How to prevent an Ashley Madison–style hack by company insiders

A cybersecurity expert shares 5 key steps for identifying and stopping bad actors inside your company open on a laptop screen

(Carl Court/Getty)

Yesterday, the hackers who stole sensitive user data from the online extramarital affairs website released their 9.7 gigabytes of stolen data. The trove of sensitive information includes account details for some 32 million user accounts, including addresses, phone numbers, and partial credit card and payment information.

So how was a company built on keeping secrets, and which promises “100% discreet service,” caught defenceless against a data breach that threatens the fundamentals of its business? CEO Noel Biderman of Avid Life Media, which owns the website and several others, believes it’s an inside job. When the data breach was first announced last month, Biderman said: “It was definitely a person here that was not an employee but certainly had touched our technical services.”

Kevvie Fowler, Partner at Advisory Service, Forensic at KPMG, says the number of insider attacks on companies being driven by external influences is on the rise. “People on the outside find it easier to have someone on the inside provide them with the data in order to steal information through extortion or ransoms,” says Fowler. “Even employees with good intentions can be manipulated by these cyber criminals that come from outside or inside the organization.”

Last year, security firm AlgoSec’s threat survey said 73% of security managers cited insider threats as their biggest concern in 2014, up from 62 per cent in 2013. Fowler says insider attacks are usually driven by financial gains, disagreements between the employee and employer or regarding organizational policies, and in some cases revenge.

In order to prevent a data breach, Fowler recommends companies to take the following steps:

1. Identify the data desirable to criminals

You need to know what they are and where they’re located, says Fowler. “Without knowing where the information is, you don’t know what controls to put in place to help prevent unauthorized disclosure of that data,” he says.

2. Control access to sensitive data

Fowler advises to only grant people with a business requirement to access the information as a way to lessen the risk. “This also serves as a deterrent,” Fowler says, “keeping people who aren’t authorized to view that data from getting access to the information.”

3. Encrypt your data

Protect the information by restricting access to the data  by network permissions, encryption or tokenization.

4. Make monitoring known to employees

Log-ins serve as a deterrent to employees when they know their actions are actually being monitored, Fowler explains. “Ensuring there’s awareness regarding what information they’re accessing lets employees know that there are controls in place to monitor who has access to what files,” according to Fowler.

5. Perform background checks on employees

Fowler advises companies to perform background criminal check on employees when they’re hired to identify the high-risk workers.

Companies also need to identify existing employees who started in the organization with good intentions, but are slowly becoming the high-risk sources of attack by examining their behaviour. He says usage of gambling sites and political sites are triggers that can push employees to become a higher source of organizational risk.

Software solutions are also available to organizations to fight insider attacks. Ottawa-based Interset, for instance, offers companies a way to detect insider and outsider threat by using behavioural analytics, machine learning and risk forensics.