Myths, statistics and holistic security – are insiders the real problem?

The world of cybersecurity is filled with conflicting statistics, based on outdated data and infused into marketing material promoting products. Lately, though, a new buzzword has entered the marketing jargon of the industry: holistic. The term is applied to products and services that approach security not just from outside a network but from within. It might not be a bad idea.

The debate regarding where the biggest vulnerabilities lie goes back more than a decade. A 17-year-old FBI report claimed that 80 per cent of data breaches originate internally. In 2009, Michael Kassner, writing for TechRepublic, said the report didn’t really explain what constituted an “insider.” In his research, Kassner drilled down to define an insider as anyone who is a current or former employee or contractor whose permissions are still active. He further defined a security breach as an intentional act. Conventional wisdom (CW), however, lumps all of that together with unintentional breaches (like leaving a password on a note taped to a computer monitor).

In the years since Kassner’s research, the conventional wisdom has proved to be fairly divergent from reality.

External/Internal threats are equal

Statista, a statistics company, uses an algorithm that averages results from multiple studies. In a recent report on the site, data journalist Martin Armstrong demonstrated that the problem is much more nuanced. His report stated that the majority of attacks are an inside job, but the majority is not as large as “CW” holds: 40 per cent of attacks are externally initiated, while 60 per cent are internal.

It may be that the internal share is shrinking because of the rise of cybercrime worldwide, but the internal threat is still the bigger problem. Of the dozens of Cyber Protection Magazine interviews in the past year, almost all focused on the external 40 per cent, leaving almost two-thirds of the threats ignored. In fact, some of the companies believe the internal threat is just not that big a deal.

For example, we interviewed a company that places cryptocurrency bounties inside a network for criminals who infiltrate it, with a promise that they will not be pursued if they just take the bribe. After that, the vulnerability can be patched. We asked several questions, including:

  • Can a criminal steal the BitTrap customer list and harvest the bribes?
  • What about legislation forbidding the paying of ransoms?
  • Can current or former employees harvest the bribes and then quit?

The CTO dismissed all those scenarios, which is not unusual for many cybersecurity tech companies. It is noteworthy that several cybersecurity experts had been asking those same questions on Twitter when the company put out its announcement, with no satisfactory answers. Also notable is the lack of news coverage beyond the company’s own news release.

Hygiene is not enough

According to the Statista report, internal attacks are intentional 60 per cent of the time, while 15.5 per cent of them originate from human error. That means the universal application of basic data hygiene, often touted as the best defence, is a myth: it fixes only the 15.5 per cent of the problem caused by error. Hygiene is a good idea, but it leaves a lot to be done.


Daryl Crockett, CEO of the security research firm ValidDatum, thinks the Europeans have the proper response: make employees liable for the breaches they facilitate, even if they do so without malicious intent.

“The US laughed at the EU for implementing the GDPR. ‘Oh, those silly Europeans and their invasive regulations.’ Who’s laughing now?” Crockett said the US is now scrambling to match the EU data regulations. She called the California Consumer Privacy Act the first acknowledgement of the EU’s wisdom, but it didn’t go as far as the GDPR. Under the GDPR, European employees are written up when data put on personal devices gets leaked. That goes a long way toward reducing human error.

“The Europeans have baked in data security by design. In the United States, there’s never been an incentive to get to that level of protection for a company’s digital assets,” she explained.

Instead of allowing the term “zero trust” to remain a marketing buzzword, she treats it as a corporate methodology. She recommended “tokenizing” data so that only employees and vendors with an explicit need to access sensitive data can do so.

Creating an Upheaval

One company that seems to have created such an ecosystem is Upheaval. The company offers blockchain technology to secure data internally and externally while at the same time enforcing digital hygiene: in short, a holistic zero-trust methodology.

Blockchain applications are generally monolithic, power-hungry and processing-intensive. Upheaval’s approach, called IronWeave, breaks the data streams up into multiple blockchains. Only authorized members of an enterprise holding an encryption key have access to specific blocks of the network, and each key is unique and traceable to whoever accessed the data.

“Our blockchain data fabric is that all activities are immutably captured, and creates a new secure block with any access attempt,” said David Iseminger, CEO. “We’re not creating porous walls around systems that constantly need to be patched. It’s a truth machine with immutable, untamperable capture of whatever occurs inside a company.”

IronWeave might be the first holistic data security product available that won’t break corporate budgets. It locks down internal threats and weaknesses while eliminating external vulnerabilities, and malicious actors are traceable and isolated before any data is exfiltrated.

An audio interview with Iseminger is available here.

Lou Covey

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
