Morrisons should be a lesson on the costly consequences of insider threats
What can other companies learn from the class-action lawsuit facing Morrisons?
The recent landmark verdict from the Morrisons supermarket case should serve as a wake-up call for companies of all shapes and sizes to the perennial danger of insider threats.
To recap: former employees sued the supermarket chain for mishandling their payroll information after it had been deliberately leaked online in an act of revenge by a disgruntled worker.
This represents a sea change in how these cases are dealt with, as it is the first class-action lawsuit of its kind.
Morrisons may now be facing a sizeable bill to compensate staff affected after the judge in the case held the company "vicariously liable" for the actions of the irked employee.
Morrisons has appealed, and even if the appeal fails the company may not ultimately have to pay damages; nonetheless the ruling sets a precedent for any business that holds data on its staff. The issue may stem from one malicious individual in a position of responsibility, but the repercussions can now be severe and company-wide.
As such, it has never been more vital for organisations to lock down their data and hunt for threats proactively, rather than waiting for an attack to happen and then scrambling to remediate it. Companies tend to focus their cyber investment on external threats; they should also concentrate on what lurks within.
Of course, it's not always the case that insider threats are purposeful and malicious. It may be a term that evokes cloak and dagger espionage, but 'insider threats' covers a plethora of internal vulnerabilities.
Social engineering carried out by nefarious hackers means that it's possible for anyone within a company to fall victim to a targeted cyber attack. It could be that someone in a call centre takes pity on an individual who claims they can't remember their banking password and gives them a few helpful hints; or an employee could be responding to emails that they think are from the CEO.
When it comes to social engineering, all employees within an organisation can prove to be vulnerable targets. A CFO may be a hacker's primary goal, but they could also prey on an unsuspecting intern or junior team member to get their desired information; all it takes is one door to be opened for the rest of the building to be at risk.
The Morrisons case indicates that, regardless of whether malicious or accidental, the insider threat is becoming increasingly dangerous as the repercussions become more severe.
So, how do you go about solving such a problem?
First, organisations need insight into how data traverses the network in order to build a strong defence that actively protects all stakeholders from suspicious activity.
Within any organisation, it is vital to establish clear patterns of 'normal' human behaviour among all employees, in order to subsequently identify departures from those patterns.
For example, a system should flag an employee logging onto the company server at an unusual time or from an unusual location, or accessing a file outside their usual sphere. Alarm bells should certainly ring if Ted from Sales is accessing HR data three floors away from his desk at midnight.
Of course, IT departments are typically understaffed and overworked, so this is where the value of modern technologies, powered by machine-learning, becomes most apparent; statistical analysis that removes excessive work from humans is key.
In turn, such technologies, which include network-monitoring capabilities, give complete visibility of a company's data, so that IT staff and the C-suite know what is happening to it both on and off the internal network. Remote workers, after-hours commitments and changing working practices all create additional points of exposure for data.
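The baseline-and-deviation check described above can be sketched in a few dozen lines. The following is an added illustration, not code from the author or from ZoneFox: it builds a per-user baseline of working hours, locations and data areas from a constructed access log, then scores new events against it so that Ted's midnight trip to the HR share rises to the top of the analyst's queue. The weights, the one-hour slack, and the use of a resource's top-level folder as a stand-in for a user's "sphere" are assumptions chosen for the example; a real system would learn these statistically from far more history.

```python
"""Baseline-and-deviation scoring over access logs (added example, not the article's own code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample access log, not real data: (user, ISO timestamp, location, resource).
# The resource's top-level folder stands in for the data "sphere" a user normally works in.
HISTORY = [
    ("ted",   "2018-01-08T09:12:00", "floor2", "sales/pipeline.xlsx"),
    ("ted",   "2018-01-08T14:40:00", "floor2", "sales/targets.docx"),
    ("ted",   "2018-01-09T10:05:00", "floor2", "sales/pipeline.xlsx"),
    ("ted",   "2018-01-10T17:30:00", "vpn",    "sales/forecast.xlsx"),
    ("priya", "2018-01-08T08:55:00", "floor5", "hr/payroll.csv"),
    ("priya", "2018-01-09T09:20:00", "floor5", "hr/payroll.csv"),
    ("priya", "2018-01-10T16:10:00", "floor5", "hr/contracts.docx"),
]

# Constructed events to score against that history.
NEW_EVENTS = [
    ("ted",     "2018-01-11T00:03:00", "floor5", "hr/payroll.csv"),      # wrong hour, floor and data area
    ("priya",   "2018-01-11T09:02:00", "floor5", "hr/payroll.csv"),      # routine HR access
    ("ted",     "2018-01-11T11:15:00", "vpn",    "sales/pipeline.xlsx"), # routine Sales access
    ("ted",     "2018-01-11T22:45:00", "floor2", "sales/pipeline.xlsx"), # only the hour is odd
    ("mallory", "2018-01-11T12:00:00", "floor1", "hr/payroll.csv"),      # no history at all
]

# Assumed weights: leaving one's data sphere is a stronger signal than an odd hour or location alone.
WEIGHTS = {"hour": 1, "location": 1, "area": 2}


def area_of(resource):
    """Top-level folder of a resource path, e.g. 'hr' for 'hr/payroll.csv'."""
    return resource.split("/", 1)[0]


def build_baselines(events):
    """Per-user sets of hours, locations and data areas observed in the history."""
    baselines = defaultdict(lambda: {"hours": set(), "locations": set(), "areas": set()})
    for user, ts, location, resource in events:
        b = baselines[user]
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["locations"].add(location)
        b["areas"].add(area_of(resource))
    return dict(baselines)


def hour_is_normal(hour, seen_hours, slack=1):
    """True if hour lies within +/- slack of any previously seen hour, wrapping past midnight."""
    return any((hour - h) % 24 <= slack or (h - hour) % 24 <= slack for h in seen_hours)


def score_event(baseline, event):
    """Score one event against a user's baseline; returns (score, list of reasons)."""
    _user, ts, location, resource = event
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    if not hour_is_normal(hour, baseline["hours"]):
        score += WEIGHTS["hour"]
        reasons.append(f"unusual hour {hour:02d}:00")
    if location not in baseline["locations"]:
        score += WEIGHTS["location"]
        reasons.append(f"unfamiliar location {location}")
    if area_of(resource) not in baseline["areas"]:
        score += WEIGHTS["area"]
        reasons.append(f"outside usual data area: {area_of(resource)}")
    return score, reasons


def detect(history, new_events):
    """Return alerts as (score, event, reasons), highest score first.

    A user with no baseline at all cannot be judged 'normal', so such events are
    escalated with a score above any deviation an established user can produce.
    """
    baselines = build_baselines(history)
    alerts = []
    for event in new_events:
        baseline = baselines.get(event[0])
        if baseline is None:
            alerts.append((sum(WEIGHTS.values()) + 1, event, ["no baseline for this user"]))
            continue
        score, reasons = score_event(baseline, event)
        if score:
            alerts.append((score, event, reasons))
    alerts.sort(key=lambda alert: alert[0], reverse=True)
    return alerts


if __name__ == "__main__":
    for score, (user, ts, location, resource), reasons in detect(HISTORY, NEW_EVENTS):
        print(f"[{score}] {user} {ts} {location} {resource}: " + "; ".join(reasons))
```

Running it lists Mallory (no history), then Ted's midnight HR access with all three reasons, then Ted's late-evening Sales access on the hour alone; Priya's routine payroll work and Ted's daytime VPN session produce nothing. The point for an understaffed IT team is the ordering: the analyst reads the top of the list first, and the unusual-hour-only case can be tuned down or up by changing the assumed weights rather than by rewriting the logic.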
On the human side, frequent and genuinely interactive training is crucial, which means not a 30-slide deck. Regular social engineering tests with prizes for the staff who spot them, penetration testing, and even simply printing some engaging posters to stick on the walls all help; any of these beats hiding the information in a staff handbook buried in a shared drive.
This can all contribute to a more open security culture, encouraging security evangelists across the business as a whole, rather than just the IT teams. Also, should someone find themselves duped, it's very important that anger is avoided and instead a thorough explanation and support is provided; after all, these attacks are only going to get more sophisticated.
Finally, the basics of strong, unique passwords, stored in a solid password manager and changed promptly whenever compromise is suspected (current NCSC and NIST guidance advises against forcing routine expiry, which pushes people towards predictable variations), cannot be overstated; educating employees on the perils of recording such information on pen and paper will go a long way.
Jamie Graves is CEO and founder of ZoneFox.