Tesla Feel The Heat Of An Insider Threat
June 2018 by Colin Tankard, Managing Director, Digital Pathways
Tesla, the luxury electric car maker, seem to have fallen foul of an insider threat episode, with Elon Musk warning that a disgruntled staff member had altered the company’s IT system code, harvesting highly sensitive information and giving it to others.
Traditionally, the term ‘insider threat’ does indeed invoke images of malicious employees lurking in the shadows of an office, attempting to steal company secrets or bring down the system. The reality is that this form of ‘evil insider’ is infrequent at most companies, though clearly not Tesla, with instances of such threats occurring once in a ‘blue moon’. The real issue, and the biggest risk to confidential data, is the negligent employee, more commonly categorised as the ‘Unintentional Insider Threat’.
It is common that when a cyber security professional attempts to speak with C-level management about mitigating and even preventing the Insider Threat, the feedback they receive is along the lines of, ‘Everyone here is happy. We don’t have disgruntled employees, so we don’t have to worry about Insider Threat!’
Perhaps that is true. But if you ‘turn the conversation on its head’ and talk about the Insider Threat as unintentional threats (employees who make mistakes, inadvertently causing harm), executives listen.
A Verizon 2015 data breach investigation report showed that ‘Insiders’ are responsible for 90% of security incidents, and that of these 29% are deliberate and malicious whilst 71% are unintentional. The unintentional incidents include misuse of systems and log-in/log-out failures, with cloud storage leading the way.
There is no doubt that organisations that understand, address and focus on minimising the damage from the Insider Threat are going to be the companies that win. And remember, even if your technologies are not obsolete, you will still need to augment your security protocols for Insider Threats and Unintentional Insider Threats.
Many people think about firewalls and other deterrents to keep an outside threat from accessing systems. However, with an ‘Insider’, most vulnerabilities that exist can’t be removed because, of course, you need your employees to be productive and, in order for them to be so, they need access and special permissions to perform their jobs.
Having clear visibility into employee actions is critical. For example, what happens when the employee wants to download software, or click on an attachment that will not run unless it runs with an administrative login? Your employee has to assess the threat on their own, even though they may not be qualified to do so. Your user believes the threat to be low, but the cyber security professional knows that this particular risk is high.
One solution is to use an activity-monitoring tool. With these systems, the employee who is performing a risk assessment ‘on-the-fly’ and chooses to download an attachment they are not supposed to will be shown a pop-up window. The window will tell them that they are working outside of the established cyber security policies. This simple pop-up can stop employees from being tricked or manipulated. You won’t have users determining what is an acceptable risk, because they will receive a policy notification that they do not have permission to perform a task. In short, employees will learn as they go.
Our experience has shown that as we reduce the number of user errors in handling data, it enables the organisation to focus on the real threats such as rogue users. We liken it to reducing the size of the haystack to make finding ‘the pin’ that much easier. Activity monitoring tools enable you to easily see which users are doing ‘risky stuff’, record their actions and block any malicious threats to company data.
One thing is for sure: the Insider Threat is not going to get any better, nor is it going to go away. In fact, the opposite is true. So take steps to limit your company’s risk from Insider Threats, whether innocent or not, and don’t open yourself up to attacks such as the one Elon Musk has had the misfortune to experience.