4 steps to clotheslining internal hacking threats

October 30, 2017 | 5 Minute Read



“IT managers and the C-suite may not realize that the likelihood of their server being compromised at some point is akin to death and taxes,” says Randy Battat, CEO of encryption software company PreVeil.

We’re inclined to agree. The IT sector is growing, and it’s only going to get bigger. Experts estimate it will reach a whopping $3.5 trillion this year. And cybercrime is growing just as fast—if not faster.

But what many companies don’t realize is that internal hacking can pose almost as much of a threat as external attacks. Businesses are in a bad habit of ignoring the internal threats and only investing in guarding themselves from the external ones—and you can’t really blame them. The World Economic Forum estimates that cybercrimes cost the global economy $445 billion in 2016 alone. No wonder HackerOne, a vulnerability coordination and bug bounty platform, has earned $15 million since 2012 by hacking into corporate customers and discovering their vulnerabilities.

Yet, while white-hat hackers aim to tackle external threats, some of the biggest hacks have come at the hands of those on the inside. Whether malicious or unwitting, the enemy could be sitting in a cubicle down the hall. It’s estimated that a full 43 percent of data breaches are caused by internal hacking or other insider threats—and as the IT landscape grows, so, too, do the chances of being compromised from the inside.

1. Watch those emails

Wading through email usually tops the list of most hated tasks in the workplace when getting to inbox zero is considered a gold standard. And that’s likely why it became such an easy target for some of the biggest internal hacks.

Earlier this year, a hacker posing as the CEO of solar company Sunrun wormed their way into the payroll department through an email requesting employees’ W-2 forms. The timing—late January, when companies typically issue the forms—made it easy for a worker to look past the phishing scam and send the forms out to the hacker. Unfortunately, that exposed the Social Security numbers and salary information of “a substantial portion” of the company’s 4,000 current and former employees.

A similar scam unfolded at media company Mansueto Ventures when some employees unwittingly clicked on an email attachment that let hackers steal their coworkers’ wage information and Social Security numbers. In this case, the stolen information of about 90 percent of the staff was quickly used to file fraudulent federal and state tax returns in hopes of skimming any refunds.

It’s easy to see how this type of attack could unfold. When an employee receives an email from an executive that demands a quick response, they’re not always checking to make sure the address of the sender is valid. To avoid this type of attack, email security and phishing awareness training are an absolute must.
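An added example (not from the original article): a minimal Python check for the scenario above, where a message carries an executive's display name but comes from an address outside the company. The company domain, executive name, keyword list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: the organisation's domain and executive names.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
SENSITIVE_TERMS = ("w-2", "w2", "payroll", "social security")

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Jane Doe <jane.doe@examp1e-mail.test>\n"
    "Reply-To: jane.doe@freemail.test\n"
    "To: payroll@example.com\n"
    "Subject: Urgent: employee W-2 forms\n"
    "\n"
    "Please send all employee W-2 forms today.\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: payroll@example.com\n"
    "Subject: Q1 planning\n\nAgenda attached.\n"
)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def impersonation_flags(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    flags = []
    if display_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append("executive display name on external address")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("Reply-To domain differs from From domain")
    # Only single-part text bodies are inspected in this sketch.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if flags and any(term in text for term in SENSITIVE_TERMS):
        flags.append("requests payroll or tax data")
    return flags
```

A header check like this catches look-alike and free-mail senders; it does not replace SPF, DKIM and DMARC, which address forged use of the company's own domain.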

2. Double-check who has security clearance

Sometimes, even the employees you trust most can betray the company. Jonathan Ly, a former IT employee of publicly traded Expedia, stole passwords and hacked into the CFO’s and head of investor relations’ devices between 2013 and 2016. From there, he was able to remotely access confidential emails and documents that led him to make a string of stock trades for a profit of $331,000.

More recently, a Wall Street IT engineer was arrested when authorities found out he installed malware on the company’s servers. He told the FBI he only wanted to see if a potential acquisition might leave him out of a job; however, he also had the encryption keys necessary to use his employer’s trading platform and algorithms.

As Marc van Zadelhoff advises in Harvard Business Review, IT managers should prioritize security risks that employees represent. “In particular, monitor IT admins, top executives, key vendors, and at-risk employees with greater vigilance,” he says.

3. Beware of bugs

Sometimes, it’s not a human on the inside, but a bug in the trusted software that leads to an “internal hack.” Take the case of Cloudflare. Back in February, the internet infrastructure company, which serves about 6 million customer websites, including OKCupid and Fitbit, said it discovered a bug in its platform that was randomly letting customer data out. Although a patch was put in place immediately, the personal information could have been seeping out for months.

While some of that data would be hard to monetize, a bug or a damaging attack affecting a company like Cloudflare can impact—and potentially endanger—a significant portion of the web, so make sure you keep an eye on the programs you’re using.

4. Secure the servers

Wired also reported that conservative data firm Deep Root Analytics misconfigured a voter database hosted on an Amazon S3 server, exposing more than a terabyte of voter information for anyone on the web to see. This massive breach made it into Wired’s list of the year’s biggest cybersecurity disasters in a report that states, “Misconfiguration isn’t a malicious hack in itself, but it is a critical and all-too-common cybersecurity risk for both institutions and individuals.”

What do all these internal hacking incidents teach us? For one, cyberthreats can come from the most unexpected places—like the print environment. We need to start looking for cyberthreats everywhere, not just from where we expect them. Even companies that have standard cybersecurity practices in place can be breached in unexpected ways—as we’ve learned from Target, Home Depot, and even HBO.

“Passwords are obsolete and even dangerous,” maintains Randy Battat of PreVeil. “And, for that matter, so are current encryption methods that make it possible to access emails as they travel or reside on the server,” he says. An entire enterprise can be brought down by something like that, especially if it lacks the proper defense. If you want to protect your company, start following these tips today and be as proactive as possible. Soon, you’ll be clotheslining cyber attacks left and right—they won’t stand a chance.
