Threats don’t come only from outside. One study estimates that almost 40% of IT security breaches are perpetrated by insiders. Some reports claim that over 50% of enterprises have suffered an insider attack in the last 12 months, while 90% declare themselves to feel vulnerable to insider attacks. Why do these attacks occur? In general to make an immediate profit but sometimes too for motives of revenge or future profit, such as carrying off data to a new job.

IT Digital Media has brought together cybersecurity experts to debate insider threats, which are becoming increasingly common and costly. Javier Osuna, GMV’s Manager of Cybersecurity Services and Consultancy Division, spoke about his experience and gave his opinion on insider threats, stressing that digital transformation processes are inevitably blurring the physical and logical limits. Aspects such as time to market, mobility, telework, the association and subcontracting of firms and individuals have opened up the field and lengthened the value- and supply-chains. As a result insider threats are now becoming an increasing peril, calling for a raising of awareness and a rethink in line with borderless protection.

When dealing with such a broad-ranging concept as insider threats, Javier Osuna argued that we should focus on the perpetrators and their motives. Who are the insiders and what are they after?

The insider is the essential link of a “dark chain” of information supplies, necessary for other purposes driven by various motives (political, economic, social, criminal, etc.). Their hazardousness resides in the insider’s trusted position and ease of access to sensitive systems or information without triggering alarms. This is a complex scenario in which authorized persons are those who access the sensitive information, the destination of that information then determining whether or not an incident ensues.

The motives are diverse, such as hacktivism or organized crime, industrial espionage or even inter-country spying and finally the inadvertent result of careless or less conscientious workers, or sometimes even victims of extortion.

GMV keeps a continuous watch on all these modus operandi to ensure secure use of IT recourses and all information handled by any organization, developing use models (each organization has its own use cases), to weigh up the danger of misuse of sensitive information, its ease of access or visualization and requirements for its distribution. This enables us to break down any information-leaking incidents into various types, ranging from monitoring of any activity with the organization’s data, giving advice on a “Forensic Readiness” basis to build up investigation skills against incidents of this type and finally establishing warnings of information misuse.

If money goes missing this sooner or later comes to light because it changes location or owner. Detecting the modification, duplication or access of information, however, is difficult. The owner, after all, still has it. On most occasions, therefore, we have to look outside to pinpoint information leaks. We at GMV complete the circle on the strength of CERT services and cyber-surveillance processes.

In short, much is said about the detection of anomalies, but we need to be careful here, because normality is not always desirable. The worst threat is an undetected one still considered to be normal.

• VIDEO OF THE COMPLETE DEBATE
• ITDM SPECIAL – INSIDER THREATS