Internal cyber attacks against companies are an increasing threat that costs tens of billions of dollars a year worldwide, can destroy companies, and sink the careers of many senior executives, warns an Oxford study.
Conducted by Professor David Upton of Saïd Business School and Professor Sadie Creese of Oxford’s Global Cyber Security Capacity Centre, the study found that while many organisations are intensifying their defences against external attack, these widely used safeguards are often ineffective against attacks involving insiders.
Such attacks from insiders, be they from employees, suppliers, or other companies legitimately connected to a company’s computer system, pose a more pernicious threat than external attacks.
Cyber attacks on corporations are on the increase. The 2013 cyber attack on Target, in which Russian thieves compromised point-of-sale information, affected 70 million customers and left the company with a potential loss of US$420 million; it made headline news.
What is less well known, however, is that this attack came through an unwitting vendor who had authorized access to Target's computers, and as such was an insider in its ecosystem.
Over the past two years Professor Upton and Professor Creese have led an international research project whose goal is to provide a significant step change in insider threat prevention and detection so that companies can be better protected.
The study found that many managers were ignorant of the threat of insider attacks and of the risks they posed from fraud, sabotage, intellectual property theft, and corporate terrorism.
The key to reducing their vulnerability, they say, is to adopt the same approach companies applied to improve quality and safety at the end of the last decade.
Steps to reduce risks
The professors recommend removing the reliance on the IT team and making it everyone’s responsibility to ensure critical assets are protected.
They also propose five steps that managers should implement immediately to reduce the risks, namely: adopting a robust insider policy; raising awareness; looking out for threats when hiring; employing rigorous subcontracting processes; and monitoring employees.
"We have burglar alarms installed to prevent people breaking into our houses," says Professor Upton. "But it’s the people we let through the door that are the problem. It’s the same for organizations. The principles used to defend against external threats just don’t work with insiders."
Upton adds that in recent years businesses have been letting more people into their houses – be it through the use of cloud services, Google Drive, employees bringing their own devices to work, or through the proliferation of social media and the use of big data.
Though these people may have legitimate access to an organisation's cyber-assets, the scope for them to exploit this access, or to be exploited themselves, is hugely increased, Upton said.
"We found wide-scale global ignorance of the nature of the threat organizations face from internal attack, leaving corporate assets vulnerable, jobs and bonuses insecure, and reputations at risk," adds Professor Creese.