Over the past few years, cyber security has become a big concern for many organisations. With continual stories of data breaches leading to reputational damage, loss of customers and disciplinary action, organisations are more aware than ever of the consequences of not staying secure – but they’re not always aware of what they should be doing.

One of the biggest threats that organisations face is the insider threat. This includes both the accidental loss of data and malicious actors who steal information or compromise systems. In many of these cases, the loss of data could have been mitigated – or prevented altogether – with effective penetration testing. However, too few organisations are aware of the benefits of regular penetration testing and are leaving themselves open to breaches.

Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.

Examples

  • Anthony Levandowski, a former engineer at Google’s parent company, Alphabet, is currently being sued for allegedly stealing 14,000 internal files. Levandowski, who was instrumental in developing the company’s self-driving car technology, resigned in January 2016 to form his own company, Otto, which was bought by Uber seven months later. Alphabet also accused Levandowski of receiving $250 million in shares from Uber the day after he left the company.
  • In August, Bupa admitted that one of its employees stole information relating to 108,000 customers. Bupa revealed that the data included names, dates of birth, nationalities and some contact and administrative information. It’s not yet known why the employee took the data, but common motives are financial gain (by selling the data to other criminals) and revenge (to disrupt business and cause reputational damage).
  • In April, Allegro MicroSystems filed a lawsuit against a former systems administrator who allegedly installed malware on the company’s network. The employee resigned from the company in January 2016, but is accused of returning to Allegro’s premises three weeks later to install a malware time bomb that would eventually cause Allegro a reported $100,000 in damages.
  • In November 2016, a Boeing employee emailed a spreadsheet containing sensitive information about 36,000 colleagues to their spouse. The document was sent to the spouse – who doesn’t work at Boeing – to help with a “formatting issue”, and contained employees’ full names, places of birth, employee IDs and, in hidden columns, Social Security numbers and dates of birth.

How can penetration testing help?

As these examples show, the motives and methods of insider threats are varied, which can make them hard to anticipate. After all, anyone and everyone in your company is a potential security vulnerability, and you can’t keep an eye on everyone. But organisations need to do something, because according to McAfee’s Grand Theft Data report, internal actors are responsible for more than 40% of serious data breaches.

To mitigate insider threats, you need to distinguish two broad categories and plan for each accordingly.

The first threat is insider error. This is the result of employees or contractors being unaware of their security obligations. The Boeing incident is a typical example of this. The employee in question was unaware that they weren’t supposed to email information to someone outside the company, and they weren’t aware that the spreadsheet contained sensitive information.

The second threat is insider wrongdoing. This is potentially harder to mitigate, as it is caused by employees with legitimate access to the information or former employees whose access hasn’t been revoked.

Regular penetration testing can address both of these problems. The tests check for misconfigurations in both networks and web applications, such as faults in error handling and configuration management, that could allow employees to reach information they should not have access to and inadvertently leak it online.

The tests can also identify areas of information or other assets that are exposed to an unauthorised user who has network-level access to the organisation’s corporate IT environment.
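One concrete check behind the second category above, former employees whose access hasn't been revoked, is to reconcile the HR leaver list against a directory export and flag accounts that are still enabled or were used after the leaving date. This is an added example, not code from the original article or from CCS IT Solutions; the leaver list and account export are constructed sample data, and the field names are assumptions.

```python
from datetime import date

# Constructed sample HR leaver list (not real records): who left and when.
LEAVERS = [
    {"user": "jdoe", "left": date(2017, 1, 13)},
    {"user": "asmith", "left": date(2017, 3, 2)},
    {"user": "bkhan", "left": date(2016, 11, 30)},
]

# Constructed sample directory export: enabled flag, last login, groups.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_login": date(2017, 2, 3),
     "groups": ["vpn-users", "finance-share"]},
    {"user": "asmith", "enabled": False, "last_login": date(2017, 3, 1),
     "groups": ["staff"]},
    {"user": "bkhan", "enabled": True, "last_login": date(2016, 11, 29),
     "groups": ["domain-admins"]},
    {"user": "cwong", "enabled": True, "last_login": date(2017, 4, 1),
     "groups": ["staff"]},
]


def find_unrevoked_access(leavers, accounts):
    """One finding per leaver whose account is still live.

    Flags an account that is still enabled, and separately any login
    recorded after the leaving date, which points to use after departure.
    """
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        acct = by_user.get(leaver["user"])
        if acct is None:
            continue  # account already deleted: nothing to report
        reasons = []
        if acct["enabled"]:
            reasons.append("account still enabled")
        if acct["last_login"] is not None and acct["last_login"] > leaver["left"]:
            reasons.append("login after leaving date")
        if reasons:
            findings.append({"user": leaver["user"], "groups": acct["groups"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unrevoked_access(LEAVERS, ACCOUNTS):
        print(f["user"], "|", "; ".join(f["reasons"]), "| groups:", f["groups"])
```

The group membership is reported alongside each finding so that a leaver still sitting in a privileged group (here the constructed "domain-admins") can be prioritised over one left in a low-risk group.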

CCS IT Solutions' team has been supporting businesses with IT services in Manchester and across the UK for over twenty years. Our service focuses on providing secure, efficient and cost-effective IT solutions to support business operations.

If you would like to discuss this article further, how we can help to safeguard your business from potential threats or any issue relating to IT Support, please get in touch with our team today:

T: 0161 428 2088

E: info@ccsitsolutions.com

W: https://www.ccsitsolutions.com/