By Dave Adamson, CTO, Espria
In today’s age of technology pervasion, news headlines are rife with stories of data breaches, the actions of opportunistic cybercriminals and the financial implications of poor security hygiene. The threat landscape is constantly expanding, and the ever-increasing data load for businesses means that there are more holes and vulnerable points in a company’s cybersecurity net than ever before.
The majority of business and IT leaders are well aware of the spectre of the hacker and the growing number of malicious cyber actors and groups endowed with the skills and experience required to infiltrate modern systems. Keeping these actors at bay is of paramount importance, but organisations often fail to realise that one of the biggest dangers to their data security comes from their own employees. This could be one of two different types of person: a scorned employee bearing a grudge and wishing to exact revenge or, more likely, an individual who lacks the appropriate knowledge to keep sensitive data safe.
With this in mind, building a watertight cybersecurity strategy is not just about shielding a company’s assets from the outside, but also making sure that internal access to the most sensitive data is tightly governed so that only the most highly trained personnel are able to handle mission-critical information. This is where privileged access management (PAM) will play a major role, by automatically shutting off data to those who are not cleared to access it. Yet Gartner has most recently reported that traditional PAM processes are insufficient for modern cloud scenarios, such as dynamic cloud environments and cloud infrastructure entitlements.
Coupled with a philosophy that embraces regular training for employees at all levels, businesses stand the best chance of ensuring their data remains secure by giving as much time, attention and rigour to their internal cybersecurity strategies as their external ones.
A new era for regulation
Since the advent of the General Data Protection Regulation (GDPR), organisations have been under greater scrutiny when it comes to adequately protecting sensitive customer information. The Financial Conduct Authority (FCA) has added another level of responsibility for GDPR compliance, and with the increase in cyber attacks brought about by war and economic instability, businesses need to ensure they cover all the bases with a multi-layered approach to cybersecurity. Many debates have centred on data sovereignty, the location of stored data and the need to step up efforts to fend off the advances of cybercriminals. However, it is just as important for companies to approach GDPR compliance with their own employees in mind; ensuring each and every worker is accessing and managing data in the right way, which adds further weight to the argument that measures such as frequent training and PAM technology are essential components of the cybersecurity mix.
An expanding threat landscape
To highlight the scale of the challenge facing businesses, it’s important to take a look at some key statistics covering the number of recent data breaches. Sophos’ 2023 Active Adversary Report for Business Leaders revealed the most common root cause of attack to be exploited vulnerabilities (involved in 36% of cases), followed by compromised credentials (29% of cases). Businesses continue to have their work cut out when it comes to building a comprehensive cybersecurity strategy. Certain threats may be snuffed out by effective reactive or proactive security measures, but new phishing techniques or malware strains are a constant and evolving threat, all aimed at exploiting the weakest points in your network security.
From an internal perspective, these figures strengthen the case for taking affirmative steps to ensure those within an organisation are prevented from compromising sensitive data. The success of a phishing campaign or malware intrusion is often dependent on human error or a lack of cybersecurity awareness, so it is crucial that those without this level of security expertise receive the necessary training, and also the appropriate technology is in place to closely govern access to certain data.
The danger from within
Alongside everything that is going on outside the business, it is crucial to measure just how prevalent the insider threat has become. Research from CyberArk has shown that more than half of IT professionals believe insider threats, caused by employee layoffs and churn, to remain one of the greatest security dangers facing their organisation, indicating just how seriously people within the IT department are taking the issue. Despite this, the same report revealed that while adversaries are embracing artificial intelligence (AI) to enhance and scale their identity-based attacks with wider resources, security teams are being asked to do more with less as budget cuts widen existing skills and resource gaps.
Businesses can do little to control what is going on in the cybercrime world beyond the boundaries of the organisation, but what is well within their control is the ability to decide who should have permission to access the most sensitive data. Insider threats are a real danger and IT staff are recognising this, but there is still much more to be done to nullify these dangers. Internal cybersecurity policies need to be much more comprehensive than they currently are, and should embrace an approach that clearly and consistently differentiates between who can access certain data and who cannot. Without this, companies run the risk of having their information compromised by their own employees.
What are businesses currently doing?
If the problem of insider threats is to be addressed, maintaining a programme of frequent cybersecurity training and guidance for staff is essential in order to increase their overall awareness, and plug any gaps in their knowledge. However, Mimecast’s State of Email Security Report 2023 hints that this is somewhat lacking within UK businesses.
According to the report, 59 per cent of organisations claim that cyberattacks are growing increasingly sophisticated, with 97 per cent being targeted by email-based phishing attacks. This is a common method through which cybercriminals may aim to gain access to a company’s systems; clearly more needs to be done to train employees in this area coupled with a need for specialist technology to be in place. Training may eventually catch up, but businesses should not bank on this being their most reliable line of defence in the meantime.
How PAM can make a difference
Governing who has access to specific data cannot be effectively done on a manual, case-by-case basis. The time required by an IT department to undertake such an endeavour would make it an impossible task, and working out how best to isolate the use of privileged accounts can be a major administrative headache for IT staff, particularly in larger organisations.
Privileged access management technology can go a long way towards achieving these objectives with minimal hassle to the IT department and wider business. Such software works by automatically separating privileged user accounts and data from a company’s main environment, essentially creating a new environment for this data that is much less likely to be susceptible to a data breach. PAM technology can then protect privileged user credentials so that only the right people have access to specific information, and can immediately flag suspicious activity so that swift and appropriate action can be taken.
In effect, it’s about creating a safe place within an IT system where the most mission-critical data is stored, well away from staff who could deliberately or inadvertently expose it to malicious eyes. PAM software is able to automate this process and monitor the situation on an ongoing basis, freeing up the IT department #to focus on other activities.
Cultivating a positive cyber philosophy
Creating and maintaining a healthy, well-functioning cybersecurity strategy is about making sure threats coming from both outside and inside the business are taken care of. The danger of cybercriminals operating on the outside is well-known, but it is vital that insider threats are given equal attention if cybersecurity policies are to be as comprehensive as they can be.
The value of training cannot be understated; a vigilant, cyber-aware workforce can be hugely influential in keeping sensitive data safe. Organisations should look to step up their efforts in this area, especially as hackers are increasingly using email phishing campaigns as their ‘front door’ to business data.
However, where companies can make a lasting difference in how they manage insider threats is by making sure the technology they have in place is adapted to tackle the risks attached to employee activity. Privileged access management has the potential to be a crucial cog in this machine, by simplifying the process of who has access to what data. By making best use of PAM, businesses will be in the best possible position to reach a point where access is governed automatically, intuitively and in a way that does not effect the smooth running of the organisation.
