The Ascertus Security Thought Leadership Series
Security Awareness and Training on ‘Accidental’ Risks Key to Minimising Insider Threat
Insider threat is growing, especially as law firms increasingly adopt newer digital technologies to conduct business. According to the Ponemon Institute, two out of three insider threat incidents occur by accident.The most common cause of insider threat is employees clicking on phishing emails because they are unable to recognise whether that email is from a genuine source. The other major culprit is employees’ own devices that they bring to work. When firms allow staff to bring their own devices to work and connect to the network, then the security is only as strong as the software on those personal devices. If a device has malicious software on it, then the firm’s entire network could be compromised. The same applies to removable devices like memory and USB sticks. Often employees will use USB sticks that are lying around in the office and without knowing where they have come from, some of them could be spurious.
This said, the definition of ‘insiders’ goes beyond employees. For instance, a bonafide visitor to the firm connecting to the Wi-Fi network would pose risks to the firm, if the device being used is infected. From a physical security standpoint too, insider threat may come from service providers to the business such as cleaning staff, couriers and so on.
Here are some measures for firms to consider to mitigate insider threat:
1. Training – In addition to security awareness training, firms need to provide training that specially addresses ‘accidental’ security threats. Furthermore, training needs to be personal so that they understand the security implications to them, both at work and outside. This is important in today’s environment where people are increasingly working remotely or when on the move. For example, losing critical business data could be akin to an individual losing precious family photos that they might never get back. This approach, where by parallels are drawn of the implications of a breach between work and personal life, will lead to the much-needed cultural and behavioural change towards cyber security.
2. Mobile working policy – Routinely, lawyers on the move send emails and documents from airports and coffee shops using free Wi-Fi connections, which are not encrypted to a significant level. A cyber criminal could potentially use applications such as Pineapple to steal data from public Wi-Fi networks. Firm policy should be clear – employees must only use VPN or 4G connection to access and send sensitive data when working from out of the office. No using free Wi-Fi!
3. BYOD policy – Any personal device that is used must always be updated with the latest software so that when it connects to the firm’s network, the tool doesn’t compromise its security.
4. Password policy – A secure password policy is essential. Additionally, if the firm’s password policy is to change the password every month, it becomes difficult for staff to remember it, in which case they start writing it down, which then becomes a vulnerability. Mandatory password changes should be reduced to 6-12 months. Also, firms should move away from single passwords (the national guideline is ‘three random words’) and towards two-factor or multi-factor authentication such as password + token, card, biometrics and so on.
5. Back-up data and test – Multiple backs up of data is critical. Firms may back-up to the cloud, but there must also be hard copy of the same. Often organisations run back-ups, but never test it. So, when there’s an issue, they find that the data is corrupted. Regular testing of backed-up data must be an intrinsic part of firms’ cyber security regimen.
Finally, it’s worth pointing out that security measures must never be used as a disciplinary tool – it’s a mistake that many firms make. Security today demands a mindset change among people for it to be effective. Involving staff in security policy development and ensuring they understand the implications of their actions, both for the firm and them personally, is a better and more effective approach.
About Shelton Newsham
Shelton Newsham is a manager and lead at the Yorkshire and Humber Regional Cyber Crime Team, advising public and private sector and individuals (including at Board level) on threat mitigation. He is a Certified ISO 27001 ISMS Lead Implementer, ISMS 27001 Auditor, Certified in information Security Management Principles (CISMP), ISO 22301 BCMS Lead implementer and Certificate of the Business continuity institute (CBCI). With over 17 Years’ experience in law enforcement, Shelton has extensive experience in incident response, critical incident management, intelligence assessments, threats to life, incident investigation, safeguarding the vulnerable, public order, and large-scale operations, working at a strategic level.