According to reports this week, the theft of more than $15 million from UniCredit in China came to light late last year, when cybersecurity loopholes were exploited to access clients' money. "UniCredit regrets this incident and apologizes to those affected," said a spokesperson. "The safety and security of our clients’ assets is our primary concern and all efforts have been made to ensure that a similar malicious incident cannot reoccur."
A U.K. government report published last week reported that "32% of businesses identified a cybersecurity attack in the last 12 months," and almost half of those attacked were attacked monthly. A director at the country's National Cyber Security Centre warned that "the cybersecurity landscape remains complex and continues to evolve, and organizations need to continue to be vigilant."
Under the hood or inside the tent
When we think of cybersecurity, we think of hackers hidden in online shadows, we think of the dark web, we think of malware, phishing attacks, social media fraud. We also think of nation-state bad actors. In January, the Director of National Intelligence told U.S. senators that Russia and China pose the biggest cyber threat to the United States. Last month, the U.K. acknowledged "a cyber incident affecting [major] organizations in late 2018, with "Iran being blamed for a wave of cyber attacks that targeted key parts of the U.K.'s national infrastructure in a major assault just before Christmas."
No doubt organizations up and down the country immediately locked their doors and windows and updated their firewalls and wifi passwords. Unfortunately, even as the focus remains on faceless, external threats, the issue is actually much closer to home. As many as one in five cyber attacks and data breaches come directly from insiders, from employees, from so-called privilege misuse, and when the extended enterprise is taken into account, the numbers are far higher than that.
The UniCredit theft was perpetrated by an employee of the bank, who allegedly used a supervisor password to fabricate transactions, and it followed similar cyber embezzlements at China's state-owned Postal Savings Bank of China and at "a rural bank in the northern Jilin province."
No safety in numbers
As many as 87% of executives now "cite untrained staff as the greatest cyber risk to their business," claimed an industry report last October, "with staff training ranked among the categories to have made the least progress when measured against the NIST's cybersecurity framework." The report ranked insider threats (87%) ahead of malware/spyware (81%), phishing (64%), external unsophisticated hackers (59%) and cybercriminals (57%).
As explained in Verizon's Insider Threat Report, "external actors - outsiders trying to break into your organization’s systems - deserve real defensive effort and attention. But employees and partners can do just as much damage from the inside. Whether from malice or negligence, the results can be equally devastating." Verizon's report suggested that insider cyber attacks, so-called 'privilege misuse', accounted for around 20% of all cybersecurity incidents and nearly 15% of all data breaches in 2018. Second only to DDoS attacks.
There is a clear differentiation between careless and malicious employees, between lazily clicking links and actually stealing information or setting out to damage a system. And where it is malicious, "insiders have advantages over external actors seeking to circumvent security: insiders often enjoy trust and privileges, as well as knowledge of organizational policies, processes and procedures. They know when logging, monitoring and auditing are used to detect anomalous events and behavior; and that it’s difficult to distinguish legitimate and malicious access to applications, data and systems."
The true insider problem, though, is even worse than that.
Research from last year by the company Clearswift suggests that "direct threats from an employee within the business - inadvertent or malicious – now make up 38%, of [cyber] incidents." The company went further and surveyed IT decision-makers in Europe and the U.S. to look at the "true insider threat," which added inadvertent and malicious threats from the extended enterprise of customers, suppliers, and ex-employees. Taking this broader measure, the number is actually 65% in the U.K. and 80% in the U.S.
"The results once again highlight the insider threat as being the chief source of cybersecurity incidents," a company spokesman said. "Three-quarters of incidents are still coming from within the business and its extended enterprise, far greater than the threat from external hackers. Businesses need to shift the focus inwards."
In a world where "one in three small businesses admitted to not having any cybersecurity strategies in place at all and more than three quarters have no policy for controlling access to their data systems," this should give some serious pause for thought.
