Espionage, The Insider Threat, and why BYOD is Such a Huge Problem

It is increasingly accepted that insiders represent the greatest risk to organisations’ security, particularly when considered as an element of a converged threat to intellectual or digital assets. This poses some of the greatest challenges for any management team in managing security and staff, deploying technology, and developing procedures.

The challenging aspects of the insider threat are anticipating both intent and method. Industry is increasingly aware of disgruntled employees as a source of threat, though it is still struggling with the personnel management implications of monitoring and managing staff in this context. More challenging is the passive human vector, where staff are lazy or careless in their adherence to security protocols and in their individual application of sensible security practices, which can lead to significant or even catastrophic consequences for the organisation.

The more recent vulnerability, as adversary intentions have become more malicious and techniques more sophisticated, is the aggressive shift towards more targeted subversion and coercion of key staff; through social engineering it has become more straightforward to identify those targets and gather the intelligence required to accelerate the process. Tackling this at an organisational level requires specialist support, as few security managers will have had sufficient exposure to this nature of threat to be able to craft a response. Optimal Risk can provide that specialist support.

The challenge for organisations has now become more complex, as staff are unknowingly or unwittingly engineered to enable certain types of attack. It is nearly impossible for companies to enforce or expect strict or sensible adherence to personal or corporate security procedures outside the workplace: this includes at the gym, on the golf course, in the bar after work, on the journey home, and, for a key employee with access to privileged information, even at home, in the supermarket, or pitch-side watching the kids play football. This is specifically the case in espionage or another similar objective where adversaries are prepared to invest considerable funds and time in order to penetrate an organisation. The usual symptoms of an insider threat, based on attitudes and behaviour, will invariably be lacking if the employee has been unwittingly ‘engineered’, and this gives corporate security and intelligence functions very little to pick up on, because the only evidential aspect is the apparently ‘normal’ activity.

This sets the challenge for the physical security and management aspects of any large corporation. However, the critical new element is the BYOD threat. Bringing Your Own [mobile] Device is now the major threat to firms that allow employees to use company WiFi in the workplace. Consider the scenario in which the majority of employees frequent the same coffee shop around the corner, with their devices automatically logging in to its free WiFi. A sophisticated attacker may upload malware to a large number of employees’ devices, and may do so by installing their own WiFi access point. The malware will sync with the company network when the employees return to the office, and from there unleash a multitude of actions.

However, the problem is not isolated to WiFi. Recent research highlights that a large body of new malware is designed to exploit mobile devices, and this does not exclude Apple products or BlackBerry. The systematic absence of anti-spyware and anti-malware on mobile devices now allows an infected mobile device to be brought into the workplace and to upload malware into the corporate network through email or other means, exposing the system to threats from a new vector. Many employees use mobile chat applications and document-sharing applications as they are increasingly away from their desks, and these have been proven to be particularly vulnerable routes to information interception. These add to the catalogue of threats that allow adversaries to track a target’s location and record conversations and images through the mobile device.

This challenges the security function to anticipate the threat from a new channel, and it is typically the failure to anticipate threats that allows them to manifest. Simulating the threat from mobile devices is challenging, but it can and should be prioritised in organisations’ testing and exercise regimes. In preventative terms, companies should be tightening up their policy on BYOD, and employing specialists to set up and review the mobile devices used in the organisation, in terms of both hardware and software. For more information about how Optimal Risk can support companies with this challenge download our flyer from
Posted: 12 July 2013 by Optimal Risk Admin | with 0 comments
Filed under: BYOD, coercion, cyber, device, e-espionage, espionage, insider, mobile, security, subversion, threat