All names have been changed to protect the identities of the people in this real-life example.
Here’s a true story. Matt, a ‘disgruntled employee,’ got mad at his employer. Deciding to get even with his organization, he created a script to steal his own credentials, sending them to an off-site server. It was a genius scheme—he used a VPN to manage the server and attacked the company to steal their data with those same credentials. He would never have gotten caught except for one thing—a fluke internet outage at his house where the data was downloading to his home computer. In the split second it took the computer to reconnect to his VPN, the FBI found the traceable evidence they needed. The FBI caught Matt, but he should never have been an issue.
In the last month, the cybersecurity landscape has changed. Each of the previous three infrastructure bills signed included billions and billions of dollars for cybersecurity education. The emphasis on dramatically improving the quality and volume of cybersecurity training in America is incredible. Here in Western North Carolina, the state has funded the Carolina Cyber Network that will be launching new programs in 2022. At Carolina Cyber Center, we also have the opportunity to leverage funds from the State of North Carolina, NSA, CISA, and the Department of Homeland Security, to develop talent on behalf of employers in our region. Change is happening all around, but the main danger to the cybersecurity of small businesses hasn’t changed: insufficient basic cyber hygiene (outlined in prior posts) and the insider threat. Matt’s story is just one example of what this can look like, and it is an issue for all small businesses.
We get that, and we also understand that the need to fight insider threats is a here-and-now issue for small businesses and an expensive one. Sophisticated tools and software (e.g., for intrusion prevention and detection, threat hunting, network traffic behaviors, dark web monitoring, etc.) help, but they are expensive, and there are compensating controls that can work excellently for a small business. For example, keep a manual spreadsheet showing that a department lead or somebody in a position of authority approved elevated security privileges for somebody on their staff. The approver should not have the administrative rights to grant those privileges themselves, which retains a separation of duty. Keeping the spreadsheet current is a must: review it semi-annually and whenever personnel changes occur. Ask the question, ‘Did James give Matt permission to have these elevated privileges and access to this financial data, human resource data, or the software repository database?’ At the same time, look at the opposite question. Perhaps Matt used to have access to this data, but now a conscious and deliberate review is needed to say that he should not have access anymore (e.g., as he steps into a new role). But don’t stop there. Make a checklist that moves the spreadsheet decisions into the actual removal of privileges, and create a record of the approvals, adds, changes, and deletes.
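One way to run that review, as an added example rather than anything from the original post: a short Python script that compares the approval spreadsheet (exported as CSV) with the access people actually hold and lists what needs follow-up. The column names, the admin list, the sample rows and the 183-day review window are all constructed assumptions.

```python
import csv, io
from datetime import date

# Constructed sample data; column names and account names are assumptions.
LEDGER_CSV = """user,resource,approver,decision,reviewed
matt,financial_data,james,approved,2021-11-01
matt,hr_data,james,revoked,2021-11-01
matt,software_repo,matt,approved,2021-11-01
dana,hr_data,root_admin,approved,2021-11-01
lee,financial_data,james,approved,2021-02-01
"""
ADMINS = {"root_admin"}        # accounts able to change privileges themselves
ACTUAL_ACCESS = {              # what the systems under review report today
    ("matt", "financial_data"), ("matt", "hr_data"), ("matt", "software_repo"),
    ("dana", "hr_data"), ("lee", "financial_data"), ("sam", "software_repo"),
}
REVIEW_MAX_AGE_DAYS = 183      # semi-annual review, expressed in days

def audit(ledger_csv, actual_access, admins, today):
    """Return sorted (user, resource, finding) tuples that need follow-up."""
    ledger = {(r["user"], r["resource"]): r
              for r in csv.DictReader(io.StringIO(ledger_csv))}
    findings = set()
    for key, row in ledger.items():
        if row["decision"] == "revoked":
            # The spreadsheet decision never became an actual removal.
            if key in actual_access:
                findings.add(key + ("revoked_but_still_active",))
            continue
        # Approver must not hold admin rights; treating self-approval as a
        # violation too is an assumption of this example.
        if row["approver"] in admins or row["approver"] == row["user"]:
            findings.add(key + ("separation_of_duty",))
        if (today - date.fromisoformat(row["reviewed"])).days > REVIEW_MAX_AGE_DAYS:
            findings.add(key + ("review_overdue",))
    # Access that exists on a system with no row in the spreadsheet at all.
    for key in actual_access - set(ledger):
        findings.add(key + ("no_approval_on_record",))
    return sorted(findings)

if __name__ == "__main__":
    for user, resource, finding in audit(LEDGER_CSV, ACTUAL_ACCESS, ADMINS,
                                         date(2021, 12, 15)):
        print(f"{finding:26} {user:6} {resource}")
```

Each finding maps to a checklist action: remove the access, get a proper approval, or redo the review, and record which one was done.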
The insider threats against small businesses won’t be affected immediately by governmental-scale bills. However, as a small business, you can be a part of the change that those bills represent. The fewer vulnerabilities there are in our everyday businesses, the fewer vulnerabilities our regions, states, and nation will have. Let’s make a change, not just from the governmental level down, but from small businesses up.