The Dtex 2018 Insider Threat Intelligence Report continues to lead industry discussions about how frequently the insider threat occurs in public and private sector organizations. Last week, CSO’s Christopher Burgess dove into the report in “How pervasive is the insider threat in your company?” Burgess’ story looks at all insider threat types active today and provides comments on ways to reduce associated risks.
GDPR: Still Much to Do
Dtex EMEA VP Mark Coates penned a timely piece for Dark Reading revealing further how regulations designed to improve security and privacy can actually end up eroding it. In “How GDPR Could Turn Privileged Insiders into Bribery Targets,” Coates explains why this headline is valid:
GDPR mandates hefty penalties for companies that are breached. Penalties can reach as high as 4% of a violator’s annual revenue. (Remember, Google and Facebook are already facing $9 billion in fines). This means that in many cases, penalties will far outweigh the actual cost of a breach, which criminals know.
Rather than auction stolen data to fellow crooks for pennies or try to exact a ransom to unencrypt it, criminals will start to ransom stolen data back to the organizations they heist it from in exchange for not exposing it publicly. The extortion price will be substantially higher than what could be earned on the Dark Web but significantly lower than an actual GDPR breach fine. Paying extortion may create an ethical dilemma for companies, but it will make smart business sense as it will be much lower than financial penalties.
Privileged insiders are central to this scenario. Cybercriminals will be motivated to bribe them, as holders of the kingdom’s keys, into giving up their credentials. Once criminals have hold of these, they will have an opportunity to earn payouts way beyond anything ever seen in the past.
Bribing insiders will only get easier. According to Ian Thornton-Trump, cyber vulnerability and threat-hunting lead at Ladbrokes Coral Group, writing in Tripwire, GDPR privacy regulations will actually shield criminals’ operations in some cases. Other studies have shown that employees are willing to sell passwords. The promise of a reduced risk of getting caught combined with getting a piece of a substantial extortion payment may be more than many people can resist.
He concludes with four steps organizations can take to reduce risk.
More Dtex News …
Last week, Dtex CEO Christy Wyatt contributed a byline to Chief Executive Story, where she had an opportunity to share insights about her personal leadership style and how she applies it to her role at Dtex. Wrote Christy:
There are two signs on my office wall. One says, “Life is Short, Do Stuff That Matters” and another says, “Get It Done.” Both speak to what connects me to my working life and to the culture we’re building at Dtex Systems.
Read the full story at: Focus (you don’t have as much time as you think)
Also last week, Dtex Insider Threat Analyst (EMEA) Katie Burnell was featured in Dark Reading’s new “Women in Security” list, which highlights women who are driving change in cybersecurity. Read the full profile at: 10 More Women in Security You May Not Know But Should.
Vulnerable Humans Continue to Drive Data Breaches
Last Monday, UnityPoint Health reported the cause of its recent data breach to the California Attorney General reporting site. While the detail in required breach notification letters varies, it reads as if UnityPoint is quite clear about what happened. According to UnityPoint:
Our investigation shows that our organization received a series of fraudulent emails known as “phishing” that were disguised to appear to have come from a trusted executive within our organization. The phishing emails tricked some of our employees into providing their confidential sign-in information which gave attackers access to their internal email accounts between March 14, 2018 and April 3, 2018. Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing protected health information and/or personal information for certain patients. While unauthorized access to patient information may have occurred, no known or attempted misuse of patient information has been reported at this time.
Our investigation and outside experts’ review indicate that this series of phishing emails was part of an attack on our business email system. According to computer forensic experts and law enforcement, these types of attacks are usually financially motivated. The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization, rather than on obtaining patient information. Based on our investigation, we believe the perpetrators were trying to use the email system to divert payroll or vendor payments.
This recent data breach is yet another example of how frequently and easily organizations’ most trusted insiders are fooled by external attackers. It is also a reminder of how often organizations fail to provide employees with protection against such attacks. To learn more about the problems vulnerable humans create, read: Introduction to the Insider Threat: What It Is and Why It Matters.