On July 24, a massive cyberattack took down COSCO Shipping’s U.S. network, extending to its communication with Canada and numerous Central and South American countries, including Panama, Brazil and Argentina.
As of press time, COSCO officials had not revealed if they knew who committed the attack, but coverage of the breach has been extensive. While cyber threats come in all shapes and sizes, the supply chain industry’s efforts have been primarily on identifying and preventing these types of attacks, which come from the outside.
Isaac Kohen, founder and chief technology officer at Teramind, a software provider that specializes in user behavior, is more concerned about the risk companies face internally.
“The focus of the industry has always been to identify and prevent attacks from the outside, so you have firewalls and anti-malware, things that prevent attacks from a party that’s not really related to the company but is trying to get access. What we’re focused on is how insider behavior shapes the company’s risk profile in terms of cybersecurity,” he explains.
Insider threats are seen in two forms—either negligent or malicious employee behavior, both of which can compromise sensitive company data.
For example, a negligent insider is someone with legitimate access to company information who unintentionally shares it with an outside source. This happens most often with employees who open phishing emails.
“The attack was initiated from the outside, but they use an insider’s legitimate access to gain whatever it is that they’re looking for inside the company,” Kohen explains.
In contrast, a malicious insider is someone who for whatever reason wishes to cause the company harm by indirectly or directly selling the company’s data or taking revenge on the company.
“These days it’s more common to have a successful insider-based attack than to have a successful attack from the outside,” Kohen says.
In fact, in the 2016 Cyber Security Intelligence Index, IBM found that 60 percent of attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.
Most companies, however, are more apt to keep these types of security threats under wraps, because as Kohen notes,“it brings shame on them thinking they have created a culture that would allow an employee to do this.”
These things do happen, though, and often times culture has nothing to do with it. A large manufacturer in New Jersey recently experienced a malicious insider threat, where sensitive corporate information was stolen. The manufacturer previously had a legacy employee monitoring solution that its IT director says was “not efficient, nor user-friendly.”
Following the incident, the manufacturer rolled out a small pilot group through Teramind. Its goal was to protect intellectual property and customer data against exfiltration. Soon after, Teramind was able to provide the proof required to identify the malicious insider who was leaking intellectual property and other sensitive data.
“Knowing that data was leaving the organization, but not knowing how or by whom, the IT director was able to review comprehensive historical data reports generated by the Teramind monitoring software. Teramind delivered the IT forensics required to pinpoint both the user and the method of data exfiltration,” the company explains in a case study, Detection, Investigation and Elimination of Company Insider Threats.
Like any cyberattack, the release of sensitive company data can have adverse effects on brand reputation and come with the risk of liability concerns.
“Imagine if it were patient records or credit card numbers or other highly regulated data that is illegal for companies to exfiltrate; that would be a very big problem for a company. They would face regulatory compliance, as well as reputation damage,” Kohen explains.
The release of confidential data can also have negative business impacts. For example, an employee releasing its company’s CRM customer list to a competitor could create a significant financial loss.
“These three things combined can really bring a company to its knees and are something that should be taken very seriously,” Kohen adds.
Prevention is a very difficult thing to achieve, Kohen says, but he notes there are ways to make insider cyber threats difficult to pull off. He suggests the following methods, which can help companies detect the early stages of exfiltration attempts:
Create a watch list of employees who are behaving in a suspicious manner, such as reduced productivity or increased time on LinkedIn. Alerts can be triggered based on user internet usage.
Implement as much automation as possible, including software that provides anomaly detection. Computer automation prevents companies from infringing on employee privacy because a computer doesn’t care what your employees are looking at online. It is only looking for certain suspicious behaviors.
Augment automation with rules for behaviors that you know should be illegal. For example, management could be alerted if an employee sends an attachment to a competitor’s domain, or they send an attachment that came from the company’s CRM to an email outside of its domain.
“You have to build a layer of automation around what is sensitive for you,” Kohen says. “The ideal program would be using protection from the outside (i.e., firewall) in addition to something from the inside that can accommodate both these discretionary rules as well as anomaly rules.”
He adds that while it is important to trust the people you work with, in today’s increasingly competitive and global business environment it is important to be cautious.
“As companies grow, you lose touch [with employees]; you don’t know everyone in the company and what they are going through,” he explains. “You don’t have to be suspicious of your employees to start a program like this, but if you don’t have it and something does happen, then you’ll be at a very big disadvantage.”
Follow Amy Wunderlin on Twitter.