Defending business intelligence

Cyber-security expert Keith Lowry, talks to Domini Stuart about the significance of helping corporations and government agencies implement and manage the risk of internal security breaches

Keith Lowry has a unique perspective of the cyber threats lurking inside every organisation. He led the Edward Snowden counter-intelligence damage assessment team and was closely involved with the US Army investigation into Chelsea (formerly known as Bradley) Manning, who disclosed nearly three-quarters of a million sensitive and diplomatic documents to WikiLeaks.

Now, as senior vice president, business threat intelligence and analysis with Nuix, an Australian technology and data investigation company, Lowry is helping corporations and government agencies to manage the risk of internal security breaches.

“Harm caused by data breaches, theft of intellectual property and loss of financial information and other critical-value data is widespread and devastating,” he says.

“According to the Australian Crime Commission, cyber-crime is costing Australian organisations and individuals around $1 billion a year. Last year alone it cost a typical major Australian enterprise $4.3 million, and that’s not taking into account damage to reputation and loss of value,” he says.

Statistics suggest that about a third of these breaches originate within the organisation, though Lowry suspects the real figure is much higher. “Many organisations don’t realise that an insider breach has occurred, or they may be reluctant to report these incidents,” he says.

Some insiders use their position to advance a personal, political or national agenda. Others are motivated by money – they steal or leak data such as credit card numbers and identifiable personal information which can be used to commit fraud or be sold on the black market.

“Recently, the US Federal Communications Commission fined telco AT&T US$25 million after call centre employees stole and resold the names and social security numbers of approximately 300,000 customers,” says Lowry. “Investment bank Morgan Stanley fired one of its financial advisers after accusing him of stealing the account data of 350,000 clients and posting some of that online for sale.”

There are also criminals who join organisations in order to access valuable intellectual property. “In May this year, the US Justice Department filed charges against six Chinese nationals who had taken jobs at microelectronics companies with the specific intention of stealing trade secrets,” Lowry adds.

Inadequate defences

However, not all breaches are malicious. The recent data losses suffered by the Australian Department of Immigration and Border Protection were thought to be the result of inadvertent leaks. But, deliberate or accidental, the outcome is the same.

“Insiders can cause more damage than external hackers, but many organisations continue to focus their resources on perimeter defences, incident response and security operation centres that are mostly defensive in nature,” says Lowry.

“These typically alert and respond after an event has occurred, but measures put in place after a breach will most likely be too late to prevent the loss of information.

“And, as perimeter defences are designed to keep outsiders from getting into an organisation’s systems, they are almost powerless against lawbreakers who are already inside the network, often with legitimate credentials and access to critical-value data.”

Head in the sand

Lowry believes that many organisations are avoiding the issue because they don’t know where to start. “It’s true that detecting and deterring insider threats can be a massive challenge,” says Lowry. “But the most important thing to remember is that, while information technology is virtually boundless, human interaction with technology is limited. There are only so many ways to access, gather and exfiltrate critical-value data from a system or network and focusing your efforts on these points will be much more effective than taking a scattergun approach.”

The first step is to identify where critical-value data is located, who has access to it and by what means. The second is to use intelligence and analysis to identify anyone posing a threat within the systems and networks. The third is to have accurate and up-to-date cyber-security and IT policies, training and forensic tools in place.

“When all of these elements are working together, an organisation is well placed to address insider threats before they become messy and costly public problems,” he says.

Starting at the top

Lowry say that an effective cyber-security policy must include everyone in the organisation. “Some people see security measures as a roadblock to collaboration and innovation or a hindrance to their everyday work,” he says. “But, if you’re a manager who thinks it’s OK to skirt around security, you’re making it easy for other people to do the same. That makes you part of the problem.”

It is also common for employees to stand by as their colleagues behave suspiciously.  “People can find it hard to speak out,” Lowry continues. “Communication and training will ensure that people understand what the rules are and how they are expected to behave.”

As with any other protocol, internal security must start at the top with leadership, advocacy and guidance from the board and senior management.

“Board members don’t need specific knowledge of the nature of cyber threats or the way the threats might materialise,” says Lowry. “What they do need is the vision to understand what they’re facing and a commitment to hiring people who can help them accomplish the task. The board must also lead the way in making sure that a culture of security is embedded throughout the organisation.”

Lowry sees a high level of awareness at senior government level in Australia. Attorney-general senator George Brandis has warned of the insidious threats posted by trusted insiders.

There have been changes to the Australian Government personnel security policy and Managing the insider threat to your business: A personnel security handbook was written to help organisations address and mitigate risk. However, while disclosure of a data breach is mandatory in the US, in Australia it is still under consideration.

“We have found it helpful because it is another way of making people within an organisation more cognisant of the environment and their responsibilities,” says Lowry. “But, whether or not disclosure is mandatory, I think that anyone charged with governing an organisation would want to be very sure that best practice is in place.”