The increasing awareness of external cyber-security threats has executives focused on how their organisation can be defended against the “enemy at the gates”. But are organisations just as much at risk from an “enemy within”? In this article Dr Peter Chapman, Director in the Ferrier Hodgson Forensic Technology and eDiscovery team and InfoGovANZ advisory board member, provides an opinion and case study on insider threat.
The media provides us with constant reminders of the threat of cyber-criminals and other external attackers. Recent legislative and regulatory changes such as the European Union GDPR requirements and mandatory breach notification amendments to the Australian Privacy Act have only increased our awareness, specifically with regards to ensuring that personally identifiable information (PII) in the possession of the organisation is safeguarded.
While PII data is undoubtedly a target of external attackers, and external threats must be guarded against, organisations may be overlooking significant insider threats to their intellectual property and commercially sensitive data.
From an external threat perspective, the concept of information security is relatively straightforward in that our confidential information should never be accessed by cyber-criminals and untrusted external parties. Organisations deploy strong perimeter controls targeted at external parties (e.g. firewalls, intrusion detection systems, anti-virus, penetration testing) to thwart the efforts of external attackers. It is more difficult to establish effective control systems to prevent and detect internal threat activity.
External-focused controls often do little to prevent or identify the actions of a rogue employee intent on removing sensitive information from the control of the organisation.
Without the constant flow of information between employees, business partners and other entities, organisational performance will rapidly decline. It is also the case that much of the information held by an organisation may be confidential or commercially sensitive. As a result, organisations must extend a level of trust to their employees and business partners which is not afforded to external entities. While this trust is generally respected by the majority, there will always be a minority who will abuse and exploit this trust for their own purposes.
Organisations must balance the inherent tension between making information available to boost performance and securing information to mitigate risk.
Internal attacks were only considered the eighth most serious cyber threat by C-suite leaders and IT executives in the 2018-2019 EY Global Information Security Survey (1). The quarterly statistics published by the Office of the Australian Information Commissioner regarding the Notifiable Data Breaches scheme appear to support this view, at least at first glance. Since the start of reporting in February 2018, insider threat related breaches account for only 9% (on average) of maliciously motivated data breaches reported under the scheme, far outweighed by reported breaches caused by an external malicious actor (2).
Unfortunately, the Notifiable Data Breach statistics are not a useful source for assessing the quantity and severity of malicious internal threat incidents. Organisations do not need to report a breach event if they are confident the data does not contain PII. Even where PII is present in the data taken (such as client contact lists), organisations suffering an internal breach generally have more insight into the motivation and intentions of the perpetrator. The majority of malicious internal breach events relate to employees who take data in order to operate in competition with the organisation. It may be reasonable to assume that the chance of serious harm befalling the persons whose PII has been taken in such a scenario is low. This in turn means that reporting the breach is no longer mandatory.
The commercial consequences of an internal breach may still be severe even if the incident does not meet the criteria of a mandatory breach notification.
Despite the apparent lack of visibility and profile when it comes to internal threats, it is evident that most IT security incidents originate from the actions of internal actors (three quarters of incidents originated from the actions of employees, former employees or third parties such as suppliers, according to the 2018 PwC Global State of Information Security Survey (3) and the Clearswift Insider Threat Index 2017 (4)). These figures combine both malicious and accidental breaches, demonstrating that when an insider acts in a malicious manner, or causes a breach through misadventure, it is much harder to prevent the attack or mistake because the insider is already operating with a level of trust within the organisation’s security perimeter. Accordingly, ensuring all staff are educated on data breach risks and promoting a strong culture around data security are worthwhile objectives for all organisations.
Malicious insider attacks can lead to the loss of targeted strategic and commercially sensitive data directly into the hands of a competitor. This means that despite their lower visibility, internally originated breach events can be a more serious threat to organisations than externally originated ones (5).
Internal Data Breach Case Study
A recent internal data breach investigation highlights how even a seemingly innocuous and “non-malicious” insider data breach can rapidly escalate into a serious risk issue for an organisation.
The organisation in this case, referred to as Upsilon, is a large multi-national which has made significant investments in information security policies, training and infrastructure. Like many organisations, Upsilon holds confidential information and sensitive data about its own operations as well as confidential information relating to customers and business partners.
The employee responsible for the internal data breach was a highly skilled senior employee, who was trusted with access to highly confidential internal and client information as part of his role. The employee also operated a small side-business in his area of speciality. While this side-business was declared to Upsilon and flagged as a potential conflict of interest at the time, it was agreed that the employee’s side-business did not directly compete with Upsilon and any conflicts would be managed should they arise in the future.
A BYOD policy was in place at Upsilon and the employee was allowed to utilise a BYOD laptop under certain conditions, one of which being a prohibition on accessing or storing confidential client data on the BYOD laptop. Despite this explicit requirement, the employee decided to use his BYOD laptop to access and store confidential information, later stating that he needed to analyse the confidential data with custom applications that he could only install on his BYOD laptop. The employee also utilised a personal cloud storage service to back-up the content of his laptop without the knowledge of Upsilon, including confidential client information.
The breach in data management procedures remained undetected for a significant period of time, as is common in many data leak scenarios. In this particular case, the employee did not appear to have any malicious intention with regards to the data. He simply perceived that it was easier for him to undertake his work on his BYOD laptop. However, by doing so, the employee allowed confidential information to be stored on an unencrypted and transportable device that could have been lost or stolen. The employee also caused the data to be uploaded to the servers of an unrelated third party (the cloud storage provider), an action which could have led to data sovereignty issues depending upon the data characteristics and the physical location of those servers.
The breach was eventually discovered when a senior manager happened to discuss a particular work-procedure issue that pertained to data held on the BYOD laptop. The senior manager was well aware of the sensitivity of the confidential information the employee worked with, and became immediately concerned that the employee had used his BYOD laptop contrary to data management procedures. The senior manager raised the incident with the IT security team at Upsilon, who in turn initiated an incident response.
Incident response procedures at Upsilon were primarily designed on the assumption that accidental internal data breaches did not require substantial investigation and simply required containment and rectification. At the request of the IT security team, the employee handed over part of the data and deleted a few files on the BYOD laptop, claiming that this was the extent of the confidential data in his possession. Despite his claims to the contrary, it was later identified that much of the confidential information had been deliberately retained by the employee on both the BYOD laptop and the cloud storage account. By deliberately avoiding full disclosure and handover of confidential data when initially confronted, the employee demonstrated a clear indifference towards organisational policy, the potential seriousness of the breach and the best interests of Upsilon.
Clear and detailed information management policies at Upsilon required that the incident be escalated to a steering committee for urgent review, even though the initial response appeared to have contained the data breach. The committee identified that a more detailed investigation and forensic analysis of the employee’s devices was required to ensure that all confidential information on the BYOD laptop had been identified and removed.
The employee was requested to hand over the BYOD laptop for review. He initially refused on the grounds that the device was not property of Upsilon and also because personal data and data belonging to his company was present on the device. Once access was negotiated and obtained, the subsequent forensic analysis of the BYOD laptop identified that numerous files had been deleted immediately prior to the laptop being handed over for review and also that a backup of the files on the device, including the confidential data, had been copied to an external storage drive immediately prior to the deletions.
The employee admitted to making copies of the confidential data, handing over the external storage drive and access to the cloud storage repositories. The employee also provided assurances that the confidential data had not been further copied. Despite this second round of assurances, forensic analysis of the online repositories identified that the employee had recently acquired a new laptop and it was likely that the confidential data had also been transferred to this new device. When confronted with these new findings, the employee admitted that he lied for a second time and handed over the new computer. The copies of the data were cleared from the new laptop and forensic analysis confirmed that no further devices or cloud storage accounts appeared to have been used to further propagate the data.
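The forensic findings above (a cluster of deletions immediately before the laptop was surrendered, preceded by a backup of the same files to an external drive) are the kind of pattern a file-system timeline correlation surfaces. The following Python is an added example written for this article, not code from the original piece or from the investigation described; it runs over a constructed timeline in which the event records, volume labels, handover time and the two-hour/one-minute thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed timeline (not real case data). Each tuple mimics one row a
# forensic timeline tool might export: (timestamp, action, path, volume).
RAW_EVENTS = [
    ("2019-03-04 09:12:00", "created",  "C:/Work/client_a/contract.xlsx", "C:"),
    ("2019-03-04 09:15:00", "modified", "C:/Work/client_a/pricing.docx",  "C:"),
    ("2019-03-11 18:02:10", "copied",   "E:/backup/client_a/contract.xlsx", "E:"),
    ("2019-03-11 18:02:15", "copied",   "E:/backup/client_a/pricing.docx",  "E:"),
    ("2019-03-11 18:02:20", "copied",   "E:/backup/client_b/forecast.xlsx", "E:"),
    ("2019-03-11 18:20:00", "deleted",  "C:/Work/client_a/contract.xlsx", "C:"),
    ("2019-03-11 18:20:05", "deleted",  "C:/Work/client_a/pricing.docx",  "C:"),
    ("2019-03-11 18:20:09", "deleted",  "C:/Work/client_b/forecast.xlsx", "C:"),
    ("2019-03-11 18:20:30", "deleted",  "C:/Users/me/holiday.jpg",        "C:"),
    ("2019-03-12 09:00:00", "deleted",  "C:/Work/client_c/old_notes.txt", "C:"),
]
HANDOVER = datetime(2019, 3, 11, 19, 0, 0)   # assumed time the laptop was surrendered
REMOVABLE_VOLUMES = {"E:"}                    # assumed: volumes identified as external drives


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    path: str
    volume: str


def parse_events(raw):
    """Turn raw tuples into Event objects sorted by timestamp."""
    return sorted(
        (Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), act, path, vol)
         for ts, act, path, vol in raw),
        key=lambda e: e.ts,
    )


def deletions_before(events, handover, window):
    """Deletions that occurred within `window` before the handover time."""
    start = handover - window
    return [e for e in events if e.action == "deleted" and start <= e.ts <= handover]


def largest_burst(deletions, max_gap):
    """Group consecutive deletions spaced no more than `max_gap` apart; return the biggest group."""
    best, current = [], []
    for e in deletions:
        if current and e.ts - current[-1].ts > max_gap:
            if len(current) > len(best):
                best = current
            current = []
        current.append(e)
    if len(current) > len(best):
        best = current
    return best


def basename(path):
    return path.rsplit("/", 1)[-1]


def removable_copies_of(events, deletions, removable):
    """For each deleted file, list earlier copies of a same-named file onto a removable volume."""
    found = {}
    for d in deletions:
        matches = [c.path for c in events
                   if c.action == "copied" and c.volume in removable
                   and c.ts < d.ts and basename(c.path) == basename(d.path)]
        if matches:
            found[d.path] = matches
    return found


def analyse(raw, handover, removable,
            window=timedelta(hours=2), max_gap=timedelta(minutes=1)):
    """Summarise pre-handover deletion activity and whether it was preceded by an external backup."""
    events = parse_events(raw)
    deletions = deletions_before(events, handover, window)
    burst = largest_burst(deletions, max_gap)
    return {
        "deleted_before_handover": len(deletions),
        "burst_size": len(burst),
        "burst_start": burst[0].ts if burst else None,
        "burst_end": burst[-1].ts if burst else None,
        "copied_to_removable_first": removable_copies_of(events, burst, removable),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_EVENTS, HANDOVER, REMOVABLE_VOLUMES).items():
        print(f"{key}: {value}")
```

On the constructed data the analysis reports a four-file deletion burst in the twenty minutes before handover, three of which had been copied to the external volume minutes earlier; the personal photo in the same burst has no prior external copy, which is the distinction an investigator uses to separate routine clean-up from staging of confidential material. In practice the same correlation is run over the MFT or USN journal export and against a list of removable-device serial numbers rather than a drive letter.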
Despite the employee’s best efforts at deception and attempting to disguise the extent of his actions, all confidential data was reclaimed and removed from the employee’s control, providing Upsilon with sufficient assurance that the data breach had been contained and rectified.
1. Investing in culture and awareness training around data security
While there were red flags that could have identified that the employee was in breach of policy earlier than it was, the initial detection of the data breach was still a result of Upsilon’s security awareness and policy training.
2. Incident response policies must address the potential for malicious insider threats
The data breach protocols in place at Upsilon were primarily designed to deal with deliberate breaches caused by an external attacker and with accidental internal breaches originating from employee error or mishap. The initial response to the breach lacked rigour and required a more investigative mindset on the part of first responders.
3. Implement appropriate governance and oversight
The initial risk assessment regarding the employee operating a side business appears to have focused primarily on the commercial conflict and did not identify the potential risks relating to confidential data. A more expansive view of risk should be considered when assessing potential conflicts such as this.
Despite the less than optimal initial incident response, Upsilon did have an appropriate escalation and incident management process which identified that the initial incident response may not have been comprehensive and took appropriate steps to address it.
4. Get the basics right, then implement appropriate controls
Prior to investing in technical and policy control updates, it is imperative that organisations ensure they understand what their critical data is, where it is stored, what it is used for and who needs access to it. Once this is understood, the difficult task of balancing security and accessibility of the data can be undertaken, ideally with a suite of overlapping controls such as: acceptable use policies; data security culture and awareness training; technical controls regarding the use of portable USB storage devices, personal email and cloud storage; access audit, monitoring and DLP solutions; and an appropriately designed incident response policy.
5. BYOD with care
With regards to BYOD policies, organisations should ensure that a proper risk assessment regarding employee roles, data classification, device security, data access and recovery procedures and legal rights over company data is undertaken PRIOR to allowing employees to access and store commercially sensitive data on personally owned devices.
6. Trust, but verify
It is essential for organisations to trust employees to do the right thing most of the time. Over-surveillance and deployment of obstructive controls can be just as damaging as being overly lax. However, organisations should be prepared for a scenario where one or more employees deliberately breach that trust. With this in mind, it is useful to remember the Russian proverb made famous by Ronald Reagan – “Trust, but verify” – when implementing data security policies and controls and also when responding to internal data breach incidents.
Dr Peter Chapman is a Director in the Ferrier Hodgson Forensic Technology and eDiscovery team, lecturer in the Accounting Discipline Group of the UTS Business School and advisory board member of Information Governance ANZ.