We’ve all heard real stories about outsiders who exploit vulnerabilities in computer systems to plant malicious software and/or demand money, but it’s also important for firms to keep an eye on employees whose “at risk” behaviours can cost the firm millions of dollars and harm its reputation, a webinar has been told. 

Cyber security expert Roger Grimes told a recent Investment Industry Association of Canada (IIAC) webinar that companies can suffer financially from either malicious or unintentional actions of outsiders. While statistics vary widely, some companies have predicted the cost of cybercrime to the world could reach $10.5 trillion a year by 2025. 

From simple mischief to hacktivism 

But there is also a range of insider threats, from simple mischief to employees trying to line their own pockets to those with unresolvable relationship issues with someone at the office. Add to that those who seek revenge on a former employer, as well as “hacktivists” who carry out cyberattacks in support of political causes, said Grimes, an author and self-described data-driven defense evangelist at KnowBe4 in Palm Harbor, Florida.

The 2021 Data Breach Investigations Report by Verizon states internal security breaches account for around 22 per cent of security incidents, a number Grimes said is “pretty high.” 

But regardless of the percentage, Grimes said the biggest insider threat to a company is usually someone already working in the firm who has enough permissions and privileges to do harm. 

While these kinds of attacks are difficult to detect, it’s important for companies to bring in proper training and preventive controls, he said. 

Predispositions and stressor events 

“If you get somebody who has these predispositions and stressor events and concerned behaviours and then you have an organization that is inattentive then maybe it could escalate to a hostile act,” said Grimes. 

He suggested prevention methods such as making sure you hire the right person for the job and ensuring background checks are carried out, since some candidates may have been arrested before for hacking inside a previous employer. 

It’s also important to make sure employees take their vacations. Grimes gave the example of an older person at a company who was in charge of answering the phones and constantly came to work, even during “vacation.” A year after he left the company, Grimes found out that the person had been indicted for embezzlement, and so had other members of his family, while he was supposedly on vacation. 

He suggested companies provide incentives to some people and look for financial stressors, as well as offer positive, corrective action before it becomes serious. 

He said there are a number of ways to lessen social engineering attacks, such as patching software or enabling multi-factor authentication (MFA), which requires the user to provide two or more verification factors to gain access to a resource such as an application or online account.