by PCI Booking – January 9, 2020
Back in 2014, the British supermarket chain Morrisons experienced a cyber-attack in which over 100,000 employees' data records were exposed. The data included personal and financial details, including salary. The perpetrator was an internal auditor; in other words, it was an inside job.
Insider threats are common. The 2019 Capital One breach involved the exposure of the personal and financial details of 106 million customers. This time, the insider was an ex-Amazon employee who understood how to exploit vulnerabilities in the bank's AWS (cloud) infrastructure.
The type of threat that insiders pose is a complicated one. But there is a good solution in the form of tokenization of data.
Insider threats are a major problem. According to a Computer Associates survey, 53% of organizations were affected by an insider threat in the previous 12 months.
"The enemy within", that is, careless end users who regularly click on bad links and so put their organizations at higher risk of falling victim to email phishing, has long been identified as the biggest and most persistent security threat.
Haystax, in their 2019 report into insider threats, found that 70% of organizations have experienced more frequent attacks than the previous year, with insiders as the key source.
As is the case with all data breaches, insider threats have significant costs associated with them. The Ponemon/IBM report “The Cost of a Data Breach 2019”, shows the following costs as a comparison – the average costs shown in brackets:
The question remains: who causes the data leaks and massive exposures we’ve seen in recent years? What type of person can be viewed as an insider threat?
The Rogue Element (Malicious)
Malicious insiders come in many forms. Gartner, Inc. puts 62% of insider threats down to "persistent offenders", who often use company data to create a second income by selling it on the darknet. Malicious insiders use their internal know-how and access to company resources to commit data theft.
The Oopsadaisy (Accidental)
Accidents happen. Laptops are lost, passwords are left for the world to see on Post-it notes, sensitive documents are left on open printers, emails containing sensitive data are sent to the wrong person, and so on. Then there are the systems to which consultants and other non-permanent staff are given access: staff who may not know what your company's security policies are or how you expect your data to be protected. They may also be unaware of simple security policies such as not sharing passwords.
Evil twins (Collusion)
Collusion is something that is often seen in industrial espionage. An external element contacts an employee to help them gain access to sensitive data, including financial data. There have been reports of ads being run on the darknet recruiting bank employees, offering salaries to illegally access bank accounts and carry out bank transfers.
Rare but painful (Leaver/joiner)
It seems from research carried out at The Hague Delta that leavers and joiners pose an insider threat. The report found 89% of those who have left an organization continue to have access to sensitive data, putting that data at heightened risk of exposure.
An outsider in (Vendors)
And finally, don’t forget that insiders extend to your vendor ecosystem. Cybercriminals will often target suppliers to get at the larger customer at the top of a supply chain.
The problem of insider threats can be a difficult one to solve. After all, when we consider insider threats we are often talking about trusted employees. These may be staff who already have significant privileged access to sensitive and financial data.
How can you control what they do when no one is looking? The fact is, insider threat prevention is one of the most difficult cybersecurity areas to manage. You can put certain systems in place, such as behavioral analysis to spot unusual trends and patterns or use Data Leak Prevention (DLP) tools. You can also use security awareness training to help reduce the likelihood of accidental insider threats. All of these security tools are important. But another security tool, which offers a highly effective way to prevent sensitive data from being exposed, is one which makes that data unavailable. This tool does so by using a process known as “tokenization”.
Tokenization is not encryption. Where encryption can be reversed under certain conditions, tokenization is irreversible: a token is generated without any key or mathematical relationship to the data it stands in for, so it cannot be reversed back into the original data. Tokenization takes sensitive data, which can potentially be any type of data, and replaces it with a software token made up of a unique string of characters. The token carries enough information for your systems to keep working with the record, but nothing that would let the data itself be compromised. In other words, the personal and financial data that an insider could potentially expose is simply not available, which prevents both malicious and accidental insider threats.
With PCI Booking’s tokenization services, your system never holds financial or personal sensitive data. When using the credit card tokenization or data tokenization services, you keep a token representing the data while the sensitive information is stored securely in the PCI Booking vault. So, if the worst happens and your organization is breached or a staff member permits access to your system (accidentally or not), there is no access to sensitive data as it is simply not there.
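The following is an added illustration of the vault model described above, written for this article; it is not PCI Booking's code and does not use its API. The vault class, the role name `payment-processor` and the booking records are all assumptions constructed for the example. It shows the two properties the text relies on: a token is random and carries nothing derivable from the card number, and someone with full read access to the application's own database (the insider scenario) sees only tokens and the last four digits.

```python
"""Tokenization vault sketch: the application keeps tokens, the vault keeps the data.

Hypothetical example code, not PCI Booking's implementation.
"""
import re
import secrets
from typing import Dict

# Assumed authorization model: only this role may turn a token back into data.
ALLOWED_DETOKENIZE_ROLES = {"payment-processor"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used here only to reject malformed card numbers before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the separate, access-controlled vault (constructed for this example)."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
            raise ValueError("not a plausible card number")
        # The token is random: no key, no cipher, nothing derived from the PAN,
        # so there is nothing an attacker could reverse without the vault itself.
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = digits
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Return the real value only to an authorized caller; everyone else is refused."""
        if caller_role not in ALLOWED_DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._store[token]


def create_booking(app_db: Dict[str, dict], vault: TokenVault,
                   booking_id: str, guest: str, pan: str) -> dict:
    """Application side: store the token plus the last four digits, never the PAN."""
    token = vault.tokenize(pan)
    last4 = re.sub(r"\D", "", pan)[-4:]
    record = {"guest": guest, "card_token": token, "card_last4": last4}
    app_db[booking_id] = record
    return record


def insider_dump(app_db: Dict[str, dict]) -> str:
    """What a user with unrestricted read access to the application database sees."""
    return repr(app_db)


def pan_in_dump(app_db: Dict[str, dict], pan: str) -> bool:
    """True if the full card number appears anywhere in the application's data."""
    digits = re.sub(r"\D", "", pan)
    return digits in insider_dump(app_db)


if __name__ == "__main__":
    vault = TokenVault()
    bookings: Dict[str, dict] = {}
    # Constructed sample input: a well-known test card number, not a real card.
    rec = create_booking(bookings, vault, "B-1", "A. Guest", "4111 1111 1111 1111")
    print("application database:", insider_dump(bookings))
    print("full PAN present in app data:", pan_in_dump(bookings, "4111111111111111"))
    print("processor sees:", vault.detokenize(rec["card_token"], "payment-processor"))
    try:
        vault.detokenize(rec["card_token"], "internal-auditor")
    except PermissionError as exc:
        print("auditor refused:", exc)
```

Two design points worth noting: tokenizing the same card twice yields two unrelated tokens, so tokens cannot be correlated across records without the vault; and the only path back to the card number is `detokenize`, which is where access control and audit logging belong, rather than in every application that happens to hold a token.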