
Changing cause of data breaches

by Mark Rowe

The root cause of data breaches is shifting, writes Jon Fielding, Managing Director, EMEA, Apricorn, which offers encrypted portable and desktop drives, and encrypted flash keys.

There’s no room for complacency in cybersecurity due to the constant shift in tactics, techniques and procedures employed by attackers to accomplish their goals. For example, we’ve seen ransomware increase to become a major attack vector only to fall away as authorities clamp down on ransomware gangs and businesses decline to pay. As a result, many ransomware operators are resorting to pureplay extortion.

Ransomware, together with phishing, has long held the top spot among the methods responsible for data breaches. But both have now been toppled by the insider threat, which is now twice as likely as phishing to be the cause.

A recent survey by Apricorn of over 200 IT security decision makers found insiders were the biggest threat, with 40pc citing these (22pc unintentional and 20pc intentional) as the main cause of a data breach within their organisation. This compares to almost a quarter (24pc) of breaches resulting from ransomware attacks, a fifth from phishing emails (21pc) and 18pc from lost/stolen devices.

The findings are corroborated by the latest figures from the Information Commissioner’s Office (ICO) Data Security Incident Trends report, which tracks data breaches reported up to the third quarter of 2023. These reveal that 16pc were due to data being emailed to an incorrect recipient – a non-malicious insider – and 12pc were due to unauthorised access, with 11pc due to ransomware and 8pc to phishing attacks.

Open sesame

What this suggests is that cyber criminals are getting access to data without the need to launch attacks. This is confirmed by the IBM X-Force Threat Intelligence Index 2024 which declares that the most common means of access for attackers is logging in rather than hacking into networks, equivalent to 30pc of all incidents last year. It’s an assertion supported by the Apricorn survey which suggests malicious insiders are to blame in providing access credentials, with 70pc of corporate breaches traceable to employees.

So, why are we seeing this change? Clearly there is less risk of discovery and higher chances of success when it comes to using legitimate log-ins. There’s no need to dedicate time and resource to overcome security defences and the downward shift in the economy has seen inflation increase faster than wages, creating a workforce susceptible to bribery and corruption.

The ISC2’s Cyber Workforce Study 2023 reveals that 52pc of those questioned had experienced an increase in the insider threat over the past year, with 71pc attributing this to economic uncertainty. Moreover, 39pc said they or someone they knew had also been approached by a malicious actor, revealing that there is widespread recruitment. Brazen attempts to recruit insiders have even been reported from social media and communication platforms such as Telegram.

But we’re also still playing catch-up when it comes to adjusting to new working practices, namely remote and hybrid working. The Apricorn survey found that 48pc of mobile workers knowingly put corporate data at risk of a breach last year and 51pc of organisations expect them to expose their business to the risk of a breach going forward.

Lax controls

Despite this, few organisations have taken steps to address the threat. Only 14pc control access to the systems and data that remote workers use. Even those 24pc who said they require employees to receive approval to use their own devices admitted they do not then apply any controls. Some take a completely hands-off approach, with 17pc not requiring any approval or applying any controls. So, it’s small wonder that 22pc of security leaders admitted they had no control over where company data goes.

So what steps should organisations take to reduce the risk of a data breach caused by insiders? Firstly, it’s worth stepping up staff awareness training to ensure that everyone has a security-first mindset regardless of where they are working from. This is vital as one of the biggest issues in inadvertent data exposure is the sidestepping of security measures; often users simply want to get the job done and so resort to workarounds without realising what’s at stake.

Training should include legal reminders of obligations under the Computer Misuse Act (CMA), under which users passing on credentials to a third party in return for payment would be breaking the law. And it’s also advisable to put a reporting process in place so that staff can declare when they’ve been approached by bad actor recruiters.

With respect to the controls that should be put in place on devices, laptop USB ports should be locked down so that only approved external drives can be used with them. Mandating the use of only equipment supplied by the organisation is of course another option although in today’s BYOD world this is fast becoming an antiquated approach. Instead, software should be downloaded to control access to applications and systems on the network and data encrypted as standard across the information estate so that, even if it does fall into the wrong hands, it remains indecipherable.

Back to basics

Implementing these types of control should be common practice, but the reality is that such mainstays have fallen out of favour. The Apricorn survey also found that encryption is on the decline, for example, with only 12pc encrypting data on laptops, compared with 68pc in 2022, while 17pc encrypt data on desktop computers, down from 65pc in 2022. It’s a similar story for mobile phones, with 13pc encrypting all, versus 55pc in 2022; for USB sticks, with 17pc encrypting these today, down from 54pc; and for portable hard drives, which fell to just 4pc from 57pc.

As the insider threat continues to rise and the application of cyber controls becomes more lax, the danger is that we will continue to see an uptick in both malicious and non-malicious insider breaches. The problem is that the user has been given too much leeway and there’s been too little action taken to enforce security policy and the result is a situation that organised criminal gangs will be quick to exploit unless organisations take back control.


© 2024 Professional Security Magazine. All rights reserved.
