The cyber threat. It’s becoming a never-ending game in which criminals are getting increasingly sophisticated, continually raising the bar for companies to defend against. Cyber crime has become a whole industry of its own now: it’s what some people do for a living. We only need to look at the recent global ransomware attack which hit the NHS so badly here in the UK to see what effects cyber crime can have.
But one of the most potent threats comes from within. Indeed, the just-published Harvey Nash/KPMG survey of nearly 4,500 CIOs and tech leaders globally finds that the insider threat is the fastest-growing one of all. It also found that nearly a third (32%) of organisations had been subject to a ‘major’ cyber attack in the previous 12 months – up from 22% three years earlier. Cyber security was discussed at the most recent Board meeting in over a third of cases.
It’s not difficult to see why CIOs (and their fellow board members) are worried about insiders. In today’s service economy, the border between ‘insiders’ and ‘outsiders’ is blurring all the time. Companies now work with a whole ecosystem of suppliers – contractors, freelancers, temporary staff. Complete processes are outsourced to IT and other service providers. Whole teams of people may be managing your IT systems for you on the other side of the world and you have little idea who they actually are.
The result is that we can so easily lose track of who’s an insider and who’s an outsider. Outsiders have become virtual insiders and it is much harder to control what they can do.
Added to that, the threat is so potent because an individual who wants to cause harm doesn’t need to look far to learn how to do so. Watch a few ‘tutorials’ on YouTube, look around on the dark web for some tools: it really isn’t difficult.
So what can companies do about it? Well, there’s no magic answer and the reality is that it is hard.
But it certainly helps if you have some basics in place. The government-backed Cyber Essentials scheme sets out nicely five key practices which are around: strong boundary firewalls, secure configuration of systems, regular patching (updating) of software, malware protection and – the hardest one of all – user access control.
That’s hard enough with your own permanent staff. You need to make sure that new joiners get access to the systems they need quickly – but balance that with not giving them too much access to everything too soon. At the same time, it’s vital to ensure that leavers’ access is disabled promptly when they depart the organisation.
Then you have the issue of people that move around within the company to different roles, acquiring different accounts and access rights over time – you need to ensure that what they no longer need is turned off. All of this requires good coordination of information flows between line managers in the business, HR, and IT.
But of course, it gets even harder when you apply these same issues to all those outsiders who are insiders. Firstly, it means ensuring you have contractual agreements in place with third party service providers to certify they are vetting and checking people thoroughly before putting them on a job (‘joiners’). You need to make sure that they have proper controls in place regarding passwords and access to systems. You also have to set boundaries on what they can sub-contract themselves – to manage when an outsourced provider outsources a piece of that work to someone else.
In addition, you need a solution for ‘leavers’ from your outsourced service providers so that when someone leaves them, they are either suspending that person’s access rights or informing you so that you can do so. This is another thing you need to be contractually specified and managed.
Access management is undoubtedly challenging. But it’s vital that it gets managed effectively. Otherwise the threat from insiders and ‘outsiders who are insiders’ will only grow and grow.
Martijn Verbree is cyber security partner at KPMG. The 2017 Harvey Nash/KPMG CIO Survey, the world’s largest survey of IT leadership, was launched today.