The increasing awareness of external cyber-security threats has executives focused on how their organisation can be defended against the “enemy at the gates”. But are organisations just as much at risk from an “enemy within”? In this article Dr Peter Chapman, Director in the Ferrier Hodgson Forensic Technology and eDiscovery team and InfoGovANZ advisory board member, provides an opinion and case study on insider threat.

The media provides us with constant reminders of the threat of cyber-criminals and other external attackers. Recent legislative and regulatory changes such as the European Union GDPR requirements and mandatory breach notification amendments to the Australian Privacy Act have only increased our awareness, specifically with regards to ensuring that personally identifiable information (PII) in the possession of the organisation is safeguarded.

While PII data is undoubtedly a target of external attackers, and external threats must be guarded against, organisations may be overlooking significant insider threats to their intellectual property and commercially sensitive data.

From an external threat perspective, the concept of information security is relatively straightforward in that our confidential information should never be accessed by cyber-criminals and untrusted external parties. Organisations deploy strong perimeter and controls targeted at external parties (e.g. firewalls, intrusion detection systems, anti-virus, penetration testing) to thwart the efforts of external attackers. It is more difficult to establish effective control systems to prevent and detect internal threat activity.

External-focused controls often do little to prevent or identify the actions of a rogue employee intent on removing sensitive information from the control of the organisation.

Without the constant flow of information between employees, business partners and other entities, organisational performance will rapidly decline. It is also the case that much of the information held by an organisation may be confidential or commercially sensitive. As a result, organisations must extend a level of trust to their employees and business partners which is not afforded to external entities. While this trust is generally respected by the majority, there will always be a minority who will abuse and exploit this trust for their own purposes.

Organisations must balance the inherent tension between making information available to boost performance and securing information to mitigate risk.

Internal attacks were only considered the eighth most serious cyber threat by C-suite leaders and IT executives in the 2018-2019 EY Global Information Security Survey (1). The quarterly statistics published by the Office of the Australian Information Commissioner regarding the Notifiable Data Breaches scheme appears to support this view, at least on first glance. Since the start of reporting in February 2018, insider threat related breaches only account for 9% (on average) of maliciously motivated data breaches that have been reported under the scheme, far outweighed by reported breaches caused by an external malicious actor (2).

Unfortunately, the Notifiable Data Breach statistics are not a useful source for assessing the quantity and severity of malicious internal threat incidents. Organisations do not need to report a breach event if they are confident the data does not contain PII and even where PII is present in the data taken (such as client contact lists), organisations suffering an internal breach generally will have more insight into the motivation and intentions of the perpetrator. The majority of malicious internal breach events relate to employees who take data in order to operate in competition with the organisation. It may be reasonable to assume that the chances of serious harm befalling the persons whose PII data has been taken in such a scenario is low. This in turns means that that reporting the breach is no longer mandatory.

The commercial consequences of an internal breach may still be severe even if the incident does not meet the criteria of a mandatory breach notification.

Despite the apparent lack of visibility and profile when it comes to internal threats, it is evident that most IT security incidents originate from the actions of internal actors (three quarters of incidents originated from the actions of employees, former employees or third parties such as suppliers according to the 2018 PwC Global State of Information Security Survey (3) and the Clearswift Insider Threat Index 2017 (4). These figures combine both malicious and accidental breaches, demonstrating that when an insider acts in a malicious manner, or causes a breach through misadventure, it is much harder to prevent the attack or mistake as the insider is already operating with a level of trust within the organisation’s security perimeter. Accordingly, ensuring all staff are educated on data breach risks and the promotion of a strong culture around data security are worthwhile objectives for all organisations.

Malicious insider attacks can lead to the loss of targeted strategic and commercially sensitive data directly into the hands of a competitor. This means that despite their lower visibility, internally originated breach events can be a more serious threat to organisations than externally originated ones (5).

Internal Data Breach Case Study

A recent internal data breach investigation highlights how even a seemingly innocuous and “non-malicious” insider data breach can rapidly escalate into a serious risk issue for an organisation.

The organisation in this case, referred to as Upsilon, is a large multi-national which has made significant investments in information security policies, training and infrastructure. Like many organisations, Upsilon holds confidential information and sensitive data about its own operations as well as confidential information relating to customers and business partners.

The employee responsible for the internal data breach was a highly skilled senior employee, who was trusted with access to highly confidential internal and client information as part of his role. The employee also operated a small side-business in his area of speciality. While this side-business was declared to Upsilon and flagged as a potential conflict of interest at the time, it was agreed that the employee’s side-business did not directly compete with Upsilon and any conflicts would be managed should they arise in the future.

A BYOD policy was in place at Upsilon and the employee was allowed to utilise a BYOD laptop under certain conditions, one of which being a prohibition on accessing or storing confidential client data on the BYOD laptop. Despite this explicit requirement, the employee decided to use his BYOD laptop to access and store confidential information, later stating that he needed to analyse the confidential data with custom applications that he could only install on his BYOD laptop. The employee also utilised a personal cloud storage service to back-up the content of his laptop without the knowledge of Upsilon, including confidential client information.

The breach in data management procedures remained undetected for a significant period of time, as is common in many data leak scenarios. In this particular case, the employee did not appear have any malicious intention with regards to the data. He simply perceived that it was easier for him to undertake his work on his BYOD laptop. However by doing so, the employee allowed confidential information to be stored on an unencrypted and transportable device that could have been lost or stolen. The employees also caused the data to be uploaded to the servers of an unrelated third party (the cloud storage provider), an action which could have led to data sovereignty issues depending upon the data characteristics and the physical location of those servers.

The breach was eventually discovered when a senior manager happened to discuss a particular work procedures issue that pertained to data held on the BYOD laptop. The senior manager was well aware of the sensitivity of the confidential information the employee worked with, and became immediately concerned that the employee used his BYOD laptop in contrary to data management procedures. The senior manager raised the incident with the IT security team at Upsilon, who in turn initiated an incident response.

Incident response procedures at Upsilon were primarily designed on the assumption that accidental internal data breaches did not require substantial investigation and simply required containment and rectification. Upon request of the IT security team, the employee handed over part of the data and deleted a few files on the BYOD laptop, claiming that this was the extent of the confidential data he had in his possession. Despite his claims to the contrary, it was later identified that much of the confidential information was deliberately retained by the employee on both the BYOD laptop and the cloud storage account. By deliberately avoiding full disclosure and handover of confidential data when initially confronted, the employee demonstrated a clear indifference towards organisational policy, the potential seriousness of the breach and the best interests of Upsilon.

Clear and detailed information management policies at Upsilon required that the incident be escalated to a steering committee for urgent review, even though the initial response appeared to have contained the data breach. The committee identified that a more detailed investigation and forensic analysis of the employee’s devices was required to ensure that all confidential information on the BYOD laptop had been identified and removed.

The employee was requested to hand over the BYOD laptop for review. He initially refused on the grounds that the device was not property of Upsilon and also because personal data and data belonging to his company was present on the device. Once access was negotiated and obtained, the subsequent forensic analysis of the BYOD laptop identified that numerous files had been deleted immediately prior to the laptop being handed over for review and also that a backup of the files on the device, including the confidential data, had been copied to an external storage drive immediately prior to the deletions.

The employee admitted to making copies of the confidential data, handing over the external storage drive and access to the cloud storage repositories. The employee also provided assurances that the confidential data had not been further copied. Despite this second round of assurances, forensic analysis of the online repositories identified that the employee had recently acquired a new laptop and it was likely that the confidential data had also been transferred to this new device. When confronted with these new findings, the employee admitted that he lied for a second time and handed over the new computer. The copies of the data were cleared from the new laptop and forensic analysis confirmed that no further devices or cloud storage accounts appeared to have been used to further propagate the data.

Despite the employee’s best efforts at deception and attempting to disguise the extent of his actions, all confidential data was reclaimed and removed from the employee’s control, providing Upsilon with sufficient assurance that the data breach had been contained and rectified.

Lessons learned

1.     Investing in culture and awareness training around data security

While there were red flags that could have identified that the employee was in breach of policy earlier than it was, the initial detection of the data breach was still a result of Upsilon’s security awareness and policy training.

2.     Incident response policies must address the potential for malicious insider threats

The data breach protocols in place at Upsilon were primarily designed to deal with deliberate breaches caused by an external attacker as well as accidental internal breaches originating from employee error or mishap. The initial response to the breach lacked rigor and required a more investigative mindset on the part of first responders.

3.     Implement appropriate governance and oversight

The initial risk assessment regarding the employee operating a side business appears to have focused primarily on the commercial conflict and did not identify the potential risks relating to confidential data. A more expansive view of risk should be considered when assessing potential conflicts such as this.

Despite the less than optimal initial incident response, Upsilon did have an appropriate escalation and incident management process which identified that the initial incident response may not have been comprehensive and took appropriate steps to address it.

4.     Get the basics right, then implement appropriate controls

Prior to investing in technical and policy control updates, it is imperative that organisations ensure they understand what their critical data is, where it is stored, what it is used for and who needs access to it. Once this is understood, the difficult task of balancing security and accessibility of the data can be undertaken, ideally with a suite of overlapping controls such as: acceptable use policies, data security culture and awareness training, technical controls regarding the use of portable USB storage devices, personal email and Cloud storage, access audit, monitoring and DLP solutions, and an appropriately designed Incident Response policy.

5.     BYOD with care

With regards to BYOD policies, organisations should ensure that a proper risk assessment regarding employee roles, data classification, device security, data access and recovery procedures and legal rights over company data is undertaken PRIOR to allowing employees to access and store commercially sensitive data on personally owned devices.

6.     Trust, but verify

It is essential for organisations to trust employees to do the right thing most of the time. Over-surveillance and deployment of obstructive controls can be just as damaging as being overly lax. However, organisations should be prepared for a scenario where one or more employees deliberately breaches their trust. With this in mind, it is useful to remember the Russian proverb made famous by Ronald Reagan – “Trust, but verify” – when implementing data security policies and controls and also when responding to internal data breach incidents.

References

1.       https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf

2.       https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/

3.       https://www.pwc.com/us/en/services/consulting/cybersecurity/library/information-security-survey.html

4.       https://www.clearswift.com/about-us/pr/press-releases/insider-threat-74-security-incidents-come-extended-enterprise-not-hacking-groups

5.       https://digitalguardian.com/blog/insider-outsider-data-security-threats

Dr Peter Chapman is a Director in the Ferrier Hodgson Forensic Technology and eDiscovery team, lecturer in the Accounting Discipline Group of the UTS Business School and advisory board member of Information Governance ANZ.

 

Information (data) security, cybersecurity and IT security all usually refer to the protection of computer systems and information assets by suitable controls, such as policies, processes, procedures, organizational structures and software and hardware functions. The type and extent of controls depends on the scope and maturity of the business function (usually the Security Department) applying the controls, or, depends on the specialisation/focus of the team, such as Perimeter/Firewall or Identity Management. Each function tends to have a different perspective of information security, compared to other functions, due to their focused specialisation.

A close parallel is the health profession. You see a GP doctor when unwell, and are referred to a specialist who knows much more than your GP about a particular field of expertise. I know that my GP would not want to perform open heart surgery at all. And equally, a heart specialist would not have up-to-date and practical knowledge of all areas of the body. Tinea treatment? – see somebody else please.

In other words, people specialise in a particular aspect of their work. You can’t be an expert in everything. People prioritise – for example, in busy times, a SysOp will not be as vigilant with security when their primary role is to keep the sales /finance system up and running for all users.

This is exactly how Information Security Systems operate. For example, an Information Security Management System (ISMS) such as ISO27001 or the NIST Cybersecurity Framework offers great best-practice information security methods. While an ISMS operated by the Security function will have a security-centric focus, and provide protection from their perspective, it may not integrate completely with Privacy, Legal, Risk and other functions. As a result of these different specialisations, gaps in coverage can arise. And unfortunately for organisations, is often the risks that they are unaware of that hurt the most.

This is where the benefits of Information Governance are most apparent – as IG provides a framework for these business functions that have a valid interest in information protection. These functions, such as Security, Privacy, Legal, Risk, Audit, Records Management and individual operational Business areas, often operate as silos to good effect vertically but with poor integration horizontally. Information Governance is where the horizontal connections are structured, made, and reinforced, using suitable controls such as the familiar sounding ‘policies, processes, procedures, organizational structures and software and hardware functions’. The Sedona Conference has defined Information Governance as ‘an organisation’s coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value’.

Overall, comprehensive and effective security comes about from covering all of the risks that exist against the assets you want to protect. Despite the three character length, ‘All’ is a big word.

In the end, it’s down to appropriately protecting your assets. To protect, you need to know what assets you are protecting, you need to know what threats exist, and you need to know that your protection methods cover all angles. Information Governance provides for orchestrating all of the protection functions together.

---

By Richard Kilpatrick

Richard is a highly experienced consultant in information technology, focusing on realistic data governance, security and privacy.  Richard has led programs of work to discover and classify data across multiple business units, within banks, telcos, health and media. In this article, he outlines the difference between Information Security and Information Governance, explaining why IG frameworks are essential for the successful orchestration of specialised security systems.

Connect with Richard on LinkedIn.

 

 

As the number and size of cyber attacks on businesses continues to increase, the risk of experiencing a data breach is higher than ever. The resulting cost of these breaches can be significant – according to the Ponemon Institute’s 2017 Cost of Data Breach Study, these totalled $2.51 million per year across the organisations that were recruited for the research.

As a result, an increasing number of organisations are choosing to invest in a cyber insurance policy, which allows them to claim cyber incident response expenses, regulatory fines, legal defence costs and business interruption losses. In other words, offset the cost of a potential data breach.

This article outlines the benefits of cyber insurance and explains why, in today’s digital age, it is vital for organisations to invest in this class of insurance, in addition to understanding the information governance obligations that their insurance policy places on them.

What is a cyber incident?

A cyber incident refers any event that threatens the security, confidentiality, integrity, or availability of information assets (electronic or paper), information systems, and/or the networks that deliver the information.  Any violation of computer security policies, acceptable use policies, or standard computer security practices is classified as a cyber incident. (Source : CABQ)

Information governance, along with risk management, may not prevent a cyber attack from occurring, but it can certainly reduce its impact on the affected company. A cyber threat or breach leaves the company exposed to a loss of integrity and compromised access to information. This also results in the inability to provide the right information to stakeholders and the failure to respond to regulatory obligations. Mature cyber risk governance and risk management plans can prevent the disruption of information governance.

Transfer of risk

When dealing with questions of risk transfer, executives may choose to self-insure. According to the Ponemon Institute’s 2017 Cost of Data Breach Study,, the average per cost per capita (per compromised record) of a data breach was $139 per organisation surveyed, with the average cost of data breach totalling $2.51 million. Thus a business experiencing at least two data breaches a year could be expected to set aside $5 million of company funds for data breach response. In such a scenario, investors are likely to find shareholder returns diminish over time compounded with reputational loss.

Investing in cyber insurance not only frees up investors’ resources, it is also more cost effective in the long term. In transferring risk to the insurer, businesses must give proof of their information governance practices. If there are no practices in place, the insurance can facilitate businesses to devise a plan to prevent cyber threat and the risk of legal issues, financial losses and company failures – before accepting the residual risk.

Business Continuity

As all businesses revolve and evolve based on their data, information is critical for ensuring business continuity. Since cyber threats and cyber theft do happen, it is important that businesses possess the capabilty to respond well- this includes having a plan in place to respond to the incident swiftly, professionally and with minimal impact.

A business needs to recognise its capability to access the right information to mitigate the effect of a cyber attack.  Key questions that any manager, executive or business owner must ask themselves are:

–        Does the information governance system, including cybersecurity policies and procedures, mandate backup of information assets, systems and data that can retried if a cyber incident leads to operational downtime?

–        Is there proof the business has a written down business continuity plan and are all employees that will need to act on it trained and knowledgeable as to what to do if the risk occurs?

–        It is essential that all employees and effected parties have access to information on how to respond to an incident to minimise any damage? And is this process exactly what cyber insurers want to see in place, in order to mitigate their own exposure?

Trust

Trust and relationships are the biggest factor in ensuring long term sustainability of a business. A savvy cyber insurance company will not accept the transfer of risk if a business cannot demonstrate adequate measures for maintaining trust of all stakeholders and most importantly, customers. Businesses are expected to prove their integrity through questions such as:

–        In storing customer data, does the business ensure information governance in collection, storage, use and archiving of data. Is the information encrypted or deidentified? Should customer information fall into the wrong hands, can the customer trust that the business can keep their identity safe?

How frequent and proactive is the security management practice of the business? Has the business got access to notification templates for notifying its customers of a data breach?

Cyber incidents affect company reputation and investor relations, which is why it is important that companies build their risk management strategies transparently and with clarity.

People, Policies & Procedures

A cyber insurance company will delve in to the business processes and policies before agreeing to a commitment. They will analyse a number of things, including:

–        Are roles and responsibilities understood?

–        Does information governance dictate checks for monitoring access rights to the information and misuse of access rights?

–        Are their approval controls for transfer of funds?

–        Does the business have an adequate privacy policy that communicates to stakeholders how the business collects and manages information?

–       Does the business have a regular patch management policy?

–        Does the business have a policy of ensuring ownership of risk and liability is described in all third part contracts?

Compliance, Disclosure & Transparency

Compliance is vital to a cyber insurance company – particularly for the legal team. The insurer will look at the below aspects of the potential business:

–        What information governance, risk management, security standards does the business conform to?

–        Is the business PCI compliant?

–        Does the business comply with the Privacy Act?

–        Has the business had a data privacy incident in the past?

–        When completing the application form, has a Director of the company signed the insurance application form?

Transferring risk to a third-party insurer must be supported by evidence of information governance. Any negligence on information governance practices reflects the inability of a part of the business to take the right actions to prevent and mitigate a cyber incident.

Buying a Policy

Risk Register

While the myths on policy coverage are rampant, insurance policies are not to be blamed. Not only are the the complexities of cyber risk not well understood,  executives are unable to dedicate enough resources to demonstrate adequate information governance measures.

Policy wordings are designed to respond to specific cyber risk scenarios. Businesses seeking to buy a cyber policy must ensure that they articulate cyber scenarios in their risk register and seek insurance for them. Cyber risk scenarios and their potential impact must be eliminated and mitigated and only residual risk must be transferred.

Risk scenarios must be matched with plain policy wording and extent of coverage, for those scenarios must be obvious. Managers who do not carry out this exercise are lacking in the process to invest in insurance.

It is vital that cyber insurance policies suit both the insured and the business needs. This is easy to do with the help of a cyber insurance broker, as they will be able to recommend the most adequate cyber insurance policy and help negotiate the most suitable policies to match the business needs.

Risk Register:  Transfer Risk

 

 

Role of Insurance Broker

Cyber risks are evolving. With technology becoming more advanced each day, it is difficult for companies to keep up. With emergent risks, traditional brokers have found it hard to move up the learning curve. Specialist cyber insurance brokers are able to discuss and analyse the business needs, requirements and obligations. They also understand complexities of cyber risk.  A broker can help a business to understand coverage, limits, exclusions and deductibles. At the time of buying cyber insurance, a cyber insurance broker will advise a business on how to obtain a health check on all insurance policies so that gaps in total coverage are not taken for granted.  A broker will also alert clients on their ongoing obligations for all cyber risk scenarios for which policy wordings are sought and matched.

Businesses wishing to assess their cyber risk can source a quote from a broker and know the cost of their cyber risk. Seeking a quote is free of charge and obligation.

Seeking a Cyber Insurance Quote

Usually your broker can procure an indication quote based on the questions below. However, a final quote can only be based on information provided in the full application form.

1.     What was your revenue in last 12 months? Yes/No

2.     What policy limit do you require? Yes/No

3.     What industry is your business in? Yes/No

4.     How many records does your business hold? Yes/No

5.     Do you have a business continuity plan? Yes/No

6.     Do you encrypt data held by your company on mobile and other devices? Yes/No

7.     Do you have firewalls, malware detection systems in place? Yes/No

8.     Do you store data on a third party cloud? Who is the cloud service provider? Yes/No

9.     Do your contracts indemnify any third party for a data breach? Yes/No

10.   Has your business had a data breach in the last two years? Yes/No

11.   Do you regularly implement a written patch management process? Yes/No

12.   Do you have a privacy policy? Yes/No

13.   Which state is your business located?

Cyber insurance policies come equipped with a panel of experts who are able to identify risks and reduce the impact of an incident response. They also have a skilled PR team, legal experts to minimise any associated threats or breach costs, and forensic experts that are able to decipher exactly what happened, why it happened and how to best avoid future incidents from occurring.

 

---

by Meena Wahi – Cyber, Data, IP Insurance Specialist.

Meena Wahi is a cyber insurance and data breach broker, specialising in cyber risk, data privacy, intellectual property risk and cyber crime.   She helps organisations identify potential cyber risks and believes that cyber insurance should be a key component of a company’s enterprise risk management strategy.

Connect with Meena on LinkedIn.