The biggest cyberthreat to companies could come from the inside

A recent attack against Morgan Stanley that exposed hundreds of thousands of customer accounts was an inside job, a threat experts say is nearly impossible to stop.

Seth Rosenblatt Former Senior Writer / News


Companies spend billions of dollars each year to protect against determined hackers attacking from across the Internet, but experts warn they shouldn't ignore a closer threat they aren't even ready for: inside jobs.

Morgan Stanley, one of the world's largest financial services firms, revealed Monday its customer information was breached. But it wasn't the result of determined hackers or sophisticated email attacks. Instead, Morgan Stanley said it was an employee who stole data from more than 350,000 customer accounts.

The breach is a wake-up call to companies, which spent an estimated $71.1 billion in 2014 on cybersecurity, up nearly 8 percent from the year before. And while hackers have successfully attacked large companies like JPMorgan, Target and Home Depot, experts warn employees pose just as much of a threat, whether they act intentionally or by accident.

While the cybersecurity industry is devising an ever-growing list of technologies to protect against intrusions, it turns out there's relatively little that can be done to stop an insider who already has access to a company's otherwise highly protected data.

"There's always going to be a way, just like with hacking, for insider attacks to happen," said Lucas Zaichkowsky, who used to manage computers at a major credit card processor and is now a security expert at Resolution1.

Attacks by insiders are often characterized in three ways: They're hard to detect and don't happen often. But when an attack does come from the inside, it can be devastating. Security researchers at the Ponemon Institute report that 88 percent of IT pros surveyed say they struggle to identify insider attacks, and security consultants at SpectorSoft say fewer than half of companies are even capable of noticing.

Few companies publicly disclose these types of attacks, and when they do they rarely estimate the damage. SpectorSoft said insider attacks -- 35 percent of all those committed -- cost US companies $40 billion in 2013 alone.

Few ways to protect

Despite the challenges in detecting and blocking insider attacks, there are ways companies can reduce the risk.

First, experts recommend companies tighten restrictions on highly sensitive data, locking files behind passcodes and security systems so that only employees and trusted business partners who must have access actually do. One way to do that is with encryption: cryptographic computer code that jumbles a file's contents so that only those with the proper keys can unscramble them.

If the information does have to be accessible on the company network, "try to come up with a data policy that segregates it," said Andrew Conway, a site and data breach expert for security company Cloudmark.

Companies also need to monitor the actions of the employees who do have access, to ensure the data isn't copied or destroyed without approval. Many attacks have been spotted by warning systems, but the alarms went unnoticed.

Other long-standing techniques include preventing files from being copied to USB by physically blocking USB ports with liquid cement, and removing cameras from the screens of laptop and desktop computers. Some companies even use "air-gapped" computers -- machines that are connected neither to the Internet nor to other computers.

The US government has gone to some lengths to ensure certain kinds of data are better protected than others. Nuclear facilities, for example, have used air-gapped computers for years. There are also laws governing how medical data is stored and accessed, requiring companies to keep extensive logs every time the files are read.

Another option for companies is to bring on a chief security officer, someone who understands and knows how to balance security with a company's day-to-day business, and sets rules for how files are stored and accessed. Ponemon backed up this assertion in a 2013 study which found the cost per record exposed in a breach goes down when a company has hired such a person.

Even if companies implement all those measures, experts say they can't entirely secure their systems from a determined insider.

Consider famous information leakers like Edward Snowden and Chelsea Manning, each of whom accessed and leaked thousands of classified government documents. In both cases, they were able to circumvent some of the US government's most secure computer systems by virtue of being on the inside.

"If the NSA can't prevent an insider breach, then how is an enterprise company going to stop one?" Conway said.