Introduction to managing internal cyber threats

Date post: 20-Jan-2017
Upload: mosoco-ltd
Transcript
Page 1: Introduction to managing internal cyber threats

Managing internal cyber threats

What your organisation needs to know

Page 2

1. Introducing internal cyber threats

Page 3

What are cyber threats?

Page 4

The data (slide shows a chart; the plotted values are not recoverable from the transcript)

Page 5

What gets lost?

o Money
o Operational efficiency
o Strategic information
o Morale
o People
o Machinery
o Personal data
o Reputation

Page 6

What goes wrong?

Letting people in

Letting assets out

Page 7

How does it happen?

Accidental
o Leaking information
o Social engineering
o Losing objects

Deliberate
o IT sabotage
o Fraud and theft of money
o IP theft

Page 8

Why do things go wrong?

(listed in order of increasing employee fault)
o External threats
o Lack of knowledge
o Hard-to-use systems
o Pressure of work
o Egoism and “Munchhausen syndrome”
o Social pressures
o Carelessness
o Career focus
o Maliciousness and greed

Page 9

Greed is most common motive

(bar chart; axis: Motive, scale 0 to 50; bar values not recoverable from the transcript)
Motives shown: Financial gain, Ideology, Loyalty to friends, Desire for recognition, Revenge

Source: CPNI

Page 10

Insider attack: greed

o Insiders at insurance company Aviva sold details of people who had car accidents to personal injury claims companies
o This was the second publicised incident in 2 years
o Bad press will have harmed the brand and its reputation for trustworthiness

Page 11

Internal risk: revenge attack

o Morrisons staff at risk from fraudsters after bank account details were stolen and published online
o Information about 100,000 employees was posted on the internet by a malicious insider with access to the payroll data
o This resulted in considerable employee anger and reduced morale

Page 12

3rd party risk

o US retailer Target was hacked via a supplier
o The direct cost of the hack was $250 million
o In addition, reputational damage meant that revenues were $2.5 billion lower that quarter

Page 13

Process risk

o Ubiquiti Networks lost $47 million in a simple invoice fraud
o The problem: internal processes combined with employee awareness

Page 14

2. Helping people keep safe

Page 15

Cornerstones of internal security

(diagram: Assets protected by Technology on one side and by People and processes on the other; the four people-and-process cornerstones are Knowledge, Ability, Awareness and Attitude)

Page 16

Knowledge

o Training and reference material
o How to use company security systems
o How to behave to keep personally safe
o What to do in a crisis

Page 17

Ability

o User-centred design of security systems
o Intuitive to use
o Simple to remember
o Minimal effect on ability to do a job efficiently

Page 18

Awareness

o Programme to generate awareness of the presence and changing nature of cyber risk
o Constant reminders
o Reminders at the point of risk

Page 19

Attitude

o Cultural change programme to “socialise” cyber safety into an organisation

Page 20

3. Looking out for trouble

Page 21

Recognising the threat

o Poor work attitude
o Signs of being stressed
o Exploitable/vulnerable lifestyle
o Exploitable work profile
o Recent negative life events

Source: CPNI

Page 22

Typical behaviours

o Unusual copying activity
o Unusual IT activity
o Unauthorised handling of sensitive material
o Security violations
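"Unusual" only becomes actionable when it is measured against what is normal for that person. The Python below is an added example, not part of the deck, of how a monitoring team could turn the "unusual copying activity" indicator into a per-user baseline check over file-copy audit records. The log format (`date user action megabytes`), the sample lines and the threshold of three standard deviations are all assumptions made for the example.

```python
"""
Added example: flag days on which a user's copy volume is far above
that user's own earlier days. Uses only the standard library.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit records (not real data). Each line is
# "<date> <user> <action> <megabytes>". alice's last day is the outlier.
SAMPLE_LOG = """\
2017-01-09 alice copy 120
2017-01-10 alice copy 95
2017-01-11 alice copy 130
2017-01-12 alice copy 110
2017-01-13 alice copy 4800
2017-01-09 bob copy 20
2017-01-10 bob copy 25
2017-01-11 bob copy 18
2017-01-12 bob copy 22
2017-01-13 bob copy 24
"""


def parse_copy_log(text):
    """Aggregate 'copy' events into {user: [(date, megabytes), ...]} sorted by date."""
    per_user = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, action, mb = line.split()
        if action != "copy":
            continue  # other actions are ignored by this particular check
        per_user[user][date] += int(mb)
    return {user: sorted(days.items()) for user, days in per_user.items()}


def flag_unusual_copying(daily, k=3.0, min_history=3, std_floor=1.0):
    """Return findings for days whose volume exceeds mean + k*std of the
    user's earlier days. Only days with at least `min_history` prior days
    are scored, so a new joiner is not flagged for having no baseline.
    `std_floor` stops a perfectly flat history from producing a zero
    standard deviation (and a division by zero)."""
    findings = []
    for user, series in daily.items():
        for i in range(min_history, len(series)):
            history = [mb for _, mb in series[:i]]
            baseline = mean(history)
            spread = max(pstdev(history), std_floor)
            date, today = series[i]
            z = (today - baseline) / spread
            if z > k:
                findings.append({
                    "user": user,
                    "date": date,
                    "megabytes": today,
                    "baseline_mean": round(baseline, 1),
                    "z_score": round(z, 1),
                })
    return findings


def run_check(text=SAMPLE_LOG):
    """Convenience wrapper: parse then score."""
    return flag_unusual_copying(parse_copy_log(text))


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['date']} {f['user']}: {f['megabytes']} MB copied "
              f"(baseline {f['baseline_mean']} MB, z={f['z_score']})")
```

A z-score against the individual's own history is deliberately simple; it catches a sudden spike but not a slow ramp-up, so in practice it sits alongside peer-group comparison and a review of what was copied, which the "unauthorised handling of sensitive material" indicator on the same slide points at.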

Page 23

What makes it worse…

o People
  o Poor security culture
  o Lack of risk awareness at senior level
  o Poor management practice
o Process
  o Lack of role-based security assessment
  o Lack of pre-employment vetting
  o Poor communication between business areas
o Technology
  o Inadequate auditing and monitoring
  o Lack of protective controls

Page 24

4. Managing the risk

Page 25

Assets at risk

(diagram of three overlapping areas: Technology, Processes, People; the part of the people and processes area often not covered sufficiently by IT security is marked as where the requirement is)

Page 26

Working with IT security

1. Identify appetite for cyber risk
2. Review cyber security culture
3. Identify main internal threats
4. Develop usable policies and processes
5. Deliver engaging training
6. Ensure constant awareness
7. Measure behaviour

Page 27

Holistic approach needed

o Ensuring usable systems
o Persuasive communications
o Tools to manage threats
o Understanding cyber threats

Jeremy Swinfen Green

Page 28

For more information: Contact Jeremy Swinfen Green

[email protected] 341 589

or visit cyber4HR.com

Page 29

Appendix

Page 30

Threats, risks and assets

o An asset is something we value - data, money, people or reputation: the thing we are trying to protect
o A threat is something or someone that can damage an asset – it could be a person, an Act of God or a technical failure: what we are trying to protect against
o A vulnerability is something that makes our asset vulnerable to a threat: a weakness in what we are trying to protect
o A risk is the effect that a threat could have on an asset: the intersection of asset, threat and vulnerability
