Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

Don’t forget the inside threat

Judging by the types of breaches we regularly hear about in the news, from the recent Facebook hack to China’s secret implantation of spy chips inside motherboards (which I’ll be discussing in my next article), it would seem that the biggest threats to our digital security are primarily external. Social engineering attacks such as phishing scams are especially prevalent and tend to stem from outside perpetrators with financial or political motives. Considering our near-constant exposure to these types of attacks, it may be hard to believe that the greatest cybersecurity risk an organization faces originates internally. 

The fact is, the state actors and nefarious basement-dwelling hackers we typically visualize are a less likely threat than the human risks to security that exist within our own organizations. Employees, partners, and third-party vendors introduce two very distinct, though equally damaging, types of threats to your firm’s cybersecurity posture: unintentional and malicious. Unintentional threats may include an employee falling prey to a phishing scam, a browser exploit, or some other kind of hack that compromises the data to which they have access. Wi-Fi attacks and the possibility of having a device stolen are also very dangerous and common, especially as people spend a greater amount of time working remotely. 

I once had a frantic phone call from a young attorney who had left their laptop in their car overnight. The next morning it was gone. Luckily, the laptop had been encrypted, so the potential for damage was somewhat minimized. However, it is clear that unintentional threats pose great risk and can be very costly to a firm financially, reputationally, and operationally. Typically, diligent employee education programs and regular training (especially following regularly scheduled security assessments) can improve defense strategies and establish reliable reporting mechanisms when unintentional security issues arise. Communication within organizations is key when it comes to responding to these instances head on.

Insider attacks

Conversely, malicious insider threats are impervious to training efforts and may actually prove more severe if an employee has extensive IT knowledge. A fairly consistent trend I have observed in conducting routine organizational security assessments is that management issues with access controls are fairly common. When too many people have too much on-demand access to too much information, there is more room for things to go wrong (and more seriously wrong). The more access a disgruntled employee has, the more successful their attack is going to be. 

In one unfortunate instance, a concerned firm contacted me with the suspicion that a former employee was continuing to access their systems remotely. Furthermore, it was suggested that perhaps this employee had also been sending confidential information to a private email account in the months leading up to their departure, with the intent to begin a competing firm.

The person was also suspected of downloading data beyond the scope of their own active cases to a USB device. Upon reviewing the details of the case, it turned out that this firm had not collected the employee’s devices upon their termination, and that the employee had continued access to the firm’s confidential client and case information. In spite of unusual network activity leading up to the former employee’s departure, nothing was done to discover what was being downloaded en masse, and the employee’s access controls remained the same even after they had announced their intention to leave the firm. 

Internal oversight is critical

This lack of oversight and clear termination protocols opened the firm up to a host of security issues that upper management had not anticipated. Client data was compromised and the firm’s reputation was marred by the incident. In instances of malicious insider threats, no amount of firewall protection or penetration testing can safeguard a firm from attacks that require no hacking at all. Unregulated access controls, lack of network monitoring, and weak termination policies work together to create a prime space for these threats to flourish—and often it’s too late once the damage is noticed. 

From accidentally clicking a link in a phishing email to purposefully stealing confidential data, the insider threat is the most dangerous security issue your firm faces. While these attacks can be very severe in and of themselves, the relative ease with which these threats can be brought to fruition makes them especially scary. For unintentional threats, as I’ve noted in previous articles, education is key. Knowing what a scam email looks like, knowing to whom information can safely be given, and recognizing the typical threats are critical to mitigating the risk. Employees who are unaware of recent cybersecurity trends are not well-equipped to handle them when they arise. But malicious threats require diligence on the part of IT departments and upper management. Having appropriate protocols in place for potentially disgruntled employees, termination practices, and access controls are all important elements of protecting key data and assets. Acknowledging the insider threat may be even more important than staying apprised of external threats to your firm.

MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 trials. He is a member of the MN Lawyers Professional Responsibility Board.  
