The cyber threat within: how knowing your staff will protect your business from attack

Sadie Creese, director of the Global Centre for Cyber Security, explains how we can protect ourselves and our company from insider attacks.
Sadie Creese explains how to prevent your company being hacked and from insider threats at the WIRED Security conference. Credit: Tiffany Lin

LinkedIn, Yahoo, Adobe, Dropbox. All of these hugely popular sites have suffered significant hacks in recent years, exposing hundreds of millions of innocent users' details to criminals.

These attacks have highlighted the real threat facing companies, even those that live and breathe tech. Speaking at the inaugural WIRED Security event in London, Sadie Creese, head of cyber security at the University of Oxford, explained how businesses and their employees can become resilient to such insider threats.

“For longer than we know, people have been trying to hack into our systems,” Creese told the audience. “No matter where you work – there is some risk of an insider threat.”

Recently, the Office of the Inspector General performed a cyber security audit after a number of weaknesses were found in the US Secret Service. Discoveries included inadequate system security plans and inadequate access and audit controls. These types of vulnerabilities open up the possibility of insider-threat activity and privacy violations.

“Over the years, we’ve invested resources and money to ensure it’s hard for people to break into our systems - but the problem is that you could be hacked by someone from the inside, with valid access to some part of your system that gives you access to your digital infrastructure.”

In light of the cyberattacks on actors such as Jennifer Lawrence, Creese explained how the cloud now poses a larger threat for corporations. “I now no longer have to hack 50 organisations, I hack one cloud and I get every single employee using that cloud.”

Creese spoke about the struggle of not only stopping threats, but also how we identify and define an insider threat. “One of the reasons we’re not as equipped as we should be is because we’re not dealing with the people and technology in tandem,” she continued.

“People either talk to you from a technical perspective, or from a people perspective and the psychology of threats. Unfortunately, what we’re not great at is planning and orchestrating across those platforms.”

So what can you do - as an organisation, or as a CEO of a company - to protect yourself from a risk of hacking? According to Creese, one of the ways you can help is by being more aware of the people that make up your company, and making sure they’re not going to be coerced. “You need to become more mindful.”

“You need to ask what it means for people in your organisation. People under extreme forms of pressure in their lives may be more open to coercion.”

She also explained how knowing the patterns of your company - so you can spot an anomaly - is key to spotting a threat before it gets too big. “You need to know who you are and what you are as an organisation.”

Speaking from past experience, Creese emphasised that insider threats don’t need to come from someone with a strong technical background. “They don’t need to be that well equipped. We’ve seen people go in with boxes, giving them to employees to plug something in. All they have to do is put the correct cable in.”

Ultimately, diversity, the ability to see anomalies and being mindful of a company make you more resilient to an insider threat. However, the risk is always there. “You’ll already have problems from the inside - take it from me.”

Creese is director of the Global Centre for Cyber Security-Capacity-Building at Oxford University's Oxford Martin School, a research centre.

She has previously spoken to WIRED about the complexity of online systems and how the sheer scale of data we're creating will lead to unrecognised risks.

Creese began her career as a computer scientist, then worked for the UK Ministry of Defence and security company QinetiQ, before returning to academia in 2007.

This article was originally published by WIRED UK