European Businesses Face a Threat From Within

How is Europe's business community reacting to the 'threat from within'?

From Target to Korea Credit Bureau to Morrisons, recent months have seen data breaches that have exposed thousands, if not millions, of private records. While these incidents do vary in terms of scale and impact, they all share one commonality – businesses are struggling to defend their resources from those already legitimately within the perimeter. Though ‘the threat from within’ has long been a security consideration, we carried out some research to gauge the business community’s reaction to this worrying trend.

The March data breach at Morrisons, the UK's fourth largest supermarket group, is a good place to start, as it is the most classic example of the insider threat in effect. Here, the sensitive payroll details of around 100,000 staff were surreptitiously stolen by a disgruntled employee, and the company only found out the theft had taken place when it was alerted by a third party (a local newspaper). Given how unsophisticated this attack was, it should come as little surprise that our research – recently conducted with analyst firm Ovum into how European IT decision makers are tackling insider threats – revealed a meagre 6% of UK businesses feel safe from this sort of compromise. Germany fared marginally better at 9%, and only 11% in France feel safe.

While these numbers seem unsettling, they are indicative of the complexity involved in defending resources from an insider-led data breach. While 50% of all respondents said everyday users posed the biggest risk, insider threats can come from a variety of sources, including third-party contractors with legitimate access, IT service providers, or even trusted business partners. Close to half of the research respondents felt that insider threats are more difficult to detect today than they were last year. The highest levels of concern were expressed by the French at 53% and the Germans at 47%, while the UK had the lowest response rate at 38%.

When we look closely at the type of users that are causing concern to enterprises, an essential point to note is that 42% of UK respondents, versus 34% of their German counterparts, acknowledge that it is ‘privileged users’ that pose the biggest risk to data security from an insider threat standpoint. Every organisation has these types of users who have powerful, privileged network access rights, often assuming titles like root users, system or network administrators. Although many assume that privileged users are senior executives, like the managing director or head of finance, privileged users are to be found elsewhere in the business, at the IT administrator level. While their presence is essential, it is how these insiders are controlled and secured that is often the weak link in the data security framework. A useful reference point here is that Edward Snowden was a privileged user: as we know, he used his privileged user status to walk away with a hoard of information whose depths we are still discovering.

It’s important to recognise that the insider threat does not only involve insiders who choose to abuse their positions to steal data. There are also cyber attacks designed specifically to hijack legitimate employee access credentials in order to infiltrate systems and steal data using those stolen credentials. These types of ‘Advanced Persistent Threats’ (APTs) can lie undiscovered on networks for long periods of time. It’s worthwhile to note that the hackers responsible for the Target breach gained access to point of sale terminals, as well as back end repositories that had detailed customer information, by compromising the account of an authorised person in the supply chain. While the prospect of managing this multi-faceted risk may seem daunting on paper, it appears European businesses are taking steps to defend their operations from this type of attack. Indeed, 30% of European businesses surveyed highlighted APTs as a primary driver for ramping up data breach defences. By country, Germany feels most vulnerable to an insider attack at 33%, while France and the UK returned figures of 23% and 22% respectively.

In terms of allocating spend to address insider threats, an interesting statistic to note is that 69% of German businesses are likely to increase their IT security spend for the year ahead. Here, it’s highly probable that the Vodafone Germany data breach in late 2013, where an attacker with insider knowledge stole the personal data of two million customers from a server, may have been an influential factor. Another contributory factor may also be continued sensitivity at national level around issues of surveillance and data privacy.

The research also highlighted that data encryption and key management, followed by identity and access management, and then network protection are seen as the most important deterrents against insider threats. Ultimately, as IT assets swell and business data is increasingly distributed across big data platforms and cloud-based services, the risk presented by the insider threat is only going to increase. For organisations seeking to defend themselves, a data-centric approach to security that starts and ends at the server level is needed. Although controlling mobile devices remains a lingering concern for many businesses, these devices are used as the source of access to data held in corporate servers and data centres. Equally, it is essential to look to solutions that monitor data access to identify inappropriate user activity, and that scale with growing security mandates and requirements without diverting an inordinate amount of IT resources.


Alan Kessler is CEO of Vormetric