I always enjoy reading material written by security firms. Sometimes, they can really push the envelope in trying to innovate regarding cybersecurity. They often try to create new knowledge by using the data that they can obtain and analyze in their daily work.
Recently I have seen a report from an IT security firm that had profiled the six types of cyber criminals that represent the biggest threats to organizations. According to this firm, these are:
- The professional – the career criminals whose primary job is to use their computer skills to make money
- The insider – disillusioned, blackmailed or possibly over-helpful employees that can be a nuisance to the company they work for
- The mule – naïve opportunists that may, or may not, be paid to help criminals in their multiple endeavors
- The nation-state actor – individuals who work directly or indirectly for a government to steal sensitive information, disrupt enemies’ capabilities, or conduct any kind of cyber-operation that could serve the interest of a nation state
- The activist – motivated to change the world via cyber operations; they are usually known as “hacktivists”
- The getaway – young adults, often script kiddies, who will be able to escape a trial, or a sentence, just because of their age
We can surely disagree with some of these categories. At least, there is space for discussion. Any typology opens up debate about the categorizations. For example, the “nation-state actor” could also be a “professional” since a nation state could easily hire a criminal to conduct different types of attacks.
Even though we can all agree to disagree, or agree to agree if you want to, this type of typology is still limited in scope and has one major drawback: it fails to classify these types of individuals by the risk they represent. Of course, the professional and the nation-state actor are probably much more dangerous than the mule, or the getaway, but are they really the kind of cybercriminal that might target you specifically? Clearly the professional might write a script that will eventually target you, or your organization. But the real probability of having a professional targeting you is probably slim. Yes, it can happen, for diverse reasons, but this is at the end of the spectrum of cyber threats that you’re going to face.
What does that mean? It means essentially that, if you want to be ready to face the cyber-apocalypse, being prepared to face the “mundane threat” is probably much more important for you, or your organization, than preparing for a “professional threat”. Why? Because mundane threats are more frequent, and even if they don’t seem to be as dangerous as a cyber-attack conducted by a professional, they might still do irreparable damage to your enterprise, or your reputation.
The Enemy Within
From that point of view, the worst kind of cybercriminals are the ones that are close to you. What does that mean? It means that the greatest threat that your organization will probably face is the insider threat. Disgruntled employees, corrupted executives, incompetent fellows: your organization is hosting a series of potential problems that might eventually disrupt your business.
For example, the last time one of your colleagues left your office for another job, are you sure he didn’t steal information when he left? Are you an “open business” that lets everyone use the Internet the way that they want, even using Dropbox if they want?
You see where I am going with this, right?
What Can You Do to Reduce the Risks of the Insider Threat?
There is no silver bullet to help you here, no perfect security. Sometimes, even though you did all the right things, bad things might still happen. That said, you still want to take some precautions. Here are three things you can do.
First, make sure that no members of your staff have access to all the information present in your company – I am pretty sure the NSA has this rule duly noted now.
A second precaution would be to implement a form of control on how the information present inside your organization can, or cannot, be brought outside your cyber perimeter. The Montreal Police has learned the hard way that those kinds of measures are extremely important.
Lastly, the most important thing is to not build your information security system solely on trust; unfortunately, humans tend to do human things, which sometimes involve less glorious actions. That means that your information security architecture shouldn’t be built entirely on the trust of the people present in your organization. Some kind of checks and balances must be present.
These three precautions just might save you from a big loss, or even worse.