While most IT security efforts are focused on preventing leaks, hacks and cyberattacks from the outside, the real threat to companies may be far closer to home


In one of the many flashpoints in the recent US presidential election campaign, the Democratic National Committee – the Democratic Party’s governing body – suffered an attack from unknown hackers. In total, 19 252 private emails and 8 034 sensitive attachments were leaked and published on the notorious WikiLeaks site. While a hacker going by the name Guccifer 2.0, who claimed to be Romanian, took credit for the attack, many within the Democratic Party suspected Russian intelligence groups.

Rival Republican candidate Donald Trump was quick to dismiss that. ‘It could be Russia,’ he shrugged during the first general election debate. ‘But it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed who weighs 400 pounds.’

Therein lies the problem with hacking: it’s virtually impossible to tell who’s behind an attack – no matter what Guccifer 2.0 tells you. Blame Russia, blame China, blame WikiLeaks… The cold, hard truth is that the hacker behind the attack on your (or your company’s) private data could be someone you know all too well.

It was, in a sense, inevitable that hacking would play a role in the US presidential race. Hacks, leaks and cyberattacks have been a feature of news reports for the past decade, with virtually no major organisation left unharmed. In 2013, 150 million Adobe customers had their information stolen, while Adobe itself lost the source code for many of its programs. In 2015, Ashley Madison (the extramarital affairs dating site) lost many gigabytes of data, including highly sensitive user information. In 2016, an astounding 3.2 million debit cards were compromised in an attack on India’s major banks. Google. Gawker. Yahoo. MasterCard. Visa. Sony Pictures Entertainment. The list goes on and on.


Barely a month after that first presidential debate, millions of US internet users lost access to some of the world’s most popular websites as hackers bombarded and crashed servers on the East Coast. This time, the attackers did not break into the targets at all: they hijacked large numbers of poorly secured internet-connected household devices and used them to flood the servers with traffic. ‘The joke about the internet of things was that you were going to get people hijacking people’s connected fridges to conduct these attacks, but in these recent cases the culprit seems to be webcams,’ Dave Palmer, director of technology at cybersecurity firm Darktrace, told Bloomberg News.

So that answers the question of how the hackers got in. But the bigger question is how hackers are getting data out of your company. In its 2015 Grand Theft Data report, global IT security firm McAfee wrote: ‘Most security studies and statistics focus on infiltration – how attackers are getting past security defences and into the network. That part of the attack is more visible, compromising machines and triggering events and alarms in the security operations centre. Until now, there has been very little information available on the less visible act of data exfiltration: how attackers are removing data. Whether you see it or not, data exfiltration is a real risk for most organisations.’

In its wide-reaching global survey (representing 1 155 organisations around the world), McAfee found that nearly half of serious data breach incidents are perpetrated by ‘internal actors’. In other words, it’s an inside job.


Morrisons could tell you all about that. In March 2014, the British supermarket saw the personal details of its entire 100 000-strong workforce published online – including payroll data. Information about staff salaries, bank details and national insurance numbers was sent to several newspapers and posted on data-sharing websites. The data breach would ultimately cost the beleaguered company more than £2 million to rectify.

‘Initial investigations suggest that this theft was not the result of an external penetration of our systems,’ Morrisons said in a statement. And they were right – a year later, the culprit was found and jailed for eight years.

It wasn’t a Russian spy or a Chinese secret agent, or even an overweight dude sitting on his bed. It was, it turned out, a 43-year-old former employee named Andrew Skelton.

While working at Morrisons as a senior IT auditor, Skelton was disciplined (incorrectly, as it happens) for receiving packages at the company’s head office in Bradford. The company initially believed that one of the packages contained drugs, but the truth was that Skelton was simply buying and selling goods on eBay. It was a misunderstanding but Skelton was furious. He quit his job, writing in his resignation letter: ‘I have almost as little concern for the company as it does for me.’ Days later, he used his insider knowledge to execute the attack.

‘Spotting cybersecurity incidents arising from within a company can be particularly tricky because the perpetrator may have legitimate access – and in this case, they did,’ Luke Brown, vice-president/GM (Europe, Middle East, Africa, India and LATAM) at security firm Digital Guardian told ITPortal.

‘It’s the classic Trojan Horse scenario. There are numerous technologies out there designed to spot insider threats, and small investments can go a long way.

‘Deploying data-aware cybersecurity solutions removes the risk factor associated with disgruntled employees and insider threats because even if someone has access to the data, they are prevented from copying, moving or deleting it without approval.’


Bear in mind the fact that millennials consider it completely normal to change jobs four times before the age of 32, with a notable minority now having more than one employer at a time. That generation – born roughly between 1980 and 1996 – today makes up an increasingly large part of the workforce. As those millennials hop from job to job, they take their mobile devices with them and (thanks to the bring-your-own-device trend) those smartphones and tablets are being used to connect to social media, download apps with security flaws, visit malware-infested websites and generally put their employers’ data at risk.

Morrisons had one well-placed disgruntled former employee and paid a massive price. But according to a 2015 survey by UK cybersecurity firm Clearswift, even the happiest of employees could pose a risk. Their survey found that 35% of employees would sell information on company patents, financial records and customer credit card details if the price was right.

After polling more than 500 IT decision-makers and 4 000 employees in Europe, Australia and the US, Clearswift was even able to pinpoint that exact ‘right’ price. ‘While people are generally taking security more seriously – 65% of employees said they wouldn’t sell data for any price – there is still a significant group of people who are willing to profit from selling something that doesn’t belong to them,’ Clearswift CEO Heath Davies said in a statement. ‘This information can be worth millions of dollars.

‘A case in point of the true value of data is the recent Ashley Madison hack, where user data was accessed by a member of their extended enterprise – part of their technical services team – according to the site’s CEO, the effects of which have been monumental. The site announced earlier this year that it hoped to raise $200 million in an initial public offering this year [2015] and it may have lost out on this opportunity, reducing the value of its entire business.’

So what can companies do? ‘With inside actors responsible for such a significant percentage of data loss, and half of that accidental, simple dynamic feedback can have a significant impact,’ McAfee’s report recommends. ‘For example, pop-up messages that let employees know a copy of their message is going to their manager and the security operations centre due to the content sensitivity can quickly and effectively reduce risky behaviour.’
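The ‘dynamic feedback’ McAfee describes is usually implemented as a content-aware check on outbound messages: scan the text for sensitive identifiers, then either warn the sender that a copy is going to their manager and the security operations centre, or block the message outright. The script below is an added example of that logic, written for this article; it is not McAfee’s, Digital Guardian’s or Morrisons’ code. It looks for the kinds of data that were taken in the Morrisons breach (UK national insurance numbers and bank details) plus payment card numbers verified with a Luhn check, and treats a message as an export attempt when it carries several identifiers at once. The corporate domain `example.com`, the thresholds and the three sample messages are all assumptions constructed for the example.

```python
"""Content-aware outbound-mail check with sender feedback (added example)."""
import re

# Assumed corporate domain; any other recipient domain counts as external.
INTERNAL_DOMAIN = "example.com"
# Assumed threshold: this many identifiers in one message looks like a bulk export.
BULK_THRESHOLD = 5

# UK National Insurance number: two letters (restricted sets), six digits,
# suffix A-D, with optional spaces between groups (e.g. AB 12 34 56 C).
NI_RE = re.compile(
    r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
# UK sort code followed by an eight-digit account number (e.g. 40-47-84 12345678).
BANK_RE = re.compile(r"\b\d{2}-\d{2}-\d{2} \d{8}\b")
# 13-19 digits with optional spaces or dashes; only kept if the Luhn check passes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 4 else d * 2  # d*2, minus 9 if it exceeds 9
        total += d
    return total % 10 == 0


def scan(text: str) -> dict:
    """Return distinct sensitive identifiers found in text, grouped by type."""
    findings = {"ni_number": [], "bank_account": [], "card_number": []}
    for key, rx in (("ni_number", NI_RE), ("bank_account", BANK_RE)):
        for m in rx.finditer(text):
            if m.group() not in findings[key]:
                findings[key].append(m.group())
        # Redact what we already matched so the card regex cannot re-match
        # the digits of a sort code and account number.
        text = rx.sub("<redacted>", text)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits) \
                and digits not in findings["card_number"]:
            findings["card_number"].append(digits)
    return findings


def decide(findings: dict, recipient: str) -> tuple:
    """Map findings plus recipient to (action, message shown to the sender)."""
    count = sum(len(v) for v in findings.values())
    if count == 0:
        return "allow", ""
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    summary = ", ".join(f"{len(v)} {k}" for k, v in findings.items() if v)
    if external or count >= BULK_THRESHOLD:
        return "block", (f"Blocked: {summary} in a message to {recipient}. "
                         "A copy has been sent to your manager and the "
                         "security operations centre.")
    return "warn", (f"Warning: {summary} detected. A copy of this message is "
                    "being sent to your manager and the security operations "
                    "centre because of its content.")


# Constructed sample messages (not real people, accounts or cards).
PAYROLL_LEAK = """Subject: payroll extract
Smith, J  NI AB123456C  sort/acct 40-47-84 12345678  salary 31200
Jones, M  NI JG 10 12 12 A  sort/acct 20-00-00 87654321  salary 28950
Patel, R  NI MW 45 67 89 B  sort/acct 60-83-71 11223344  salary 40100
"""
CARD_NOTE = ("Hi Sam, the customer's card is 4111 1111 1111 1111, exp 09/27 "
             "- can you process the refund?")
CLEAN = "Order reference 1234 5678 9012 3456 has shipped, invoice attached."

if __name__ == "__main__":
    for label, text, to in (("payroll", PAYROLL_LEAK, "hr@example.com"),
                            ("card", CARD_NOTE, "sam@example.com"),
                            ("clean", CLEAN, "partner@other.example")):
        action, msg = decide(scan(text), to)
        print(f"{label:8} -> {action}: {msg}")
```

The Luhn step matters: without it the ‘clean’ order reference would be flagged as a card number and the pop-ups would quickly be ignored as noise. The bulk threshold is what catches the Morrisons pattern, where the sender has legitimate access and the recipient may even be internal; the volume, not the individual record, is the signal.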

McAfee also suggests focusing on basic security practices, such as employee training and awareness. ‘Those with more experience realise that poor user security practices are still the biggest single threat to enterprises,’ it states.

Of course, if that doesn’t work, you could try asking your younger employees to leave their mobile phones at home or keeping your senior staff from turning into disgruntled ex-employees.

By Mark van Dijk
Image: Mr.Xerty ©