How the “12 Days of Christmas” Create Headaches for Cybersecurity Teams
On the first day of Christmas, our sales guy gave to me: A network-crushing phishing scam exploit.
On the second day of Christmas, the finance department gave to me: Two ransomware shutdowns, and another phishing scam exploit.
On the third day of Christmas, the CEO gave to me: Three botnets spamming, two more ransomware shutdowns and yet another phishing scam exploit …
OK, you get the picture by now: If it’s the holidays, your cybersecurity team members may be asking for lots of Advil in their stockings. This is the season, after all, when your executives, middle-level managers, staffers, contractors and other authorized users are often working remotely and multitasking to get everything done before the winter break. Many, of course, are also surreptitiously shopping online on company-owned computers: Two-thirds of employees said they holiday shop online while on lunch breaks, according to a recent survey from Robert Half Technology. Two of five do so on work-issued computers and, worse yet, 55 percent said their employer has never provided to them any information/training about the security risks of such activity.
In other words, it’s hardly a “holly, jolly” time of the year for beleaguered cybersecurity teams, thanks to the ever-present “accidental insider threat” – employees and additional users who harbor no malicious intent, yet invite network/data compromises through their own ill-conceived and frequently careless behaviors. In fact, accidental insiders account for more than one-half of internally caused breaches, according to Forrester.
So who are these people and what sort of activity do you need to monitor? In keeping with the seasonal theme here, we’ll present the following “12 Accidental Insiders” of the holidays, as broken down into four classic categories:
1. Convenience Seekers
Description: They’re typically not “bad” employees. They’re just constantly in a rush, saddled with lots of responsibilities and tasks. Yet, in trying to be productive and accountable, they let their guard down. They include people like …
Sarah in R&D. She’s looking forward to a “Caribbean for Christmas” destination vacation. But she also wants to do work on the plane. So she copies a dozen docs onto her USB drive. Oh, and she bought the drive used from an unfamiliar online vendor to save a few bucks. And, yep, it’s infected.
Bob the senior salesman. Because he’s always on the road – especially as he looks to discount-sell a ton of inventory before the end of the calendar year – Bob can’t get enough of cloud-based storage services to share daily lead sheets with his team. Even services which aren’t authorized by IT.
Tom in auditing. Tom travels all the time, going to regional and international office locations to examine the books. He lives on public Wi-Fi at airports, hotel lounges, etc. And he never bothers to assess the trustworthiness of the source of his connectivity – he’s just happy to log-on!
Description: They’re somewhat tech-savvy – to the point where they believe cyber mistakes are something “other people do.” Here are three of them …
Evan the HR director. He “reads up” on the latest threats, and thinks he can “see” them incoming before they strike. He considers himself a self-taught expert on the topic. Which is why he ignores recommended, baseline precautions from IT, such as activating device encryption or routinely changing his passwords.
Suzy the chief marketing officer. When ad campaigns kick up in December, there isn’t a “latest, greatest” gadget or app that Suzy doesn’t crave – regardless of the vulnerabilities they could bring to the network.
Corinne in customer relations. Corinne firmly believes that the best way to understand customers is to be one. So from Cyber Monday to Christmas Eve, she’s using her work-provided tablet to “shop ‘til she drops,” grabbing every online holiday coupon she can find – even its from an untrusted or unsecure source. If IT sends a company-wide email warning about these sites, she smirks and presses “delete” without calling up the message.
3. Entitled Ones
Description: These folks load up on “privileged user” accommodations. It makes them feel important. Cyber crooks agree that they are, and seek out Entitled Ones as highly valuable targets.
Ingrid in IT administration. There’s no “getting away” for Ingrid, particularly when she’s receiving help desk requests while traveling to see family members during the holidays. She’s so responsive to the requests that she doesn’t always check out the source – a perfect setup for hackers who social-engineer via bogus “emergency” SOSs.
Steve the social media guru. Steve essentially serves as the official “face” of the franchise, posting the latest company news on all of the social media sites – even the ones which are prime attack zones.
Christine the closer. When the deal needs to get done, Christine delivers like no one else. She’ll go anywhere, anytime to “bring that M&A home,” while keeping her laptop in open view for anyone to lurk (or swipe) when she’s in an airport terminal or coffee shop. This is quite risky at this time of year, given the annual spike in travel.
Description: These execs and board members are at the top of the corporate food chain. Because they “call the shots,” they’re not about to let IT tell them what to do. They may remind you of bigwigs like …
Caroline the COO. Caroline hops on the company plane and grabs the nearest smartphone to make decisions “on the fly.” She takes pride in making tough “gut calls,” so caution be damned. That goes for her devices too, which are rarely secured.
Henry the board chairman. For Henry, “work stuff” and “personal stuff” all blur into one, so he uses the same, suspect service for business and private emails. Crooks looking to steal proprietary corporate data appreciate this, because Henry makes their job so much easier.
Dan the CEO. The top sets the tone, doesn’t it? Unfortunately, Dan pushes the troops to “deliver big – whatever it takes” to meet end-of-year goals. Consequently, he dismisses the CISO’s timely warnings about heightened risks this month as baseless “Chicken Little panic attacks” which simply “get in the way of business.”
So deck the halls, make preparations for the office party and otherwise enjoy the celebrations. Our Accidental Insider summaries here aren’t intended to put a damper on festive spirits. They’re presented as hypothetical but very realistic “people scenarios” to watch out for, because there’s always a “cyber-Grinch sliding down the chimney” somewhere. By identifying, anticipating and preventing threat-inviting behaviors, you ensure that the holiday season is a memorable – and safe – one.