What are internal cyber security threats?
Shockingly, around 22% of cyber security incidents are caused by internal threats. However, companies too often neglect to consider the risk of internal threats, even though they can result in critical data breaches.
Internal cyber security threats are threats posed by individuals who originate from within an organisation itself. They can be current employees, former employees, external contractors or vendors: essentially anyone who has access to company devices or data. This form of data breach involves an internal attacker accessing sensitive company information with malicious intent. Attackers can include both current and former employees.
There are many forms of data misuse by individuals that can pose a threat to organisations. They often rely on a user having access to networks and assets to disclose, modify and delete sensitive information. Some of this information could include:
- The organisation's security practices
- Login credentials
- Customer & employee data
- Financial records
Due to the nature of internal cyber security threats, traditional preventative security measures are often rendered ineffective.
Why do people carry out internal security attacks?
Malicious activity
Individuals that pose a threat to an organisation may have very different goals from external cybercriminals. The main motivations of internal threats include:
Fraud: The theft, modification or destruction of company data with the goal of deception.
Espionage: Stealing information for another organisation (generally a competitor).
Sabotage: The use of legitimate access to a company’s network/assets to damage or destroy the company’s functionality.
Intellectual Property Theft: The theft of a company’s intellectual property, with the intention of either selling or utilising the property.
Revenge: Employees who have been fired or otherwise made unemployed by a company may seek to damage the company’s reputation by accessing sensitive information.
Negligent practices
It’s important to note that not all internal threats are carried out by malicious parties. Many times internal threats arise from employees who unintentionally or carelessly expose sensitive company information. This is why employee training and education are critical in combating the risk of data breaches.
There are numerous ways in which employees can inadvertently contribute to data breaches:
Phishing or social engineering victims: Phishing involves an attacker sending fake communications to an employee, usually posing as a legitimate company. The user is then persuaded to supply credentials or details, either through a fake login page or directly. By releasing sensitive credentials or data, users can inadvertently give third-party criminals access to private systems.
Using unauthorised devices: The use of unauthorised devices can pose a huge risk for security teams, especially given the difficulty in monitoring them. USB sticks are an example of a seemingly harmless device that employees might not consider to be a breach of security. However, an infected USB drive can provide remote access to third-party hackers, who can then attempt to access sensitive company data.
Using unauthorised software: As with unauthorised devices, employees may choose to use third-party software for legitimate business purposes. The threat arises from illegitimate or pirated software, which can include malware and backdoors that allow attackers access.
Loss of company devices: The loss of unsecured/unencrypted company hardware is an extremely common cause of data leaks. Heathrow Airport was fined £120,000 for “Serious” data protection failings when an employee lost an unencrypted USB storage device containing highly sensitive information.
Improper Access Control: Managing access control is vital in combatting insider threats. Whether it’s managing internal users’ access, third-party access or revoking ex-employees’ access, managing access is critical. The process of managing access control can easily be overlooked but can cause huge issues if incorrectly implemented.