Yesterday, the hackers who stole sensitive user data from the online extramarital affairs website AshleyMadison.com released their 9.7 gigabytes of stolen data. The trove of sensitive information includes account details for some 32 million user accounts, including addresses, phone numbers, and partial credit card and payment information.
So how was a company built on keeping secrets, and which promises “100% discreet service,” caught defenceless against a data breach that threatens the fundamentals of its business? CEO Noel Biderman of Avid Life Media, which owns the website and several others, believes it’s an inside job. When the data breach was first announced last month, Biderman said: “It was definitely a person here that was not an employee but certainly had touched our technical services.”
Kevvie Fowler, Partner at Advisory Service, Forensic at KPMG, says the number of insider attacks on companies being driven by external influences is on the rise. “People on the outside find it easier to have someone on the inside provide them with the data in order to steal information through extortion or ransoms,” says Fowler. “Even employees with good intentions can be manipulated by these cyber criminals that come from outside or inside the organization.”
Last year, security firm AlgoSec’s threat survey said 73% of security managers cited insider threats as their biggest concern in 2014, up from 62 per cent in 2013. Fowler says insider attacks are usually driven by financial gains, disagreements between the employee and employer or regarding organizational policies, and in some cases revenge.
In order to prevent a data breach, Fowler recommends companies to take the following steps:
1. Identify the data desirable to criminals
You need to know what they are and where they’re located, says Fowler. “Without knowing where the information is, you don’t know what controls to put in place to help prevent unauthorized disclosure of that data,” he says.
2. Control access to sensitive data
Fowler advises to only grant people with a business requirement to access the information as a way to lessen the risk. “This also serves as a deterrent,” Fowler says, “keeping people who aren’t authorized to view that data from getting access to the information.”
3. Encrypt your data
Protect the information by restricting access to the data by network permissions, encryption or tokenization.
4. Make monitoring known to employees
Log-ins serve as a deterrent to employees when they know their actions are actually being monitored, Fowler explains. “Ensuring there’s awareness regarding what information they’re accessing lets employees know that there are controls in place to monitor who has access to what files,” according to Fowler.
5. Perform background checks on employees
Fowler advises companies to perform background criminal check on employees when they’re hired to identify the high-risk workers.
Companies also need to identify existing employees who started in the organization with good intentions, but are slowly becoming the high-risk sources of attack by examining their behaviour. He says usage of gambling sites and political sites are triggers that can push employees to become a higher source of organizational risk.
Software solutions are also available to organizations to fight insider attacks. Ottawa-based Interset, for instance, offers companies a way to detect insider and outsider threat by using behavioural analytics, machine learning and risk forensics.
- The Ashley Madison hack is yet another wake-up call on data security
- INFOGRAPHIC: The global landscape of cybercrime is shifting
- Stop using anything on this list of the year’s worst passwords
- Meet the made-in-Canada anti-counterfeit sticker of the future
- Why we should be able to pay for better privacy online