Companies Face Cyberthreat from Inside

The recent computer attacks on Wall Street firms and Sony Pictures highlight the potential danger from employees and other parties with inside knowledge.

A spate of cyberattacks on big-name companies and institutions, most recently Sony Pictures Entertainment, has managers and investors worried. But there may be a threat that many haven’t considered: In an increasing number of cases, the call is coming from inside the house.

Cyberattacks are typically depicted as third-party assaults by an outside person or entity looking to steal sensitive information. But as reports of hackers infiltrating Wall Street firms and preliminary details of the Sony incident reveal, so-called malicious insiders also present a major hazard.

The danger to financial services was underscored earlier this week, when FireEye, a cybersecurity intelligence and technology firm based in Milpitas, California, released a report describing the crimes of a sophisticated group that has been stealing sensitive deal information from Wall Street banks and asset managers for more than a year.

“What’s different about this group is that they appear to have a Wall Street background,” says Jen Weedon, FireEye’s manager of threat intelligence. “The fact that these folks seem to be insiders is noteworthy.”

According to Eldon Sprickerhoff, founder and chief security strategist at Cambridge, Ontario–based cyberattack protection service eSentire, the group — which FireEye calls FIN4 — used simple technology to ensnare CFOs through e-mail pop-ups bearing each firm’s logo and asking for a user name and password.

Sprickerhoff, who says eSentire became aware of FIN4 in November 2013 and has since been advising its clients of the threat, says the hackers took full control of executives’ e-mail, allowing them to mine contact lists and make the rounds of nearly 100 biopharmaceutical and financial services companies. It’s not clear who the hackers are or what they’ve done with the information, but FireEye’s Weedon says the language they use and the data they target suggest that they could be current or former Wall Streeters.

The ever-present threat took an absurd turn this week when Sony Pictures announced that it had suffered a data security breach, ostensibly led by hackers based in and possibly sponsored by North Korea. Tech analysts suggest the incident was in retaliation for the release later this month of The Interview, a movie starring James Franco and Seth Rogen that is critical of Kim Jong Un, the Asian nation’s supreme leader.

A group calling itself Guardians of Peace took responsibility for the attack, which leaked several unreleased films to streaming sites as well as disclosing confidential salary information for top Sony executives and compromising thousands of user names and passwords for Sony Pictures computers and social media accounts.

But analysts have speculated that a Sony insider or insiders sympathetic to North Korea might have facilitated the breach. A person claiming to represent Guardians of Peace told technology website The Verge that the group “worked with . . . staff with similar interests to get in,” and security researchers have found a potential connection with seasoned North Korea hacking group Unit 121.

What may seem like a strange plot for a science fiction movie is more real than many managers understand, say experts, who lament the fact that cybersecurity threats are still often seen as something IT will deal with.

“It’s a governance process and a management process, not solely an IT process,” warns Deborah Prutzman, CEO of New York–based Regulatory Fundamentals Group, which advises funds, advisers and investors on regulatory requirements. “That’s a big misconception.”

“It’s important that senior management actually initiate the dialogue with the IT department,” Prutzman adds. “IT people are often very much aware of the issues but may not feel empowered or are uncertain how to engage with senior management on issues that may require a change in front-office practices.”

This advice may not have stopped recent high-profile attacks on Sony, Home Depot, Target Corp. and a host of Wall Street firms, but it could help companies respond faster and better to such situations. Although most cybersecurity experts echo the phrase “Not if, but when” in discussing the probability of a company being targeted by hackers, there are ways to lower those chances and mitigate possible damage.

Employees with a bad credit score or a past bankruptcy are often seen as risky bets for jobs with the federal government. Gary Miliefsky, an IT security expert and CEO of SnoopWall, a Las Vegas–based service that aims to help individuals determine which mobile device applications are “spying” on them, says red flags like these might also show hiring managers who could be the most easily corruptible when the opportunity to steal information arises.

The potential for an employee to become a malicious insider grows when companies do things like encourage employees to use their own computers and other devices for work, and when job security is an issue, according to Miliefsky. “In down economies, human behavior goes to the dark side,” he says.

The good news is that “there are not a lot of talented malicious insiders,” Miliefsky adds. They usually get caught; the question is how long they were able to operate beforehand. To stay on guard, it may be time for companies to look inward.
