Insider breaches on the rise: How to get a handle on human error

Themen:

14. Feb.. 2020

The big headline-grabbing stories of IT security breaches tend to focus around shadowy hackers or nation state operatives pushing buttons and pulling strings in the background. But the truth is that many security incidents these days come as the result of human error inside the breached organisation. In fact, new research claims that 90% of breaches reported to the UK data protection regulator last year were down to insider error.

As organisations build out their digital infrastructure and IT systems continue to expand and grow in complexity, the trend will only escalate. IT leaders need to step in now with a blend of improved employee training and next-gen tools designed to catch configuration errors.

The inside track

The analysis of data breach reports filed with the Information Commissioner’s Office (ICO) in 2019 revealed phishing to be the single biggest cause of incidents, accounting for nearly 46%. Now, although these are the work of external hackers, they fundamentally take advantage of the credulity of employees in clicking through to divulge their logins or unwittingly install malware onto the corporate network. Verizon claimed in its Data Breach Investigations Report for 2019 that a third (32%) of breaches the preceding year were caused by phishing. It reported that a slightly higher figure (34%) could be explained by “insiders”.

Employees can do more wrong than merely clicking on a phishing link, of course. A further third (33%) of breaches reported to the ICO were labelled as “unauthorised access”. Although it’s impossible to know for sure how much of each attack was made possible thanks to human rather than technical errors, the former is often easier to take advantage of. And cyber-criminals are always looking for the quickest and easiest route to drive ROI.

In this context, poor password security is one of the biggest threats to organisations. Weak, easy-to-guess credentials that are used across multiple accounts offer hackers an opportunity to use credential stuffing tools or other brute force methods to crack open corporate accounts. Once inside, they offer a beachhead from which to spread further phishing messages, attempt BEC scams, and/or go searching for high-value data stores.

IT on the rack

This is only one piece of the puzzle. IT staff are increasingly also to blame for data breach incidents. The culprit in many cases is the growing complexity of hybrid cloud environments. Around 85% of companies are now using multiple clouds, while three-quarters (76%) deploy between two and 15 hybrid clouds, according to IBM. Whereas the cloud was once thought to streamline IT and improve operational efficiency, in many cases it’s arguably starting to create the same problems associated with legacy on-premises environments: complexity, sprawl and silos. In-house IT staff simply can’t keep up.

It’s no surprise that misconfigured cloud servers and related infrastructure are an increasing cause of data leaks and security breaches. In 2018, an estimated 990 million records were exposed this way, amounting to 43% of the total lost or leaked that year. Last year, a misconfigured web application firewall (WAF) was blamed for the Capital One breach that compromised the personal data of 100 million banking customers and applicants.

What happens next?

The bad news is that insider breaches cost a lot. Some reports suggest up to $9 million on average per incident, while others claim that costs have risen 15% between 2018 and 2019. According to Accenture, the increasing prevalence of contractors and remote working has made the problem even more acute. It may even be a lot worse than we think: studies cited by the IEEE claim that 70% of insider attacks are not even reported externally, “including many of the most common, low-level attacks.”

So what happens next? As usual, there’s no silver bullet solution to these challenges. A mundane combination of people, process and technology is the best approach to mitigate the risks associated with human error. That means:

Investing in phishing training tools for all staff, from the board room down — including contractors and temps

Complementing the above with advanced email security featuring traditional capabilities to spot bad sender domains and malicious links/attachments, combined with AI features to detect malicious intent

Choosing compliance orchestration or posture management tools to continually monitor, assess and remediate any configuration errors in the public cloud

Phil Muncaster

Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.

Follow Phil on Twitter and connect with him on LinkedIn.