The COVID-19 pandemic has seen more employees working from home than ever before – but what would you do if malicious workers decided to steal data because nobody is watching them at home?
A surge in attacks by opportunistic insiders is just one possible scenario that Charles White, a former US Army human-intelligence officer, believes could emerge as massive changes in working patterns, exacerbated by increasing financial stress, drive some employees to consider data theft that they never thought they could get away with before.
“Change causes people to do different things,” White told Information Age, “and it can start with something as simple as trying to go to a website that they shouldn’t go to, and not getting blocked.”
Simple curiosity often turns into something far more problematic as some employees push the boundaries – often egged on by malicious outsiders offering money, or by baser motives like curiosity or revenge.
With passwords to privileged-user accounts providing unfettered access to valuable corporate systems, the risks of conventional ‘keys-to-the-kingdom’ security have never been higher.
Once they sign on, staff – as well as trusted supply-chain partners, contractors, and service providers – can easily copy valuable corporate intellectual property, steal sensitive operational and financial data, or even launch ransomware attacks that can shut down the business.
The biggest risk isn’t where you think it is
Insider threats have become more common in recent years, with Verizon’s Data Breach Investigations Report (DBIR) noting that insiders’ share of attacks increased from 25 per cent in 2016 to 34 per cent in 2018.
The newly released DBIR 2020 pegs the figure at 30 per cent of all breaches during 2019, down slightly from the previous year.
However, with COVID-19 work-from-home mandates pushing IT staff to protect millions of at-home workers, White believes the current situation could be the catalyst for another surge in opportunistic insider attacks.
Remote workers “can get a sense of invulnerability due to the perception that their systems are more vulnerable,” explains White, who now serves as chief technology officer with data-encryption firm Fornetix.
“A disgruntled someone who might previously have written nastygrams on the glass door, now may feel they can get away with it, because security staff are so concerned about keeping things running that they’re not paying attention to what’s happening on the backside.”
As hackers traipse their way into organisations like government agencies, utilities, and transport giants, external cyber threats get the most headlines.
Yet fully 68 per cent of respondents to a recent Cybersecurity Insiders survey said they feel vulnerable to insider attacks, with 63 per cent nominating privileged users as the biggest insider risk to their organisations.
Similarly, a recent Newsweek Vantage survey found that executives believe employees are a bigger threat than even cybercriminal groups – nominated by 52 per cent and 47 per cent of respondents, respectively.
Only a quarter believe their existing security is adequate, and 30 per cent reported having encountered employee resistance to security-focused cultural change.
If employees won’t support cybersecurity improvements, what’s a security executive to do?
Building a new model of trust
White is among the many security-industry pundits rallying behind the ‘zero-trust’ model, which flips conventional security on its head in favour of a network access model that denies users access to data unless they – or their devices – can prove they should have it.
Instead of providing access to anyone with the right password, zero-trust models make data inaccessible – for example, by encrypting it at rest – and provide temporary keys only to those that have passed their checks.
Access can be revoked in a heartbeat if a ransomware attack, cybersecurity breach, or even unauthorised copying is detected – potentially stopping a malicious insider in their tracks.
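The key-release pattern described above can be sketched as follows. This is an added illustration, not code from Fornetix or any product named in the article: the `KeyBroker` class, its method names and the `device_trusted` flag (standing in for a real device-posture check) are all hypothetical.

```python
import secrets
import time

class KeyBroker:
    """Hypothetical broker: holds data keys, releases them only via short leases."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._keys = {}        # resource -> key for the data encrypted at rest
        self._acl = {}         # resource -> users allowed to request a lease
        self._leases = {}      # lease id -> (user, resource, expiry time)
        self._revoked = set()  # users cut off after a detection
        self._ttl = ttl_seconds
        self._clock = clock
        self.audit = []        # (time, user, resource, event): who, what, when

    def protect(self, resource, allowed_users):
        self._keys[resource] = secrets.token_bytes(32)
        self._acl[resource] = set(allowed_users)

    def _log(self, user, resource, event):
        self.audit.append((self._clock(), user, resource, event))

    def request_lease(self, user, resource, device_trusted):
        # Default deny: identity, device and entitlement are checked every time.
        allowed = (user not in self._revoked and device_trusted
                   and user in self._acl.get(resource, ()))
        if not allowed:
            self._log(user, resource, "denied")
            return None
        lease_id = secrets.token_hex(8)
        self._leases[lease_id] = (user, resource, self._clock() + self._ttl)
        self._log(user, resource, "lease_issued")
        return lease_id

    def get_key(self, lease_id):
        user, resource, expiry = self._leases.get(lease_id, (None, None, 0))
        # A lease is useless once it expires or its holder is revoked.
        if user is None or user in self._revoked or self._clock() >= expiry:
            self._log(user, resource, "key_refused")
            return None
        self._log(user, resource, "key_released")
        return self._keys[resource]

    def revoke_user(self, user):
        # Called by detection tooling; outstanding leases stop working at once.
        self._revoked.add(user)
        self._log(user, None, "revoked")
```

A valid password alone never reaches the key: each release depends on a live, unrevoked lease, and every decision lands in the audit trail.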
Half of Australian and New Zealand companies are currently working on zero-trust deployments, according to a recent Okta survey, with security executives revisiting cybersecurity strategies that have long been based on protecting data at endpoints: users’ phones, tablets, computers, and other devices.
As COVID-19-inspired remote working becomes permanent for many, White said, new security models will focus on protecting data as it moves between those points.
“We need to make it so that when users are accessing that data, we know where they were and when they did it,” he explained, “and we need to ensure that control over access to that data can be given or taken away based on operational needs.”
“At the end of the day, it’s all about the data.”