System administrator Brian Johnson was sentenced to 34 months in prison on 16 February 2017 and was told to pay more than $1 million in fines, two years after his arrest following the cyber-attack. Having been fired from his job, he remotely accessed the plant’s computer system and transmitted code and commands, which led to Georgia-Pacific losing massive sums of money.
While Johnson’s case has received wide publicity because of the lengthy prison sentence, plenty of former employees seem to log into company systems after their employment has ceased – and many with malicious intent, according to last year's research by cybersecurity provider Kaspersky Lab.
More than a quarter of all cyber-attacks and a third of targeted attacks involved malicious activity by insiders, according to the research – and vulnerabilities could exist at the hardware, software and even human level, so attacks can come from any direction.
Up to 79% of corporate executives admitted to—intentionally or unintentionally—engaging in behaviour that put corporate data at significant risk of a security breach, suggests a report by cybersecurity company Symantec. While many organisations are aware of the risk of cyber-attacks coming from the outside, many forget the potential danger from within.
The main problem is organisations being “shockingly poor at changing passwords and revoking access rights when a member of staff leaves the company,” says Graham Cluley, independent computer security analyst. Also, many firms allow employees to use personal devices when working remotely, don’t give them the correct tools to do so safely – and don’t do much when someone leaves the company.
One solution is to employ a security expert or to use a good HR monitoring system, to spot any malicious approach before there is too much damage, says Sian John, chief strategist at Symantec.
While most insider threats are non-malicious and happen accidentally, “the malicious insider is very determined to get what they want,” says John. “If they're trying to get their hands on something, it's quite hard for organisations to detect, especially early on.”
For instance, company data can be accidentally uploaded to cloud applications like Dropbox or personal email accounts, which employees access on work devices without the organisation’s knowledge, something referred to as “shadow IT”, says John. Symantec’s research found that 51% of corporate executives emailed company documents from a personal email address.
And while forwarding your CV would be fine, says John, “anything from credit card data, employee data, intellectual property or mergers and acquisitions will be flagged and blocked, helping to prevent large-scale breaches.”
To avoid network breaches, companies must educate staff about responsible cybersecurity behaviour and the dangers to look out for, and introduce robust policies about the use of business email addresses, says David Emm, principal security researcher at Kaspersky Lab.
“Businesses need to start regarding security as a process – one that encompasses threat prediction, prevention, detection, response and investigation,” he adds. “Insider motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness. The impact of such attacks can be devastating as they provide a direct route to the most valuable information.”
Companies could also benefit from threat intelligence services to understand why cybercriminals might be looking at the company and to find out if someone is offering an insider service in the organisation.
For his part, Cluley recommends that organisations regularly review the audit log of administrator accounts to guard against malicious insiders, and that they make sure to revoke passwords and collect all company-issued devices from an ex-employee before that person leaves the building.
Johnson’s case could serve as a stern warning to those who attempt to breach cybersecurity systems, says Cluley, but he remains sceptical that it will ward off ill-wishers. “Although I'd like to imagine that others would be warned off similarly dumb behaviour, I fear that the people who typically engage in hacking their former employers aren't necessarily being rational,” he says. “They're upset, they may feel that they've been aggrieved, and the red mist clouds their common sense.”
As a response to the Georgia-Pacific incident, the US Attorney’s Office in Louisiana launched a cybersecurity initiative in early 2016. The initiative assembles agents and other personnel from across Louisiana to assess and share information about incoming reports of cyber-incidents affecting the area, and to evaluate law enforcement’s response. The initiative also aims to foster collaboration between private industry and law enforcement and to encourage immediate reporting of cyber-incidents.