Internal Attacks and their Impact on Organizations

THE WORLD OF INFORMATION SECURITY

The World of IT is not safe. With the growing techniques of hacking and information breach, it’s possible to decrypt almost all kinds of codes. However, considerable amount of effort is being invested in protecting your information from breaches. Numerous information security firms are there to ensure every client organization is safe from external attacks.

How stupid would you feel if despite all your safety measures and monetary investments your data gets leaked out just because an end user was not vigilant enough or had malicious intent?

“Almost 40 percent of IT security breaches are perpetrated by people inside the company.” Estimates a Research conducted by the US Computer Emergency Response Team (Cert).

Well, Internal attacks are a real thing, and they can have devastating impacts on an organization in extreme cases. This is one of the reasons why insurance premiums for cyber-crimes are on the increase.

WHAT ARE INTERNAL ATTACKS?

An individual or a group of employees with system privileges and technical expertise may attack an organization’s system internally, if they can benefit from the disruption of system or exploitation of organization’s assets. The internal attacks may also be unintentional in most of the cases.

MOST COMMON INTERNAL ATTACKS

• Weak passwords

Generally, employees tend to be very careless about passwords. They may login to multiple sites with the same password, which can be exploited. Likewise, they keep their passwords simple, write them down in password hints, or give them over to unauthorized people or malicious websites. This non-skeptical casual behavior gives way to the success of phishing attacks.

Employees need to be trained on how their accounts can be exploited. Only then will they understand the importance of complicated passwords. Additionally, multi-factor authentications should be enforced for logging in to the system.

• Falling victim to Phishing Attacks

Attackers use social engineering to obtain passwords or other sensitive information from employees, who if untrained about phishing will easily give into those attempts. This may give attackers login credentials to access a system.

This problem is recurrent worldwide, for which a clear information security policy is needed in every organization which should be followed strictly.

The end users are the weakest component of a network system. Therefore, there’s a strong need of training sessions for employees to enlighten them about why certain measures are necessary and how phishing works, otherwise they may dismiss the security measures as unimportant.

• Fraud

Internal fraud can prove to be a very threatening act for an organization. It can be for monetary benefits or may harm an organization’s reputation if employees make fraudulent deals with people in the name of the organization.

Moreover, frauds may include misuse of sensitive information of the organization, leakage of private secrets or data of clients or even theft of intellectual property or plans of the organization, that could be sold to competitor organizations for monetary gains.

In extreme cases, some employees have been found to be working for external organizations who joined as intruders for leaking secrets of the company.

• Misuse of gadgets

Misuse of office gadgets is a common problem in offices. Even though it does not compete to an intentional cyber-crime involving attacks and viruses, it may damage a system as much.

Office staff tends to visit inappropriate sites when they are ‘surfing the internet’. These sites can be malicious or may exploit vulnerabilities to drop malicious backdoors on a system. Likewise, office gadgets can also be used to pass confidential data to unauthorized users.

LexisNexis Industrial Relations Services conducted a survey last year that found almost one third of UK firms dealing with disciplinary cases of internet abuse.

These information leakage attacks can also be unintentional, but they still require considerable amount of effort, assets and time to limit the damage caused by them.

To prevent misuse of intellectual property or personal data, proper internet monitoring strategies need to be implemented.

• Malicious downloads

The DTI’s latest InfoSec survey shows that 83% of the UK’s great firms have received infected e-mails or files, one-third of which carried 100 different viruses. Microsoft office or excel files are the new common means of zero-day exploits. Employees may compromise a system by downloading such unverified malicious files carrying viruses and malware.

Furthermore, downloads from the internet should be restricted to files from verified sources only. Without such restrictions and monitoring of their implementation, employees may download unneeded malicious software or games on the office gadgets which may compromise the system.

HOW TO PREVENT INTERNAL ATTACKS?

One of the most common practices against internal attacks is implementing an intrusion detection system. It should be configured to scan for both external and internal attacks. Moreover, access privileges of employees should be segregated, based on the requirement of their duties, to help protect against internal attacks.

Many kinds of software are available for automating the monitoring of online activities of employees to protect against internal attacks. Installation of updated anti-virus, firewalls and intrusion detection systems are some of the essential steps for keeping information security intact.

WRAP UP

Staff training is essential to keep an organization internally safe. Also, system monitoring is crucial for ensuring an organization’s safety. However, the approach must comply with active laws such as the Data Protection Act.

When monitoring is implemented, staff must be informed about the monitoring along with their rights and claims regarding the policies. This ensures smooth implementation of security, without being offensive to your staff.

There can also be internal attacks which are deliberate cyber-attacks, which will be discussed later.