Heading into September, it’s hard not to see certain recurring themes in this year’s data breaches. Over and over again, the same terms keep coming up: insider attacks and cyber extortion. Some, like the enormously visible Ashley Madison hack, even have elements of both. So when Gartner analyst Avivah Litan said in a recent interview that she defines insider threats and cyber extortion as the top two cyber threats of the past year, we weren’t totally surprised.
Cyber extortion is probably the hottest trend of 2015…They’ll get malware on the network, then they’ll lock up various files that contain sensitive information, they’ll extract the information from these files and then they’ll threaten to publish it or conduct a denial of service attack against the bank…The second big issue out there is that there’s insiders at all kinds of companies — banks, retailers, airlines — that are operating as free agents. Sometimes they’ll purposely get a job at one of these companies just to promote their business in the dark web.
Even though it isn’t surprising, hearing this confirmed is disheartening. Everyone is talking about it, and rightfully so. These threats are intimidating, and they’ve been such a big topic in the news over the past year (and beyond!) that the attacks are impossible to ignore. Kreditech, Adult Friend Finder, Morrisons, and JPMorgan are just a few victims of these kinds of data breaches.
We could go on to tell you about how the results of these breaches are potentially catastrophic, how some businesses never recover, or how many don’t even know they’re being attacked until it’s too late. But you already know all of those things, because they’ve been the focal point of conversation. You know what the risks are and you know how devastating an insider or extortionist attack can be. So, let’s move on to the more important, yet far more neglected, part of the conversation:
Let’s talk about what you can do about it.
First of all, it’s important to recognize that a levelheaded approach is just as important as recognizing risk. Lots of enterprise executives hear these statistics, see these horror stories, and immediately turn to lockdowns and intense employee scrutiny. Though this may be tempting, it just isn’t the answer. This kind of approach makes employees miserable and unproductive. Remember that although threat-prevention is critical, it does come second to an enterprise’s overall success and productivity. Treating one at the cost of the other is a recipe for disaster.
Instead, focus on rational ways of reducing your risk without impacting your overall company culture. Knowledge can go a long way. For example, take the Ashley Madison case. Since the story broke, there has been constant speculation as to who is responsible for the breach. When was the information stolen? How? By whom? These are all questions that Ashley Madison is unable to answer. As a result, their hands are tied.
Once you introduce knowledge more specifically, endpoint visibility and user behavior analytics into the equation, that changes the story. Visibility gives you the power to level the playing field. By being aware of suspicious changes of behavior among your employees and knowing which files are accessed, you get a jump start on any criminal activity. Just as importantly, you then have a clear timeline of what happened and who was responsible if a breach does happen.
The keys to effectively fighting these kinds of threats are knowledge and precision. Though protecting yourself from threats is obviously a top priority, enterprises also have a responsibility to their employees to implement that protection in the least obtrusive way possible. Just because something is an extreme solution doesn’t mean that it’s actually most effective, neither from a security nor a business perspective.
– Mohan Koo, Dtex Systems Founder/CEO
Remember to differentiate, however, between knowledge and Orwellian surveillance. Again, the key to fighting these threats is to stay calm and focus on deploying manageable, unobtrusive solutions. Intrusive employee monitoring can very quickly cause the same effects as oppressive lockdowns, which end up doing more harm than good. Respect employee privacy and focus on collecting the data that matters, not logging every click and keystroke. Not only is that method horrible for team morale, it’s ineffective. Swimming in millions of useless log records won’t help you. Targeting specific instances of suspicious activity will.
With new stories of insider attacks and extortionist breaches cropping up left and right, it’s hard not to get swept away. After all, lots of companies have dearly paid the price for not paying close enough attention. It’s critical, however, to make sure you don’t conflate “effective” with drastic. There’s no need to use a hatchet when a scalpel is more effective, less invasive, and less damaging. Most importantly, remember not to sacrifice the overall good of your enterprise in favor of tighter security. The absolute best way to fight any kind of threat, internal or external, is to keep a level head. The minute these attackers drive you to extreme measures, they’ve already won.
Ready to trade in your hatchet for a scalpel and create a security system that’s smart about data? Dtex can help.