The case is still very much in the news and is still causing concern. Personal information, including the social insurance numbers of 2.9 million Desjardins members, was stolen by an employee of the institution.
If it wasn’t already, this confirms the seriousness of this type of IT attack from within.
In the text that follows, I use the misfortune of Desjardins to illustrate my point on IT security. Of course, there is no point in pointing the finger at this institution, since it is far from the only organization to have been the victim of internal attacks.
What is an insider?
Most of the time, when we think of internal threats, we have in mind the malicious insider who wants to intentionally cause damage to an organization. These insiders are generally motivated by greed or revenge.
However, not all offenses are intentional. The vast majority of incidents are accidental. It can be a badly configured firewall, the disclosure of sensitive information in an email, or being a victim of a phishing attack.
There is also the careless insider who, like the accidental insider, has no desire to harm, but may cause harm because he does not know the policy or procedure associated with the data he processes. Take the example of a person who takes information with them after leaving a company without understanding that it is information that belongs to the company.
This is what makes the internal threat so risky. Reliable employees can make mistakes or can have their credentials stolen without it being their fault. Employee errors and negligence are the main causes of data breaches, not malicious intent.
Internal IT attacks are on the rise
According to the survey Insider Threat Report 2019 by Bitglass, 73% of respondents reported that internal IT attacks have become more frequent. In 2017, only 56% reported the same.
In addition, 59% of the companies surveyed reportedly suffered at least one such attack in the past year.
How to ensure a person authorized to access a certain type of data, cannot use it in an unauthorized way?
Regardless of the type of threat, you must protect the critical data of your organization and your customers.
The first action is to identify the most critical assets, where its value can far exceed the costs associated with securing them. In the example of Desjardins, this could be the personal information of its members.
The second action is to establish strict data access control. This includes controlling who can connect, when, where, for how long and how often. The principle of least privilege must be implemented in order to grant access only when necessary, and to revoke it when the need ends.
This approach must also include appropriate password management for employees and subcontractors. In the example of Desjardins, the employee had access to the confidential data of customers. But in terms of his duties, did he need access to the data of 2.9 million customers? If yes, could the data have been anonymised?
Did the employee's functions allow him to download such a large amount of confidential data? The Quebec Finance Minister announced that he had agreed with Desjardins on tightening their governance and risk management as part of the assessment initiated in collaboration with the Autorité des marchés financiers.
The third action consists of recording, in a way that cannot be altered, any operation on access privileges.
The fourth action is to detect, ideally in real time, any non-compliant attempts in order to prevent attacks. In the example of Desjardins, obviously this layer of control did not seem to have worked, since there was no alert.
Companies that want to succeed in the current dynamic and competitive environment, must ensure their security and the protection of the data they are responsible for, by controlling not only external attacks but also internal ones.
If insiders represent such a big threat to businesses, it's because they are often able, willingly or negligently, to bypass security measures, creating a blind spot for those in charge.
This is why it is imperative for companies to protect themselves to the extent necessary, depending on their specific situation.