
The Insider Threat Related to Cybercrime 

By Joseph J. Pangaro, CPM, CSO
 

Cybercrime is on the rise. Every organization, business, or individual that has a computer, smartphone, or any other web-connected device, or that keeps information, data, trade secrets, bank accounts, or intellectual property in a digital file anywhere in the world, can be a victim of cybercrime. 

Cybercrime is a huge area of concern. It is theft carried out through digital assets such as computers and networks. The thieves range from very sophisticated to very basic and everything in between. The world is, unfortunately, full of potential victims just waiting to be scammed, tricked, or fooled into a vulnerable position that the criminals can take advantage of. Corporate victims are just as likely to fall prey to a cybercrime, and for them it can be very costly indeed. 

In the USA alone there are thousands of companies that are neither prepared for nor protected from the threats that can strike them. One of the most dangerous threats is the “Insider Threat”: a person in your organization who, either purposefully or unwittingly, opens your systems to the criminals.  

The Insider Threat can be a person in your company who innocently answers a phishing email, or falls for the newer vishing scam (voice phishing, carried out over a phone call), and so provides the cybercriminal with access to your systems, files, customer data, trade secrets, financial assets, or anything else you store digitally. It can also be an employee who purposefully sells your information, or access to your data, for a host of reasons including anger, jealousy, revenge, or profit. In short, it can be anyone.    

As you can imagine, the cost to companies runs to many millions of dollars every year; in fact, the average cost to a small business is $58K a year, and larger companies can lose millions. 

And while corporations and small businesses are major targets of cybercrime, other organizations can also find themselves victimized: schools, religious organizations, and medical entities all suffer tremendous financial losses from cybercrime attacks every year.  

Once we grasp the scope of this problem, the risk comes into focus. According to a report from NWAJtech.com, 76% of all businesses were attacked last year, and the real number is probably higher, since many victims don’t report attacks. This statistic is staggering and makes it clear that you and your company could be next, if you aren’t already caught up in it. 

Why isn’t every company prepared to prevent and deter Cybercrime? 

Unfortunately, as with many areas of security preparation, many companies don’t see or truly understand the need for a cybersecurity program. They often say it will never happen to them, or that they cannot justify the cost of developing and implementing a proper cybersecurity program. This kind of thinking can be, and is, very costly to companies everywhere.  

I would strongly suggest you discuss this with your team and, at the very least, have a cybersecurity threat assessment conducted at your company, so that you understand the real vulnerabilities you have.  

At this point I hope you can see that you are vulnerable, that you can be hurt very badly by cybercrime, and that you need to do something about it. The next consideration hits a little closer to home: being victimized by someone in your own company, an insider threat.    

So, who in your organization can be an insider threat? 

We see some commonalities among insider threats. They can be disgruntled employees, angry with the company over real or imagined slights. They can feel cheated or not valued, or believe they are being used by the company and not properly compensated. Some act out of revenge, to get back at a supervisor or owner. There is money to be made in corporate espionage as well: selling trade secrets or company plans can be valuable to competitors and lucrative for the insider. Some individuals do it just for fun, to see if they can hack your systems, and some look to profit directly through blackmail or ransom schemes against their employer.       

Lessons learned from previous attacks tell us clearly that anyone with access to your systems is a potential insider threat. To combat this threat, companies have to be aware of the potential and develop appropriate policies, procedures, and protocols to fight a criminal enterprise that sees your company as fair game. 

So, what can companies do to protect themselves?    

Develop solid policies, procedures, and protocols for all use of company and personal equipment, as well as for access to company systems and data, and ensure passwords are protected. You should also consider these actions:     

  • Develop a data classification and handling plan and apply data loss prevention measures to high-risk data. 
  • Provide all employees, contractors, interns, or anyone else with legitimate access to your systems with training about phishing, vishing, and ransomware attacks.  
  • Develop a remote workers policy for accessing data and company systems, and provide training that makes the cybersecurity concerns very clear, as well as a way for employees to report concerns.
  • Conduct thorough background checks on employees, especially people who require access to sensitive data. 
  • Develop strict data access control protocols, so that employees only have access to the information they need.  
  • Develop a “sign off” policy for employee access: let employees know that all network activity is logged and monitored, and have them acknowledge that user accounts and permissions are only for company-related business. Set penalties for violations.  
  • Develop strong internal network and system access permissions for all employees. Job need should determine what an employee has access to, and access should be limited to exactly that.   
  • Develop a very strong “Personal Device” policy and make sure that every employee knows the rules and limitations for using their own devices, as well as what you consider appropriate work activity. Consider providing a company-owned device for at-home or remote workers.   
  • Develop password policies and user account privileges. Routinely monitor employee accounts and access. Make sure that all employee accounts and access are cancelled when an employee leaves your organization, and consider timing the cancellation to take effect before they leave, to prevent last-minute thefts or violations.   
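Two of the items above, limiting access to job need and cancelling accounts when people leave, can be checked routinely rather than only written into policy. The following Python script is an added example, not code from the article or from True Security Design: it reconciles a directory export of accounts against an HR roster and flags enabled accounts whose owner has left or is unknown to HR, plus group memberships that go beyond what the owner's role needs. Every employee id, username, role, group name and date in it is constructed sample data, and the role-to-entitlement map is an assumed baseline that a real deployment would take from its own access model.

```python
"""Periodic account and access review (added example; not the article's own code).

Reconciles a directory export against an HR roster to surface two insider-threat
conditions: accounts that outlive an employee's departure, and entitlements
beyond what the job needs. All records below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    role: str
    terminated: Optional[date] = None   # None means still employed


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                 # HR employee id the account belongs to
    enabled: bool
    groups: frozenset[str]     # group / entitlement memberships


# Constructed HR roster: employee id -> role and termination date, if any.
HR_ROSTER = {
    "e1001": Employee("accounts-payable"),
    "e1002": Employee("sales"),
    "e1003": Employee("engineer", terminated=date(2024, 3, 15)),
    "e1004": Employee("engineer"),
}

# Assumed role baselines: what each job legitimately needs (the "job need" rule).
ROLE_ENTITLEMENTS = {
    "accounts-payable": frozenset({"email", "erp-ap"}),
    "sales": frozenset({"email", "crm"}),
    "engineer": frozenset({"email", "source-repo", "ci"}),
}

# Constructed directory export, as it might come from an LDAP/AD dump.
DIRECTORY = [
    Account("jdoe", "e1001", True, frozenset({"email", "erp-ap"})),
    Account("asmith", "e1002", True, frozenset({"email", "crm", "erp-ap"})),  # erp-ap not needed by sales
    Account("bwong", "e1003", True, frozenset({"email", "source-repo"})),     # owner left on 2024-03-15
    Account("cli-bot", "svc-9", True, frozenset({"ci"})),                      # no HR owner at all
    Account("dlee", "e1004", True, frozenset({"email", "source-repo", "ci"})),
]


def find_orphaned_accounts(directory, roster, today):
    """Enabled accounts whose owner has left or is unknown to HR.

    Returns a list of (username, reason) so the review has something to act on.
    """
    findings = []
    for acct in directory:
        if not acct.enabled:
            continue
        emp = roster.get(acct.owner)
        if emp is None:
            findings.append((acct.username, "no matching HR record"))
        elif emp.terminated is not None and emp.terminated <= today:
            days = (today - emp.terminated).days
            findings.append((acct.username, f"owner terminated {days} days ago"))
    return findings


def find_excess_entitlements(directory, roster, role_entitlements):
    """Group memberships beyond the owner's role baseline (least-privilege drift).

    Returns {username: sorted list of excess groups}. Accounts with no HR owner
    are skipped here because they are already reported as orphaned.
    """
    excess = {}
    for acct in directory:
        emp = roster.get(acct.owner)
        if emp is None:
            continue
        allowed = role_entitlements.get(emp.role, frozenset())
        extra = acct.groups - allowed
        if extra:
            excess[acct.username] = sorted(extra)
    return excess


def access_review(directory=DIRECTORY, roster=HR_ROSTER,
                  role_entitlements=ROLE_ENTITLEMENTS, today=date(2024, 4, 1)):
    """Run both checks and return one report dict for the reviewer."""
    return {
        "orphaned": find_orphaned_accounts(directory, roster, today),
        "excess": find_excess_entitlements(directory, roster, role_entitlements),
    }


if __name__ == "__main__":
    report = access_review()
    for user, reason in report["orphaned"]:
        print(f"DISABLE  {user}: {reason}")
    for user, groups in report["excess"].items():
        print(f"REVIEW   {user}: not required by role -> {', '.join(groups)}")
```

Run on a schedule against a fresh HR export and directory dump, the orphaned list is the queue for immediate disablement and the excess list is the queue for the access review the checklist asks for; a service account with no HR owner shows up as orphaned on purpose, because an account nobody is accountable for is exactly what an insider or an outside attacker looks for.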

In a modern digital world, where the very survival of our companies depends on creating a secure environment for our data, information, trade secrets, and financial assets, we must take the threat of cybercrime and insider threats very seriously, and we must act now, today, to protect ourselves. 

The next cyber attack is only a keystroke, phishing scam, vishing scam, or insider attack away from seriously damaging your organization or destroying your business.          

If you have any questions or concerns about Cybersecurity threats you face or for training for your staff, contact me at Info@TrueSecurityDesign.com  

-Lt. Joseph Pangaro  

 

References:  

* https://smallbiztrends.com/2019/07/phishing-statistics.html 
* https://www.nwajtech.com/11-steps-to-mitigate-the-risk-of-phishing-attacks/ 
