Amar Singh, CEO and Founder of Cyber Management Alliance explains how you can detect insider threats
Year on year statistics show that cybersecurity incidents, particularly insider threats; continue to rise. Recent statistics show organisations report that 42% of IT security incidents occur as a result of their employee’s actions and 74% originate from their extended enterprise. Whether it be a startup or a huge corporation, most businesses will agree that preventing IT sabotage from insider threats is a huge challenge. Thought leader, Amar Singh who is also CEO and founder of Cyber Management Alliance, which offers specialised cybersecurity training to business executives and senior management, is somewhat of an expert when it comes to ‘insider threats’ spoke to us about the characteristics of insider threat behaviour, and what efforts should be made to implement systems and processes to inhibit the effects of insider threats?
Why do you think insider threats continue to rise and what can forward-thinking companies do to minimise the risk?
Part of the reason that insider threats are rising is the proliferation and availability of hacking tools, if I may. Today, you, me, anybody who knows how to use a smartphone can buy a hacking tool. Furthermore, you or me or anyone, can buy a phone that is fully ready to hack that has all the necessary tools installed on the phone. So, I think the primary differential, between the past several years and moving forward, is the fact that more and more of us are connected, more and more of us are aware of the fact that hacking is possible, and historically, the human emotion hasn’t changed; the human emotion of revenge of disgruntled employees, the human emotion of discontent and unhappiness.
The only thing that is changing is the availability and the method of expression of those emotions. So, that is understandable, and you know, not something that people want to hear, but as these tools and services become even more accessible globally, it is far easier for a potential employee to express his or her negative emotions with work using the internet, rather than simply just being unhappy.
Most businesses either directly operate or outsource to a contact centre, what are the risks of this and in your opinion, are contact centres the weakest point of entry?
Most organisations rely on third parties for outsourcing non-core activities, and IT and customer service are non-core activities, so it is totally understandable and 100% a significant risk to an organisation. Contact centres, third-party outsourcers, they are outsourced the activity, but they are not outsourcing the risk – and this is the problem. There’s an assumption that the contact centre or the third party will look after the client data the same way that the business looks after the client data and that’s a fallacy. The business must be responsible for its own protection mechanisms and not consider the fact that they have outsourced risk. You cannot outsource accountability, you have a responsibility for protecting confidential information, personal information relating to GDPR.
What areas of business should a CIO focus on when it comes to protecting data?
The fundamental question what area they should focus on, the CIO and the general CEO and Executive layer must stop focusing on protection and security. They need to stop focusing on protection alone. What I mean by this is, the traditional human assumption that if I locked the door, I am protected, does not necessarily work in real life, but definitely does not work in cyberspace.
THE CONCEPT OF 100% PROTECTION IS A FALLACY AND THE HUMAN MIND – WHETHER IT’S THE CIO, CEO, CSO – THEY NEED TO GET OUT OF THAT THOUGHT PROCESS THAT THEY HAVE INVESTED SO MUCH IN PROTECTION TECHNOLOGY AND NOW THEY SHOULD NEVER BE HACKED.
That is a fundamental reason actually, why companies are being hacked – it’s because they are making an assumption that now they have bought x product, that will protect us, we do not need to do anything else. And it requires a slight change of thought process, which is, you know, are we prepared? The CIO, CEO and CSO should ask themselves, is our business prepared to respond to a cyber-attack? It’s a very simple question but it changes the paradigm. The paradigm right now is 100% protection. We are going to build a large castle wall, and nobody will be able to get in! That paradigm has to change to detection. What I mean by that is, they have to assume they will be compromised, that they are compromised – how do they respond, how do they detect an attack and respond in time.
And what would be your suggestions of how they should detect that before it actually happens?
THE WHOLE CONCEPT OF DETECTION AND RESPONSE IS ALSO A CULTURE CHANGE, SO THERE NEEDS TO BE A CULTURE CHANGE.
It needs to be led from the top. For example, it’s not just business continuity planning because the business may assume, oh we have business continuity planning. Yes, you may have business continuity planning, but the threat of cyber is 100 times more dynamic than a regular business continuity event. So, for a culture of detection, for a culture of preparedness as in any cultural requirement, the culture has to come from the top. The CEO and C-Level Executives must acknowledge that the paradigm is not about protection, the new paradigm is about being prepared to recover our business from a cyber-attack.
Do you think GDPR complicates or magnifies this risk?
GDPR to me is an obligation. For an obligation, it’s something that has to be, again a cultural issue. The obligation to look after a family doesn’t stop after everyone turns twenty! So, GDPR hopefully is going to force organisations to focus on preparedness. My issue with GDPR is the ‘P’ because it’s about protection, but actually, it’s not just about protection. GDPR should encourage organisations to focus on how prepared are they to swiftly detect the signs of an attack so that it does not become a breach.
Do you think CIOs and CTOs need to take a closer look at how internal workers hold and share information?
The CIOs, CTOs, CISOs should ask who has access to what in our organisation? It’s all about privileges, access – if a cyber-criminal does not have access to something, he or she can minimise the risk. The reason cyber-criminals succeed is that they manage to gain access. If you can deny access, they’re not going to be able to succeed.
Employee negligence remains the number one cause of most insider security events. In light of this, why do you think it’s important that CIOs invest in training modules and consistent IT updates to protect their companies from insider incidents?
I think there are two issues here. One is CIOs need to stop relying on boring induction training and boring video presentations. Nobody wants them. Full stop. CIOs need to take employees on a journey and identify key employees and get them face to face training. As long as we are all humans, face to face training has significantly more impact on humans, than boring video presentations. Boring cartoons doesn’t work, otherwise, all the attacks would have stopped. The other thing is CIOs need to understand you can’t just blame the human! You have to empower the human, you have to have the technology that hugs the human in awareness. Once they are aware, what are you going to do? You need to constantly up the game.
Would you say those were your top tips for detection?
Executives need to take the lead. They need to train themselves around incident planning. We call it cyber incident planning and response. Executives need to take the lead. Now, I know I’m not selling anything here but one of the most highly-acclaimed workshops that we do is with Senior Executives – CEOs, CFOs, CIOs – around incident planning and response, around multiple sectors, you know, housing, fast-moving consumer goods, etc. And it has to start from the top.
Executives need to ask are they breach-ready. Not only are they GDPR-ready, but are they data breach-ready; and that goes back to what we were discussing earlier the planning and response. Maybe a better question to ask is, are they prepared. Maybe if you start with that question in the first instance rather than are they protected, but are they prepared to respond to a cyber-attack, to a cyber breach. And that is a fundamental position they should start from today, not are we protected.