Employees as an internal cyber threat
05 November 2019
Many companies are focused on the external threat to their businesses and seem to forget that internal threats are just as important. In this article, P. Ingram discusses how the unpredictability of human behaviour can be classified as an insider threat.
Computer systems have evolved rapidly since I first started my career as an intelligence officer. I was fortunate enough to have access to a computer in order to write my reports and record my workings; however, the systems were disconnected from one another, with different classifications and access permissions, which made communication between various systems very challenging.
In comparison, most modern business environments now contain interconnected systems that are efficient and well-protected. Advances in the field of cyber-security have facilitated the development of effective, and proactive, cyber defences. Previously, the common approach to cyber-security was reactive, with organisations responding to cyber-attacks once the damage had been done. However, attitudes in recent times have shifted to a more proactive standpoint. Cyber security professionals can now easily monitor all network activity, with software that can not only effectively identify, but also deal with any detected anomalies. Whilst many anomalies in networks can be identified, there are always a minority that can evade detection. Systems can be as safe as possible, but they can never be totally secure.
Human error as a vulnerability
One anomaly in a system that cannot be detected is the unpredictability of human behaviour – an insider threat. The Centre for the Protection of National Infrastructure describes the Cyber Insider as follows: “An insider is someone who (knowingly or unknowingly) misuses legitimate access to commit a malicious act or damage their employer. These days, most insider acts involve IT exploitation termed ‘Cyber Insider’.”
I would expand the definition to include exploitation of all data and not just IT exploitation, in order to properly frame the insider threat. That exploitation could come in the forms of copying / stealing data, altering data, deleting data (sabotage), manipulating perception (misinformation), sabotaging infrastructure and more. The damage caused by an insider can be deliberate, or it can be accidental, arising from negligence or a lack of awareness or training.
The Cyber Fish company, who specialise in examining the human risk from a psychological perspective, state on their website, “Human errors present critical vulnerabilities in enterprise defences, often exposing systems without being attacked… Certain attitudes and behaviours can expose us to direct or indirect digital risk, often without us being aware of even facing any risk at all”. Berta Pappenheim da Silva, the founder and CEO of the Cyber Fish Company, will be at the International Security Expo at Olympia in London on 3rd and 4th December 2019 as part of a panel discussing diversity in the Cyber Conference.
Serotonin is a chemical in the brain that regulates happiness and mood. Serotonin can present an insider threat as it can impact an employee’s attitudes and behaviour in the workplace. If an employee’s morale is low, for example as a result of mistreatment, this could result in the individual turning to actions that damage the company, such as intentionally sabotaging various internal processes.
This highlights the importance of keeping employees happy in the workplace. Unhappy employees have the potential to cause significant damage to a company internally. As mentioned previously, employees have the power to steal, damage/corrupt and sell data; hence adequate training and keeping employees happy are essential.
So, cyber security specialists and infosec experts, how well do you know your people? Are they assessed as part of your network security? And if not, why not? Cyber threats to your company are not solely external attacks: attacks can also come from within your organisation. Internal threats, like theft of data by an employee, are overlooked by systems that only target external threats, such as hackers.