Read most security vendors' websites (yes, we know what we are) and you'll generally find something about the terrifying “Risk of Insider Threats.” Rogue employees are lurking around every corner. You try to hire good honest people, brimming with integrity, but still these evildoers slip through the net and before you know it they are trying to take you down. They don't care that you have a family to feed, that you put your life and soul into creating a flourishing business. Maybe you should just go self-employed. Switch off the internet and go back to pen and paper. Reduce the risk completely and become a cave-dwelling hermit. Actually, can you come back out of the cave and turn the internet back on for a moment please? Thanks.

I hope the mild exaggeration in the above paragraph was apparent. And if that's the reality in your business perhaps it's time to rethink your hiring strategy (and maybe go back to the cave after all, it was nice in there right?). Most of your employees really like you having a business, they don't want to ruin it, and they aren't going to do something purposely malicious. There is a BUT coming, though. Actually, there are two, because reality is a harsh mistress.

BUT #1... Insider threats are real.

I'm sorry, I'm being That Vendor. We haven't invented this as an industry, I promise. It does only take one person to cause a lot of potential damage – take the recent Sage data breach as an example. Hundreds of detailed financial customer records accessed by an unauthorised* employee. A the time of writing this, the Sage investigation is ongoing - an arrest has been made, and a lot of Sage's customers have received a notification that their details may have been on the list. Like I said, it just takes one.

*that isn't a typo btw, I'm from that tiny island over the pond, we just don't do zeds with the same level of enthusiasm that Americans do #sorrynotsorry

BUT #2... Unwitting insider threats are a much greater concern.

This isn't a disgruntled employee, it's someone who can easily open up your business to the evils of the outside world. They clicked on a dodgy Facebook link from a friend, they opened up an "invoice" which turned out to be hiding malicious code, they chomped down on the hook of a phishing email and before you can say Wicked Tuna, there's a keylogger or worse sitting on their PC. Their user credentials get captured and delivered off to someone truly malicious outside of your organisation. Your employee didn't mean to cause a problem, they just didn't know any better.  And they'd possibly do the same thing all over again tomorrow.

Understanding the risk posed by your employees, the users of your systems, the people who access critical data that's key to your business is so much bigger than worrying about the occasional rogue employee.

Bonus BUT (because marketing)... Compromised user credentials behave just like insider threats

Protecting assets is an important part of any security program, no doubt about it, but a huge number of data breaches are caused by compromised user credentials (the Verizon Data Breach Investigations Report has this as the top method of attackers breaching a network every year from 2013). These are user accounts that look, feel and smell like the real deal because That's Exactly What They Are. They just got into the wrong hands. And if you fall into the 60% of organisations who have no way to detect compromised credentials, you won't be able to tell the difference between a bona fide user and an attacker using a compromised account. On the plus side, they won't be hogging the drinks table at your summer party, but that's really the smallest of wins.

Call to action: Don't be a hermit!

If you're thinking seriously about that cave option again, it's OK, you don't need to (unless cave dwelling is actually your thing, but let's assume otherwise because it's a little niche). Take stock, think about where your weak spots are. Would your employees benefit from some up-to-date security awareness training? How robust are those incident response processes?  When did you last health-check your overall security program? Do you have the capabilities to quickly spot an attacker who's got their grubby mitts on the keys to your metaphorical castle (or cave, obvs)?

If the answers to those questions aren't clear, we can help you get a plan together. You can gain the insight you need to be able to protect your business. Visit our web page on compromised credentials and learn more about how we can help you achieve this.

Sam Humphries