From wooden shoe to click of a button: the risk of disgruntled employees


FEATURE

might help in decryption and provide further details about the attack. Some professionals recommend quarantining any computers known to be infected, but it is safer to shut down all of them to keep the ransomware from spreading. Second, block remote desktop protocol (RDP) at the network level. Consider blocking all email attachments until the origin of the attack is fully understood. Third, assess the damage and determine the point of entry. This is where your back-ups come into play. Depending on which systems were infected, this is when the organisation will need to revert to its back-up plan. Pulling an entire server offline may take more planning. The key here is to have a reliable and well-tested back-up to get the business up and running quickly with minimal repercussions.

Lacking back-ups

If an organisation is struck by a ransomware attack but it does not have a back-up system in place, it will need to take a slightly different approach. The IT team will need to assess the value of the data that has been encrypted and decide whether it is worth hiring a security or ransomware expert to try to recover the data. If the answer is no, they might be tempted to pay the ransom, which is not a good idea! Even if the ransom were paid, there is no guarantee of receiving the decryption keys, and thieves often increase the ransom the longer they have to wait for it to be paid. Companies that have fallen victim to ransomware and lost data due to a lack of appropriate security measures and/or back-ups must re-assess their overall data protection policies and take the relevant prevention measures. Ransomware attacks are the perfect crime because the cyber criminals often ‘win’, and the anonymity makes it nearly impossible for authorities to track down the perpetrators, so instead of being intercepted and stopped, they move on in search of more potential victims. One thing we know for certain is that the attacks will continue and will evolve as companies learn to combat them. Businesses can no longer afford to sit back and hope that they will be the lucky ones to avoid attack. Data is a highly sought-after asset and its safeguarding must be of the utmost importance to businesses that wish to succeed in an increasingly threatening cyber landscape.

About the author

Florian Malecki is international product marketing senior director at StorageCraft. He drives the development of the vendor’s data protection and storage solutions. Prior to joining StorageCraft, Malecki worked in senior roles at SonicWall, Dell, Aventail, ClearSwift, Omgeo, Lucent Technologies and Air Products. He earned a master’s degree in business, marketing and technology from the Ecole Supérieure Des Affaires et Des Technologies, France.


From wooden shoe to click of a button: the risk of disgruntled employees

Sjaak Schouteren, JLT Specialty

Computer Fraud & Security, March 2019

As a society, we have greatly profited from the digitisation of our processes, the rise of the Internet and the Internet of Things (IoT). As companies, we are able to connect systems and data so that we can work efficiently and provide customers with the best service at the lowest cost. These benefits also bring a great amount of dependency on these systems and have subsequently opened a Pandora’s Box of very real and ever-increasing cyber- and technology-related exposures.

These cyber risks are global in nature, acting without regard to geography, sector or business size. The non-physical risks associated with the use of data and reliance on technology – a more accurate description of what is generally known as ‘cyber’ risk – are critical to the success of most, if not all, companies. As recent events continue to show, even the most sophisticated companies around the world are not immune to technology failures and cyber attacks, which can cause significant financial and reputational impact.

The human element

Cyber risks can be divided into three types – system failure, crime and human failure – with human failure likely to influence the chance and impact of the other two. When we read about cyber incidents in the press, journalists often highlight the foreign criminal’s hacking ability and the security failures of the victim. In reality, these incidents are usually caused by an intentional action or mistake by someone inside the company.

A special category that is getting more and more attention is that of the disgruntled employee. In the past, literature talked about disgruntled French employees putting their wooden shoes (sabots) in machines to disrupt or ‘sabotage’ them. But now, disgruntled employees can disrupt your whole company, your stakeholders, employees and clients with the simple click of a button. In the ‘2016 Cyber Security Intelligence Index’, IBM stated that 60% of all attackers are ‘insiders’ who either act with malicious intent or serve as inadvertent actors.[1] More than two-thirds of these incidents were attributable to malicious insiders. Furthermore, Verizon’s ‘2018 Data Breach Investigations Report’ found that 40% of the data breaches it analysed were perpetrated by internal operatives.[2]

In recent years, we have seen examples of employees facilitating sabotage and fraud for the benefit of a new employer or to satiate their need for recognition. The latter may be the least impactful, as they have a different motivation that’s less insidious. Sometimes incidents can involve employees having a disagreement with their manager over perceived security issues. When employees feel that their attempts to address a risk exposure and suggestions to improve security are not recognised, they seek other ways to make their arguments heard. For example, they could crack dozens of passwords to prove a point about the organisation’s security system. This incident could then lead to the employee reporting their findings to the manager or using the passwords to gain access to other systems.

A more common and impactful employee-based cyber risk is fraud. Typically, the employee will engage with an outside party who provides them with the means or incentive to carry out an attack. Predominantly it is the second option. The employee will then sell his log-in details or some critical security details and then take a step back to give himself plausible deniability. This can include him knowingly being ‘phished’. We have seen some significant losses in this instance, such as a bank losing millions after an employee sold log-in details and the SWIFT keys (codes for SWIFT money transfers) following redundancy.

The other type of insider fraud features direct involvement from employees. This initially tends to start in the IT department and then potentially involves collaboration with employees from other departments (eg, payment and IT). It will almost always result from the embedding of code into their system, which is then activated later. However, this movie-like concept of a USB stick being plugged in and immediately draining funds from the company is extremely unlikely. Sleeper attacks, potentially involving the IT department, are very difficult to detect. The fraudster may well be the person asked to sweep the system, or the person working with the employee responsible for reconciling the accounts, making it easy for someone to cover his tracks.

A very old example of this was the famous Superman III fraud in the US. This incident involved an amount between one cent and $1 in interest being deducted from every account during the monthly interest payments to the bank’s customer accounts. For reference, if the bank had one million accounts, this would mean a minimum of $10,000 being deducted every month. This scam is well known and actively detected by major banks, but smaller entities can still fall victim to it. Other fraudulent methods include blatant changes to payment details and data harvesting.
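The Superman III scheme described above is, from a defender's side, a reconciliation problem: each account is short by an amount too small for any one customer to notice, but the total has to land somewhere. The following Python is an added example, not code from the article or from JLT Specialty. It assumes a simple monthly-interest formula (balance × annual rate ÷ 12, rounded half-up to the cent) and works on constructed month-end data; it independently recomputes every interest posting, flags the "large share of accounts, each short by at most a dollar" pattern, and then looks for a single journal credit equal to the total that went missing.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, NamedTuple

CENT = Decimal("0.01")


class InterestPosting(NamedTuple):
    account: str
    balance: Decimal
    annual_rate: Decimal      # e.g. Decimal("0.024") for 2.4% p.a.
    posted_interest: Decimal  # what the month-end batch actually credited


class JournalCredit(NamedTuple):
    account: str
    amount: Decimal
    memo: str


def expected_monthly_interest(balance: Decimal, annual_rate: Decimal) -> Decimal:
    """Assumed bank formula: simple monthly interest, rounded half-up to the cent."""
    return (balance * annual_rate / 12).quantize(CENT, rounding=ROUND_HALF_UP)


def interest_shortfalls(postings: List[InterestPosting]) -> Dict[str, Decimal]:
    """Recompute each posting independently of the batch job; return accounts paid too little."""
    short: Dict[str, Decimal] = {}
    for p in postings:
        diff = expected_monthly_interest(p.balance, p.annual_rate) - p.posted_interest
        if diff > 0:
            short[p.account] = diff
    return short


def salami_indicators(postings: List[InterestPosting], credits: List[JournalCredit],
                      max_slice: Decimal = Decimal("1.00"),
                      min_fraction: Decimal = Decimal("0.5")) -> dict:
    """Flag the salami-slice pattern: a large share of accounts each short by at most
    max_slice, with the total reappearing as one credit elsewhere in the journal."""
    short = interest_shortfalls(postings)
    total = sum(short.values(), Decimal("0"))
    fraction = Decimal(len(short)) / Decimal(len(postings)) if postings else Decimal("0")
    all_small = bool(short) and all(d <= max_slice for d in short.values())
    # Where did the skimmed cents go? Any single credit equal to the total is a lead.
    sinks = [c.account for c in credits if total > 0 and c.amount == total]
    return {
        "accounts_short": len(short),
        "total_shortfall": total,
        "suspicious": all_small and fraction >= min_fraction,
        "candidate_sink_accounts": sinks,
    }


def build_sample(skim: bool = True):
    """Constructed month-end data (not real bank records): ten accounts at 2.4% p.a.;
    with skim=True the first eight are each shorted by a few cents and the sum is
    credited to an account that has no business receiving it."""
    balances = [500, 1000, 2500, 5000, 7500, 10000, 15000, 20000, 25000, 50000]
    slices = ["0.01", "0.02", "0.03", "0.05", "0.08", "0.13", "0.21", "0.34", "0", "0"]
    rate = Decimal("0.024")
    postings = []
    for i, (bal, sl) in enumerate(zip(balances, slices)):
        bal = Decimal(bal)
        expected = expected_monthly_interest(bal, rate)
        cut = Decimal(sl) if skim else Decimal("0")
        postings.append(InterestPosting(f"ACC-{i:04d}", bal, rate, expected - cut))
    credits = [JournalCredit("ACC-0003", Decimal("250.00"), "salary")]
    if skim:
        credits.append(JournalCredit("SUSP-9001", Decimal("0.87"), "rounding adjustment"))
    return postings, credits


def sample_report(skim: bool = True) -> dict:
    postings, credits = build_sample(skim)
    return salami_indicators(postings, credits)


if __name__ == "__main__":
    print(sample_report(True))   # skimmed month: suspicious, sink SUSP-9001
    print(sample_report(False))  # clean month: nothing short
```

The point of recomputing from balance and rate, rather than trusting the batch job's own totals, is that the person who planted the code may also be the person asked to sweep the system; the check has to run from data the batch job cannot massage.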

Breaches and intellectual property

In June 2018, US technology company Tesla revealed that a disgruntled employee hacked its computer systems and stole company secrets, passing them on to third parties. Tesla subsequently sued the former employee, although the suspect denied the allegations and claimed he was just a whistle-blower. Separately, a former programmer at security firm NSCO was caught selling code he had allegedly stolen from his former employer; and a former Apple employee was accused of downloading and stealing sensitive content regarding driverless car technology. Incidents involving an employee stealing personal data, on customers or employees, from an employer are not uncommon. Last year, healthcare provider BUPA warned customers that a rogue employee had stolen personal data with the intent to sell it to criminals. Similarly, in the US, three employees at the Department of Homeland Security were accused of stealing a computer system that contained data on over 230,000 employees. This fact has not escaped regulators, who have instigated criminal proceedings against employees that steal personal data, which can include taking client contact details with them when moving to a new firm. However, under the EU’s General Data Protection Regulation (GDPR), employers would be required to notify the regulator of any breach involving personal data. In 2017, victims of a data breach successfully sued UK supermarket group Morrison’s after a disgruntled employee stole and then published personal data belonging to 5,500 fellow employees. The case, the first data breach class action in the UK, saw Morrison’s held vicariously liable for the actions of the former employee, despite having adequate controls in place to protect personal data.

Fig 1: Internal actors involved in data breaches, ranked by number of breaches investigated. Source: Verizon DBIR.

Impact assessment and prevention

The most dangerous thing about disgruntled insiders is that they are insiders with authorised access to your systems. They can be left responsible for the systems and procedures created to prevent the very incidents they are potentially instigating. Furthermore, a cybercrime is still considered less impactful than other crimes by law. Instead of getting a minimum of five years’ jail time for armed robbery under UK law, stealing a computer would only land you in prison for two years, making it a more appealing form of theft for both internal and external criminals.

In order to face all cyber challenges head-on, companies must start by carrying out a risk audit and thoroughly understanding their cyber capabilities and vulnerabilities. They need to look at where the most exposed areas of the business are and where the metaphorical ‘crown jewels’ are stored. It is impossible for companies to manage their cyber risks and plan for the worst if their most vulnerable areas are unknown. In addition, steps need to be taken to ensure that data security is at the heart of the business’s strategic planning. The responsibility for and awareness of these cyber issues must be shared throughout the company, including marketing, HR, the legal department and the finance department. Delegating responsibility for cyber risks solely to the chief information security officer (CISO) will not guarantee your company’s safety. Quite the opposite, as the issue must have the attention of everyone from the board to the rank-and-file staff members to avoid inevitable weak links being exploited.

Fig 2: IBM research found that 60% of ‘attackers’ are insiders. Source: ‘2016 Cyber Security Intelligence Index’, IBM.

Biggest impact

Looking specifically at the insider threat, it is very important to know which employees could potentially cause the most damage. No company can ever be 100% secure, so companies should focus with great vigilance on where the impact will be the biggest. In this respect, one should look at the interaction between IT admin staff, top executives, key vendors and at-risk employees. Insurers would typically ask for basic security protocols to be observed. This would specifically include looking at the requirement for all exposed employees to take at least two weeks’ continuous leave every year with no access to the system, to give someone else the opportunity to do their job and possibly spot any irregularities. There needs to be regular rotation of staff members working with cash transactions, including regional and branch managers. Audits of critical branches and infrastructure need to be implemented without warning. These external audits need to be carried out by a recognised auditor using some form of internal security apparatus, which can also be used during internal audits. This auditor cannot have access rights to payment systems or customer data. In addition, critical employees should not stay in the same role for very long and when their position in the company changes, access rights should be amended accordingly. Similarly, whenever employees are terminated, resign or are made redundant, their access rights should be cancelled immediately.

As an absolute basic precaution, companies should always look out for disgruntled employees. Happy employees tend not to steal, hack or sabotage your company. Any promotion process will have disappointed candidates, so paying added attention to post-process monitoring is always a good idea, as threat actors are typically people in middle management. In the same way, anyone who regularly applies for a promotion unsuccessfully should almost permanently be under surveillance as a possible risk. Another important sign to look out for is staff with alcohol, drug or gambling problems. Simple procedures such as blocking gambling websites can be highly effective to restrict this behaviour within the workplace. Any member of staff who spends an inordinate amount of time with one customer or a small group of customers should also immediately raise suspicions.
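Three of the controls above (leavers lose access immediately, movers lose the entitlements of their old role, exposed staff take at least two weeks' continuous leave) are all checks of HR data against live entitlements, and they are only as good as the reconciliation that runs them. The Python below is an added example, not code from the article or from JLT Specialty. The role model (ROLE_ENTITLEMENTS, EXPOSED_ROLES), the finding codes and the HR and entitlement records are all constructed for illustration; the logic is the joiner/mover/leaver review an internal auditor would run periodically against the directory and the HR system.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed role model: which entitlements each role may hold, and which roles
# count as "exposed" (cash, payments, admin) and must take continuous leave.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "teller": {"cash-desk", "customer-lookup"},
    "branch-manager": {"customer-lookup", "approve-transfers", "branch-reports"},
    "it-admin": {"domain-admin", "payment-server-shell"},
    "marketing": {"crm-read"},
}
EXPOSED_ROLES = {"teller", "branch-manager", "it-admin"}


@dataclass
class Employee:
    uid: str
    role: str                        # current role per HR
    left_on: Optional[date]          # termination/resignation/redundancy date, if any
    leave: List[Tuple[date, date]]   # inclusive (start, end) of leave blocks taken


def longest_continuous_leave(blocks: List[Tuple[date, date]],
                             window_start: date, window_end: date) -> int:
    """Longest single block of leave, in days, falling inside the review window."""
    longest = 0
    for start, end in blocks:
        s, e = max(start, window_start), min(end, window_end)
        if e >= s:
            longest = max(longest, (e - s).days + 1)
    return longest


def review_access(employees: List[Employee], held: Dict[str, Set[str]],
                  today: date, min_leave_days: int = 14) -> List[Tuple[str, str, List[str]]]:
    """Cross-check HR status and role against live entitlements.
    Returns (uid, finding_code, details) tuples in employee order."""
    findings = []
    window_start = today - timedelta(days=365)
    for emp in employees:
        current = held.get(emp.uid, set())
        if emp.left_on is not None and emp.left_on <= today:
            # Leaver: every entitlement should already be gone.
            if current:
                findings.append((emp.uid, "LEAVER_STILL_ENABLED", sorted(current)))
            continue
        # Mover (or anyone): nothing outside what the current role allows.
        stale = current - ROLE_ENTITLEMENTS.get(emp.role, set())
        if stale:
            findings.append((emp.uid, "ROLE_STALE_ACCESS", sorted(stale)))
        # Exposed roles: at least one block of min_leave_days away from the system.
        if emp.role in EXPOSED_ROLES:
            longest = longest_continuous_leave(emp.leave, window_start, today)
            if longest < min_leave_days:
                findings.append((emp.uid, "NO_CONTINUOUS_LEAVE", [str(longest)]))
    return findings


def sample_findings() -> List[Tuple[str, str, List[str]]]:
    """Constructed HR and entitlement data, reviewed as of 1 March 2019."""
    today = date(2019, 3, 1)
    employees = [
        Employee("u100", "teller", date(2019, 2, 15), [(date(2018, 7, 2), date(2018, 7, 20))]),
        Employee("u200", "branch-manager", None, [(date(2018, 8, 1), date(2018, 8, 20))]),
        Employee("u300", "it-admin", None, [(date(2018, 6, 1), date(2018, 6, 7)),
                                            (date(2018, 12, 24), date(2018, 12, 28))]),
        Employee("u400", "marketing", None, []),
    ]
    held = {
        "u100": {"cash-desk"},                                          # left two weeks ago
        "u200": {"cash-desk", "customer-lookup", "approve-transfers"},  # promoted from teller
        "u300": {"domain-admin"},                                       # never off the system
        "u400": {"crm-read"},
    }
    return review_access(employees, held, today)


if __name__ == "__main__":
    for uid, code, details in sample_findings():
        print(uid, code, details)
```

Running it against the constructed data produces one finding per control: the leaver who still holds cash-desk access, the promoted teller who kept the entitlement of the old role, and the administrator who has not been away from the system for a full fortnight in the past year.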

Besides organisational measures, companies can also look at installing technical measures. Fortunately, most employees are creatures of habit. They often perform the same tasks, go to work at the same time and interact with internal technology in the same manner. Data analytics and artificial intelligence can help organisations discover irregularities in the behaviour of individual employees, while simultaneously alerting them to systems being compromised.
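The "creatures of habit" observation above is the whole basis of behavioural analytics: learn each user's normal hours, hosts and actions from a quiet period, then score later events against that profile. The Python below is an added example, not code from the article or from JLT Specialty; the log format, the three habit dimensions and the sample events are all constructed for illustration. It builds a per-user baseline from a batch of historical lines and reports, for each later event, the reasons it departs from habit (an unusual hour, a host never used before, an action never taken before, or a user with no history at all), skipping lines it cannot parse rather than guessing.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed log format for this example (not any real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$")


def parse(line: str) -> Optional[dict]:
    """Parse one audit line; malformed lines yield None and are skipped by the caller."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "host": m["host"], "action": m["action"]}


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per-user habit profile: hours of day, hosts and actions seen in the baseline period."""
    profile: Dict[str, dict] = defaultdict(
        lambda: {"hours": set(), "hosts": set(), "actions": set()})
    for e in events:
        p = profile[e["user"]]
        p["hours"].add(e["ts"].hour)
        p["hosts"].add(e["host"])
        p["actions"].add(e["action"])
    return profile


def circular_hour_gap(a: int, b: int) -> int:
    """Distance between two hours on a 24-hour clock (23 and 0 are one hour apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score(event: dict, baseline: Dict[str, dict], hour_slack: int = 1) -> List[str]:
    """Reasons an event departs from the user's habits; an empty list means 'looks normal'."""
    p = baseline.get(event["user"])  # .get does not create a profile for unknown users
    if p is None:
        return ["unknown-user"]
    reasons = []
    if all(circular_hour_gap(event["ts"].hour, h) > hour_slack for h in p["hours"]):
        reasons.append("unusual-hour")
    if event["host"] not in p["hosts"]:
        reasons.append("new-host")
    if event["action"] not in p["actions"]:
        reasons.append("new-action")
    return reasons


def flag_anomalies(baseline_lines: List[str], new_lines: List[str]) -> List[Tuple[str, List[str]]]:
    baseline = build_baseline([e for e in map(parse, baseline_lines) if e])
    flagged = []
    for line in new_lines:
        e = parse(line)
        if e is None:
            continue
        reasons = score(e, baseline)
        if reasons:
            flagged.append((line, reasons))
    return flagged


# Constructed sample data: a quiet fortnight for two office users, then a day of new events.
BASELINE_LINES = [
    "2019-02-04T08:55:12 user=alice host=ws-12 action=login",
    "2019-02-04T09:10:03 user=alice host=ws-12 action=open-customer-record",
    "2019-02-05T08:58:40 user=alice host=ws-12 action=login",
    "2019-02-05T17:02:11 user=alice host=ws-12 action=logout",
    "2019-02-04T13:05:00 user=bob host=ws-07 action=login",
    "2019-02-05T13:12:45 user=bob host=ws-07 action=login",
]
NEW_LINES = [
    "2019-02-18T09:04:30 user=alice host=ws-12 action=open-customer-record",  # habitual
    "2019-02-19T02:14:09 user=alice host=ws-12 action=bulk-export",           # 2am data pull
    "2019-02-19T13:30:00 user=bob host=vpn-gw-1 action=login",                # never from VPN
    "this line is not in the expected format",                                # skipped
    "2019-02-19T10:00:00 user=carol host=ws-03 action=login",                 # no history
]


def sample_flags() -> List[Tuple[str, List[str]]]:
    return flag_anomalies(BASELINE_LINES, NEW_LINES)


if __name__ == "__main__":
    for line, reasons in sample_flags():
        print(reasons, line)
```

In a real deployment the baseline would be rebuilt on a rolling window and the reasons fed into a case queue rather than printed; the design point that carries over is that the profile is per person, so the 2am bulk export is abnormal for alice even though a night-shift operator doing the same thing would not be flagged.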

Unauthorised access, much of which is committed by insiders, is a leading incident category. Source: IBM.

Seek assurance

To mitigate the risk of disgruntled employees, a company must understand the variety of scenarios that could arise in order to take the appropriate measures. However, history has shown that no company will ever be 100% safe. Therefore it is critical for companies approaching cyber risk and insurability to understand their current cyber coverage position. Theft of intellectual property by an employee, for example, is very difficult to insure under a cyber insurance policy because the financial impact can be hard to quantify. However, cyber insurance can cover the defence costs and settlements when a data breach results in litigation from the loss of third-party data, such as client data or intellectual property belonging to a customer or business partner. In the case of disgruntled employees, businesses also need to recognise the fine line between cyber and crime insurance. If companies were to look at their most likely internal scenarios, there should be elements of both insurance policies present to truly transfer this risk to their insurer. Having a clear picture of the interlocking elements of your cyber insurance coverage will give you a roadmap to plan for both retaining and transferring your cyber risk. This plan could involve expanding the boundaries of your existing insurance or lead you to purchase a new policy for more comprehensive cover.

About the author

Sjaak Schouteren is a partner in the European Cyber Team at JLT Specialty. After 14 years in the insurance world, he joined JLT in 2018 to lead business and client education across Europe and support the expansion of JLT Specialty’s cyber risk products from its Rotterdam office. He previously led the cyber team at Aon and worked as the business development manager for loss adjustment company Cunningham Lindsey, where he established its cyber team. Schouteren also became certified as a lead auditor for ISO-27001.

Resource

• ‘Employees engage in revenge cyber attacks’. JLT Specialty, 7 Aug 2018. Accessed Feb 2019. www.jltspecialty.com/our-insights/publications/cyber-decoder/employees-engage-in-revenge-cyber-attacks.

References

1. ‘2016 Cyber Security Intelligence Index’. IBM X-Force Research. Accessed Feb 2019. www.ibm.com/account/reg/us-en/signup?formid=mrsform-2988&S_PKG=ov47123&S_TACT=000000NJ&&S_OFF_CD=10000254.
2. ‘Data Breach Investigations Report’. Verizon. Accessed Feb 2019. https://enterprise.verizon.com/resources/reports/dbir/.