Why your most trusted employee could be your biggest threat

Posted by Gemma Sirett on April 17, 2019

95% of cyber security breaches are due to human error[1]. It could be you. The best bit? You probably won’t even know you’re doing something wrong. You have inadvertently just become an unintentional insider threat.

What’s an unintentional insider threat?

A person becomes an unintentional insider threat when they unwittingly allow a cyber attacker to achieve their goal – whether that’s a data breach, access to systems, or diverting payments to a criminal’s account. This can be through negligence or lack of knowledge, but can also be a result of just doing your everyday job.

Unintentional insider threats are particularly dangerous because the traditional methods of identifying insider threats don’t work – they don’t try to hide emails or files, because as far as they’re aware, they’re not doing anything wrong. If an attacker presents themselves as a legitimate person with the right credentials to request a change, the unsuspecting employee will probably respond exactly as the attacker was hoping.

Trusted employees have access to company-sensitive information, assets, and intellectual property, and permission to make financial transactions – often without requiring any further approval. Threat actors target these privileged, trusted people – impersonating suppliers, regulators, and known colleagues – and try to encourage them to do something they have permission to do, but shouldn’t.

“Staff authorised to access sensitive information, manage financial assets, or administer IT systems will be of greater interest to an attacker (and may be the target of a sophisticated spear phishing campaign)." [2]

Why are these threats so prevalent?

Email allows threat actors to communicate with users with almost no defensive barriers between them. Even the most diligent employee gets distracted, rushed, or slightly too tired, which is all it takes for a malicious email to achieve its objective – whether that’s clicking a link, opening an attachment, or trusting the email’s source enough to reply. You don’t expect to be attacked in your safe office environment – threat actors prey on this perceived safety, to catch you off your guard and socially engineer you into doing something you shouldn’t.

Payment diversion fraud is a well-known method of attack, where adversaries pose convincingly as an existing supplier, and request your trusted, authorised employee to change their payment details due to a security incident, or other such urgent, yet credible, situation. This type of fraud doesn’t always happen over email either – phone calls, letters, and even faxes can be used by attackers, in an attempt to avoid detection.

We all know what a spam email looks like, but 97% of people are unable to identify a sophisticated phishing email[3]. This is hardly surprising when you consider that there are, comparatively, so few highly-convincing fake emails – because you don’t see them every day, you’re not always looking out for them. Then there are some methods of impersonation you can’t realistically be expected to detect – for example, spotting the difference between a 1, l, and I (1, L, and i, respectively). Attackers know you’re not meticulously scanning every email for tiny details like this, so they take advantage. Read our blog post on CEO fraud, which covers impersonation like this in more depth. If your email security currently relies on users correctly identifying malicious emails 100% of the time, your defences are going to succumb to attack.

But how can you prevent the unintended?

90% of organisations feel vulnerable to insider attacks[4]. Monitoring normal access and behaviour patterns can give early warning signs of potential intentionally malicious activity, but the same can’t be said for unintentional insider threats. The attacker’s request could be comfortably within the scope of your daily duties.

The information available to users is often insufficient for them to determine whether an email is legitimate. As such, you should be suspicious and challenge requests, especially if they’re unexpected or urgent. Checks should also be put in place for a second pair of eyes to confirm certain requests before any action is taken, for example, changing payment details or making unscheduled wire transfers. If the request is for a financial transaction or asks for sensitive or personal information, phone the person who made the request (or better still, speak to them face-to-face) to confirm it’s genuine.

If you’re ever in doubt, following best cyber security practice is always a good place to start. But there’s only so much humans can do…

CORVID Email Protection scans every inbound email to detect what humans can’t. Our clear traffic light banner provides the information you need to make an informed decision about an email’s nature and legitimacy before acting on it, making it easy to avoid becoming yet another unintentional insider threat. See the difference the banner makes – would you have spotted the phish?

Punycode-email-banner-1
With the CORVID Email Protection banner, it's easy to see the email doesn't come from where it appears to come from.
Footnotes
  1. Cybint, ’13 Alarming Cyber Security Facts and Stats’
  2. NCSC, ‘Phishing attacks: defending your organisation’
  3. Dashlane, ‘Phishing Statistics: What Every Business Needs to Know’
  4. Cybersecurity Insiders, ‘Insider Threat Report’
  5. DMR, ‘100 Frightening Cyber Security Statistics and Facts’