Companies trying to stave off business disruption caused by the global Covid-19 pandemic may be ripe for compromise as they introduce new risks in the scramble to maintain business continuity, warned a retired senior CIA executive in a keynote presentation Wednesday at the InfoSec World 2020 digital conference.
In essence, the coronavirus has created ideal “crisis” conditions within organizations that attackers can take advantage of to conduct reconnaissance or data exfiltration operations while going unnoticed.
“In my own experience, the best time to spy is when there’s a crisis in the target, when there’s a crisis ongoing, because people tend to cut corners,” said Mark Kelton, director of MEK & Associates and former chief of the CIA’s Counterintelligence Center – one of multiple roles he held during his 34 years of experience in intelligence operations. “They tend to modify procedures. The procedures they put in place to protect information, to protect facilities and the like, tend to fray because people have to go forward and conduct business. The pace of business dictates compromise.”
Kelton said that in many cases where an employee compromises organization security, the act is not committed with criminal intent. Rather, “What you find are people who will say, ‘Well, I had to do it in order to get the job done. I had to modify this data-handling procedure in order to get the job done. I had to give this person access in order to get the job done,’” explained Kelton in his session, “Real World Intelligence and Global Cybersecurity Threats.”
“And when you do that, you create vulnerabilities – and when people are away from the normal workspace, those vulnerabilities multiply,” he noted.
Indeed, the shift to a largely remote workforce in light of Covid-19 has created additional risk, added Kelton, noting that “dispersal of information and control of information to employees beyond a platform that is within an established physical company heightens risk.
“In most cases… where people want to steal something, commit espionage, certainly they don’t want to do it where fellow employees are around and can see them, and this is certainly true also for companies,” said Kelton. “So people will steal information or compromise information after hours, on weekends… or when working from home. So this is something that presents a large challenge for companies.”
Kelton said state-sponsored intelligence agencies are always on the lookout to exploit these kinds of security gaps created by crisis situations. This is true not only in the cyber world but also when looking to compromise, he noted.
“You’re always looking for someone or a group of people that are in crisis – and in my experience, when I was actually running spies and targeting adversaries, if you, the adversary, was in crisis, that was a good time to hunt,” said Kelton. “So if you flip that around, it works for the adversaries working against the United States today.”
While Covid-19 presents an ongoing global crisis that all businesses must contend with, employees can also face their own personal crises that can ultimately turn them into a malicious insider threat.
Kelton said to be on the lookout for certain employee red flags that suggest that a worker is heading for a crisis, including confrontational behavior in the office, misuse of data or financial difficulties. An insider threat program can help sniff out these troubled employees by looking for key threat indicators, he said.
“The most logical place is to establish a [behavioral] baseline to understand how your employees use data, what is the normal pattern for them accessing data, and then you look for anomalous behavior, people that are trying to access data that is outside the normal realm for… someone in their position to use,” said Kelton.
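The baseline-then-anomaly approach described above, combined with the earlier point about after-hours and weekend access, can be sketched as follows. This is an added example, not code from the talk or the article; the log records, role names, data categories and business-hours window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: (user, role, data category, ISO timestamp).
BASELINE_LOG = [
    ("alice", "finance", "ledger", "2020-06-01T10:15"),
    ("alice", "finance", "payroll", "2020-06-02T14:40"),
    ("bob", "finance", "ledger", "2020-06-03T09:05"),
    ("carol", "engineering", "source", "2020-06-01T11:30"),
    ("dave", "engineering", "source", "2020-06-04T16:20"),
    ("dave", "engineering", "designs", "2020-06-05T13:10"),
]
# Constructed events to score against the baseline.
NEW_EVENTS = [
    ("alice", "finance", "ledger", "2020-06-08T10:00"),      # in baseline, Monday
    ("bob", "finance", "source", "2020-06-09T11:00"),        # category new for role
    ("carol", "engineering", "source", "2020-06-13T23:30"),  # Saturday
    ("dave", "engineering", "payroll", "2020-06-14T02:00"),  # Sunday, new category
]
WORK_HOURS = range(8, 19)  # assumed business hours, 08:00-18:59

def build_baseline(log):
    """Map each role to the set of data categories its members normally access."""
    baseline = defaultdict(set)
    for _user, role, category, _ts in log:
        baseline[role].add(category)
    return baseline

def flag_event(event, baseline):
    """Return the reasons (possibly none) an access deviates from the baseline."""
    _user, role, category, ts = event
    when = datetime.fromisoformat(ts)
    reasons = []
    if category not in baseline.get(role, set()):
        reasons.append("category outside role baseline")
    if when.weekday() >= 5:  # Saturday or Sunday
        reasons.append("weekend access")
    elif when.hour not in WORK_HOURS:
        reasons.append("after-hours access")
    return reasons

def review(events, baseline):
    """Return {user: reasons} for every event with at least one deviation."""
    return {e[0]: r for e in events if (r := flag_event(e, baseline))}

if __name__ == "__main__":
    for user, reasons in review(NEW_EVENTS, build_baseline(BASELINE_LOG)).items():
        print(user, "->", ", ".join(reasons))
```

A flag here is a prompt for review, not a verdict: a new project or a deadline produces the same signals.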
Kelton also encouraged companies to collaborate with HR, legal and other relevant business units to gather additional employee information that collectively provides an even more detailed picture of individual workers (while hopefully ensuring that any sensitive employee info is managed responsibly). This allows employers to “get in front of employees who are in crisis early on” and assist them before they become a threat.
Beyond establishing an insider threat program, Kelton said organizations must implement a multi-layered cyber defense and invest in employee training in order to prevent ever-evolving state actors from starting the next big crisis in the form of a damaging attack.