What is an Insider Threat: How They Relate to Ransomware
For many businesses, and in some cases government institutions, a common question is: what is an insider threat? It may not be the first question that comes to mind when you think about cyber security. This year the question is more likely to be "how can I protect myself from ransomware?" There are a number of technical measures you can take against ransomware; the most recommended are backups and keeping your systems updated. However, you may have noticed that companies and organizations with security budgets far larger than yours still got hit. How could this have happened? In most cases it was because an employee, willfully or unintentionally, gave an attacker a way into the systems. Any employee, vendor, manager, strategic partner, or anyone else who has access to sensitive information in your organization may be considered an insider. The potential for an insider to expose sensitive information, or otherwise misuse that access, is called an insider threat, and it can have serious consequences for your organization. Insiders are not an abstraction; they are the very people you work with. They come in many forms, but understanding the profile of an insider helps you know what behaviours and motivations to look for.
Profile of an Insider
Insiders are always present; some are merely negligent employees, while others act with malicious intent. In reality an insider security incident can be quite simple and fast. For a negligent employee it may be something as basic as opening an attachment from an unknown party, as was the case with Chipotle earlier this year. For a malicious insider the incident will more likely look like sabotage or the long-term exfiltration of data. While malicious insiders are the ones you hear about most often, it is negligent insiders who cause the most data breaches.
The negligent insider is the most common type of insider threat. They are your everyday employee or executive. They have no malicious intent, but they leak information through careless data handling or, in some cases, by talking too much about sensitive topics online or outside of work. Often the cause is naive behaviour, such as opening unfamiliar email attachments. Many employees are vulnerable to phishing, and in some cases they are used by malicious insiders as unwitting foot soldiers.
The Department of Homeland Security, the FBI, and the CIA are all familiar with the notorious malicious insider, but beyond federal agencies the malicious insider is all too common in the private sector too. Some malicious insiders work with a third party and pass information to them. Often they are managers, administrators, or executives who have almost unlimited access to company data. Their motive is usually financial; divided loyalty is rare. Malicious insiders are often involved in the exchange of trade or state secrets, and an increasingly common scenario is the insider who steals information and tries to sell it on the Darknet. This year has shown that an insider who wants to sabotage the company or government organization they work for can do so with ease by way of ransomware.
How Insiders Expose Organizations to Ransomware
One does not have to follow cyber security news closely to know that major companies, and in some cases governments, are being hit left and right by ransomware. Ransomware, which has surged in the last few years, is malware that locks you out of your device by encrypting your files until you pay a hefty ransom. Even if you pay, there is no guarantee your files will actually be unlocked. Some variants have taken an even more dangerous turn, encrypting whole disks or using encryption to lock files and then destroying them outright. Ransomware tooling is developing at an accelerating pace. Among the large victims this year were FedEx, the NHS, and LG, to name a few, and some smaller companies had their data effectively destroyed by sabotage-oriented ransomware such as NotPetya.
So how exactly do insiders contribute to such destructive events? So far, most have done so unintentionally. Forensics in many ransomware cases show that an insider simply opened an attachment or had their credentials phished. In many cases it was a negligent insider acting on an error in judgement, or simply not knowing the security protocol or process.
Education and Preventative Technology
Security education may sound simple, but it is absolutely critical to preventing ransomware attacks and can be challenging to implement. Security education is more than a few PowerPoint slides; it is continuous training that happens while people are on the job. The other aspect that helps prevent ransomware attacks by way of insider threats is technology such as user behaviour analytics and automated response. If a user's account starts behaving outside its normal pattern, you can catch it without the user's knowledge, which matters whether the user is a malicious insider or someone else has taken control of the account. Once suspicious behaviour is detected, you can define rules and responses, up to shutting down or isolating the user's device when a rule is violated. This is a step beyond simple alerts.
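The baseline-and-respond approach described above, as an added example that is not from the original article or from any vendor product: a toy user behaviour analytics routine in Python that learns each user's usual hosts, working hours and transfer volume from constructed history, scores new events by how many ways they depart from that baseline, and escalates the response as the deviation count grows. The event format, the thresholds (three standard deviations on volume, hours outside the observed range) and the response names alert, require_reauth and isolate_host are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str   # e.g. "login", "file_read", "file_copy"
    nbytes: int   # bytes moved by this event


@dataclass
class Baseline:
    hosts: set
    first_hour: int
    last_hour: int
    mean_bytes: float
    std_bytes: float


def build_baselines(events):
    """Learn each user's normal hosts, active hours and per-event volume."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    baselines = {}
    for user, evs in by_user.items():
        sizes = [e.nbytes for e in evs]
        hours = [e.ts.hour for e in evs]
        baselines[user] = Baseline(
            hosts={e.host for e in evs},
            first_hour=min(hours),
            last_hour=max(hours),
            mean_bytes=mean(sizes),
            std_bytes=pstdev(sizes),
        )
    return baselines


def deviations(e, b):
    """List the ways an event departs from the user's baseline."""
    reasons = []
    if e.host not in b.hosts:
        reasons.append("unknown host")
    if not b.first_hour <= e.ts.hour <= b.last_hour:
        reasons.append("off-hours")
    if e.nbytes > b.mean_bytes + 3 * b.std_bytes:   # assumed 3-sigma rule
        reasons.append("unusual volume")
    return reasons


# Hypothetical response names: a real deployment would map these to
# SOAR/EDR actions (notify an analyst, force re-authentication, isolate host).
RESPONSES = {1: "alert", 2: "require_reauth", 3: "isolate_host"}


def evaluate(events, baselines):
    """Score each event; a user with no baseline is itself worth an alert."""
    findings = []
    for e in events:
        b = baselines.get(e.user)
        if b is None:
            findings.append((e, ["no baseline"], "alert"))
            continue
        reasons = deviations(e, b)
        if reasons:
            findings.append((e, reasons, RESPONSES[len(reasons)]))
    return findings


def constructed_history():
    """Constructed sample: 20 working days of routine ~1 MB file reads by 'alice'."""
    hist = []
    for day in range(1, 21):
        for hour in (9, 11, 14, 16):
            hist.append(Event(datetime(2017, 6, day, hour), "alice",
                              "fs-01" if hour < 12 else "fs-02",
                              "file_read", 1_000_000 + day * hour * 37))
    return hist


def demo():
    """Constructed new events: one normal, then a phished-account / rogue-insider pattern."""
    baselines = build_baselines(constructed_history())
    new = [
        Event(datetime(2017, 7, 3, 10), "alice", "fs-01", "file_read", 1_005_000),
        Event(datetime(2017, 7, 3, 10), "alice", "fs-01", "file_copy", 900_000_000),
        Event(datetime(2017, 7, 4, 2, 30), "alice", "backup-srv", "login", 0),
        Event(datetime(2017, 7, 4, 3), "alice", "backup-srv", "file_copy", 900_000_000),
        Event(datetime(2017, 7, 4, 3), "mallory", "fs-01", "login", 0),
    ]
    return evaluate(new, baselines)


if __name__ == "__main__":
    for e, reasons, action in demo():
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.user:8} {e.host:11} "
              f"{', '.join(reasons):40} -> {action}")
```

The point of grading the response rather than alerting on every deviation is the one the paragraph makes: a single oddity (a large copy during working hours) is worth a look, while an unknown host at 03:00 moving hundreds of megabytes is the pattern of a phished account or a departing insider and justifies cutting the device off before the copy finishes.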
Insider threats are among the most significant issues for companies right now, because an insider's actions can be the gateway through which ransomware enters your systems. Worse, it can all happen under your supervision if you have no controls in place to prevent insider security incidents. With the convergence of ransomware, data peddling, and negligent insiders, the conditions are in place for a data breach in your organization. Right now is the time to take preventative action to protect yourself from ransomware and future insider threats.