Directive Blogs
Employees Can Be Your Business’ Best (or Worst) Defense Policy
Many businesses believe that if they only had the right security tool, they would be secure from cyberattacks. What they don’t realize is that even the best IT security software and hardware can immediately fall apart if your staff isn’t trained to understand certain security risks. Take a moment to discover how to turn your team into a valuable security resource, and prevent them from being a security liability.
Tesla’s Near-Incident
In late August, a Russian national was arrested and charged with conspiracy to intentionally cause damage to a protected computer for attempting to recruit an employee of Tesla to install malware on the network of the Nevada company's Gigafactory, as confirmed by owner Elon Musk via Twitter.
According to court documents, in mid-July, this hacker—27-year-old Egor Igorevich Kriuchkov—established contact with a Tesla employee he had briefly met in 2016. Using the popular messaging application WhatsApp, Kriuchkov set up an in-person meeting with the unnamed employee. By August 3, Kriuchkov tried to recruit this employee to help him steal data from Tesla and extort money in exchange for keeping this data private.
The attack would work like this: by simulating a Distributed Denial of Service (DDoS) attack, the group that Kriuchkov was working with could then steal Tesla's data unnoticed. The group would then reach out and demand that Tesla pay them money to keep this data private. In a DDoS attack, a cybercriminal uses hundreds or thousands of hijacked computers to constantly attack a single target, overwhelming it until it is no longer online. It’s an effective way to interrupt services, take down websites, and exhaust computing resources.
One thing to note was that it was to be a simulation; there wouldn't be an actual attack, because it most likely wouldn't get past Tesla's security protocols. Instead, they used social engineering to manipulate the employee, going as far as offering the employee $1 million to plant malware on Tesla systems.
Kriuchkov tried to cover his tracks, including avoiding being surveilled by the FBI; however, he didn't count on the employee's loyalty to Tesla and the desire to do the right thing. The employee went so far as to make recordings of his meetings with Kriuchkov. Ultimately, enough evidence was collected to arrest Kriuchkov, and he could now face up to five years in prison.
Social engineering is effective because it takes advantage of a person, playing off a natural instinct to help or to hide mistakes they have made. Sometimes, these attacks rely on simple human error. Cybercriminals will try to take advantage of this behavior to entice your team to provide them access to your systems. However, for a social engineering attack to be successful, your team must be unaware of what is happening or be complicit. These types of attacks have become increasingly common because they tend to have a fairly high success rate for the cybercriminal.
In Kriuchkov's case, he was hoping he would be able to convert Tesla's employee to go along with his plan but miscalculated, and it was because of the employee's efforts that Tesla was able to dodge a significant bullet here.
Tesla Wasn’t the First Enterprise to Have Experienced a Socially Engineered Inside Job
While Tesla was able to sidestep this threat due to their employee's diligence and honesty, many companies have not been nearly so lucky. According to the Ponemon Institute, insider threats (such as the one that Kriuchkov and his co-conspirators were encouraging) have risen in frequency by 47 percent over the past two years, with the average incident increasing in cost by 31 percent.
Part of the reason why insider and social engineering threats are on the rise is that security technology and regulations have become more difficult for hackers to overcome. Security protocols have reached a level that makes it more difficult for hackers to brute force their way into your network. This causes them to rely on more subtle methods to gain access to your system, such as co-opting an employee to help them.
A recent example would be the Twitter social media hack. An employee was compromised and the Twitter accounts of several high-profile people, including Joe Biden, Barack Obama, Kanye West, Bill Gates, Jeff Bezos, and Elon Musk were compromised. Unfortunately, Twitter wasn't as lucky as Tesla, and their employee assisted the hackers in the attack.
The best tactic for minimizing these incidents in your own business is straightforward; you need to train your team. Moreover, you need to develop the type of culture that ensures your employees feel they are part of your team and are prepared to help protect your business.
How to Minimize Insider Threats
The name of the game will be education because, despite your best efforts, your team will always be your weakest security link. Not only will you need to make sure your employees are motivated to protect your business; they will need the expertise to do so. For starters, we recommend that you do a few things:
- Involve security in your company culture. Whatever impact cybercrime has on your business, it will also have on your employees by association. By making this clear and giving everyone ownership of the company’s cybersecurity, you are unifying your team and putting everyone on the same side.
- Keep your team up to date on trending attacks and acceptable behaviors. Like so many things in the business landscape, cybercrime is always shifting. If you and your team are going to resist attempts of all kinds, everyone’s knowledge will have to be kept current. It also helps to establish acceptable use policies to minimize your vulnerabilities, so if you choose to do so, make sure they are appropriately adhered to.
- Train your team to recognize and respond to cyberattacks appropriately. When your team does encounter a cyberattack of any kind, they need to know how they are to proceed. Establishing these procedures and developing plans to deal with these circumstances is an essential step for you to take.
Whether you need assistance in securing your infrastructure with the proper protective solutions, training your team in more secure behaviors, or both, you can turn to Directive for assistance. To learn more about how we can make it more likely that you’ll have an outcome closer to Tesla’s than to so many others’, give us a call at 607.433.2200.