Most media portray hackers as solitary and screenlit, attacking their targets from a distance. They thrive on anonymity and wield vague yet godlike power.
In 2015, the Emmy-winning first season of Mr. Robot shattered these conventions. Revolving around a hacking collective’s plan to breach the world’s largest corporation, Mr. Robot supplants the man-versus-machine myth with a more accurate—and unsettling—dynamic. To breach E Corp, characters must deliver viruses via CD-ROM, convert employees to their cause, and collaborate with counterparts across national borders. They must hack people as well as software.
In a 2016 report, IBM found that 60% of all recorded attacks occurred due to insiders.1 “The major sources of cyber threats aren’t technological,” Dante Disparte and Chris Furlow write in the Harvard Business Review. “They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris.”
Before you can address internal threats, you must identify them. Where do they come from?
We’ve listed seven internal vectors that could breach your organization. Note that ‘internal’ refers to the how of the breach, not necessarily the who. External attackers can impersonate or coerce even your most trusted employees.
Humans have an astounding capacity for error. Per NetDiligence, 10% of the breaches reported to insurance companies occur due to a staff mistake. The nature of that mistake varies. A traveling salesperson leaves his unlocked iPhone in a coffee shop. An accountant accidentally publishes a confidential database. You open an email. Seemingly innocent, one wrong click can cost your organization millions. Two percent of all cyberattacks—accounting for 80 million leaked records—attempt “to fool victims into opening malicious documents or clicking on links to malicious sites.” 2 Whether or not bad actors profit from your data, any leak will cost you the trust of customers, partners, and employees alike.
Many attacks will home in on specific staff members. ‘Whaling’ schemes have executives rightly worried. But according to Steve Durbin of the Information Security Forum, potential targets are “no longer restricted to the boardroom…Personal assistants, systems admin staff, pretty much anyone who has the ability to provide access to the determined cybercriminal on the hunt for valuable information are now in play.”
Eight percent of all breaches involve a rogue employee. The term ‘rogue’ has multiple meanings: it could be an individual terminated from employment but not from system access, or a disgruntled staffer whom criminals have converted to their agenda. Of the 60% of attacks that involve insiders, IBM (2016) identifies 44.5% as ‘malicious.’ HBR’s Marc von Zadelhoff frames these as “trusted but witting insiders,” some of whom “just have a vendetta against the organization.”
A OneLogin survey of IT decision-makers found that 48% know of a former employee who still has access to corporate applications. More concerning, 20% said that ex-employee access had resulted in a data breach.
Although technically ‘malicious,’ one motive for rogue action deserves separate consideration: the pursuit of personal gain. Verizon’s 2017 Data Breach Investigations Report relays that of malicious insiders, fully 60% misuse data because they expect to profit from it “somewhere down the line.” 3 This category of malice often escapes detection until long after an employee’s departure from your company.
Don’t underestimate the power of one bad apple. Research conducted by Drs. Stephen Dimmock and William Gerken indicates that “even your most honest employees become more likely to commit misconduct if they work alongside a dishonest individual.”
Ransomware targets individuals and corporations alike, encrypting user data and demanding payment for its return. Compiling insurance data from 2014 to 2017, NetDiligence observes that ransomware costs the average company $65,000.
In its most common form, ransomware angles for profit. But extortionist schemes could have much more serious goals. Perpetrators could require a targeted employee, perhaps one concealing illicit behavior, to abet a future breach or obtain privileged information. They could turn a trusted employee into a witting but unwilling traitor.
The internet separates physical from digital identity. Herein lies the peculiar power of cybercrime: access is based on virtual credentials rather than physical presence. Cybercriminals can strike under a pseudonym, but they can also assume stolen identities—including those of privileged employees. Zadelhoff describes this vector as “a wolf in the clothing of John from accounting” and warns of hackers’ ability to “increase a hacked user’s access within a system.” Verizon’s report classifies stolen credentials as an external threat vector and ranks them among the top three most-detected vulnerabilities across industries.4
The distinction between internal and external threats often fails to account for third parties, who may have high levels of network access. Disparte and Furlow lament that few organizations think to interrogate their partners, including “contractors, consultants, and vendors in their supply chains.” They point out that hackers used third parties to breach both Target and Home Depot, breaches that cost millions of customers their identities and the organizations many billions in revenue.
‘Planted’ agents are one of the most sensitive yet least quantifiable elements on this list. An individual applies for employment at your company, whether as a janitor or a database technician. Unbeknownst to you, they come under false pretenses, actually intending to ferry data from your organization to an unknown party, to a competitor or a nation-state. They impersonate no one and may harbor no malice toward their employer. But they do pose a significant threat, if only because the level of dedication usually indicates the value of the planned haul.
So how can your organization mitigate these threats?
HBR’s Zadelhoff advocates applying “deep analytics and AI” to staff behavior. Know who has access to what and monitor them accordingly. Keep in mind that this may require clearly communicated policies, especially in light of legal protections the U.S. extends to employees. You may also find it valuable to condense your cloud usage. A single source of truth like a unified ERP system can eliminate duplicate apps and provide answers about who did what when.
Yet in some cases, you may be able to do more than merely mitigate. As Jim Collins writes in his seminal work Good to Great, “People are not your most important asset. The right people are.” 5 Collins’ research identified smart hiring as one of five key differences between mediocre firms and true successes. Rigorously scrutinize every candidate and every partner before making any hiring or contracting decisions. Train employees to notice discrepancies and practice secure travel habits. Adopt two-factor authentication. Set internal controls.
Of course, you can never rid your organization of internal risks. But by trusting and verifying, you can preempt the most devastating betrayals.
1 IBM, X-Force 2016 Cybersecurity Intelligence Index.
2 IBM, X-Force Threat Intelligence Index 2017, p. 14.
3 Verizon, 2017 Data Breach Investigations Report, p. 48.
4 Verizon, 2017 Data Breach Investigations Report.
5 Jim Collins, Good to Great: Why Some Companies Make the Leap…and Others Don’t, p. 51.