the internet infrastructure company that serves more than 5.5 million customer websites, including OKCupid and Fitbit, said it discovered a bug in its platform that was randomly letting customer data out. Although a patch was put in place immediately, the personal information could have been seeping out for months.
While some of that data would be hard to monetise, a bug or a damaging attack affecting a company like Cloudflare can impact and potentially endanger a significant portion of the web, so make sure you keep an eye on the programs you’re using.
4. Secure the servers
Wired also reported that conservative data firm Deep Root Analytics misconfigured a voter database hosted on an Amazon S3 server, exposing more than a terabyte of US voter information for anyone on the web to see. This massive breach made it into Wired’s list of the year’s biggest cybersecurity disasters in a report that states, “Misconfiguration isn’t a malicious hack in itself, but it is a critical and all-too-common cybersecurity risk for both institutions and individuals.”
What do all these internal hacking incidents teach us? For one, cyberthreats can come from the most unexpected places—like the print environment. You should start looking for cyberthreats everywhere, not just from where you expect them. Even companies that have standard cybersecurity practices in place can be breached in unexpected ways.
“Passwords are obsolete and even dangerous,” maintains Randy Battat of PreVeil. “And, for that matter, so are current encryption methods that make it possible to access emails as they travel or reside on the server,” he says. An entire enterprise can be brought down by something like that, especially if it lacks the proper defense. If you want to protect your company, start following these tips today and be as proactive as possible. Soon, you’ll be squashing cyber attacks left and right—they won’t stand a chance.