FBI Cyber Division PIN Focuses on Insiders Inflicting Significant Losses to Businesses

Today, the Federal Bureau of Investigation's Cyber Division released Private Industry Notification (PIN) 20190423-001 regarding its continued observation of U.S. businesses reporting significant losses caused by cyber insider threat actors, including former or disgruntled employees exploiting their enhanced privileges—such as unfettered access to company networks and software, remote login credentials, and administrative permissions—to harm companies.

Kennyhertz Perry works with a number of companies, including small businesses, on cyber intrusions. Despite the increase in the number of outsider attacks, the greater threat generally comes from insiders, whether they have gone rogue or have negligently allowed malicious payloads into the company's environment. Unfortunately, beyond compartmentalization and monitoring, there is not much you can do if an insider is determined to reach data. In the event of a malicious attack, a company should have systems in place to remain operational, or at least backups so that the company is not affected or only slightly affected. Once the business has been totally disrupted, it is too late to mitigate, and you will likely see dramatic costs to the business.

The FBI also provides some practical defenses:

  • Ensure employee access to all company network systems and databases is revoked when employees leave the company. Coordinate employee terminations with the Human Resources and IT departments (including the Help Desk).
  • Maintain an audit of administrative accounts before and after a major hiring or contracting event, and following the departure of key IT personnel.
  • Monitor unusual employee network activity, especially in the weeks leading up to an employee’s leaving the company.
  • Monitor suspicious physical security habits of employees, especially the abnormal use of personal devices such as concealing devices in the workspace or using personal devices to photograph sensitive information.
  • Change passwords to shared administrator network or remote login credentials regularly. Ensure passwords are changed when an employee with administrative access leaves the company.
  • Maintain a robust and tiered backup strategy for computer networks and servers.
  • Monitor data uploads to all media, email, or cloud storage outside of the company network.
  • Regularly monitor online postings for proprietary products.
  • Establish alerts for unusual activities on administrative accounts, and after all network-level access changes.
  • Regularly review remote login sessions and unusual activity conducted outside of normal working hours.
  • Establish and raise awareness of a reporting mechanism for violations of ethics, brand, or intellectual property rights.
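As an added illustration (not part of the FBI notification or this post), the script below applies three of the checks above to a constructed authentication log: logins by accounts that should have been revoked at termination, administrative account activity outside business hours, and remote sessions outside business hours. The termination roster, the log events and the 08:00-18:00 weekday window are all assumptions.

```python
from datetime import datetime, date

# Constructed sample data (not from the FBI PIN or the firm): an HR
# termination roster (user -> last working day) and a few login events.
TERMINATIONS = {"jdoe": date(2019, 4, 15)}

LOG_EVENTS = [
    # (timestamp, user, is_admin, remote)
    ("2019-04-16 09:12:00", "asmith", False, False),   # normal working-hours login
    ("2019-04-17 22:40:00", "jdoe", False, True),      # departed user, remote, after hours
    ("2019-04-17 23:05:00", "svc_admin", True, True),  # admin account, remote, after hours
    ("2019-04-18 10:30:00", "svc_admin", True, False), # admin account during working hours
]

# Assumed business hours: 08:00-17:59, Monday to Friday.
BUSINESS_HOURS = range(8, 18)


def outside_business_hours(ts):
    """True on weekends (Sat=5, Sun=6) or outside the assumed daytime window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def review_logins(events, terminations):
    """Return (user, timestamp, reason) findings that deserve a human review."""
    findings = []
    for raw_ts, user, is_admin, remote in events:
        ts = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S")
        last_day = terminations.get(user)
        # Access should have been revoked when the employee left.
        if last_day is not None and ts.date() > last_day:
            findings.append((user, raw_ts, "login by departed employee; access not revoked"))
        # Administrative accounts are not expected to be active after hours.
        if is_admin and outside_business_hours(ts):
            findings.append((user, raw_ts, "administrative account active outside business hours"))
        # Remote sessions outside normal working hours warrant a look.
        if remote and outside_business_hours(ts):
            findings.append((user, raw_ts, "remote login outside business hours"))
    return findings


if __name__ == "__main__":
    for user, when, reason in review_logins(LOG_EVENTS, TERMINATIONS):
        print(f"{when}  {user:<10} {reason}")
```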

Being proactive rather than reactive is the key.

The alert was released as TLP: White, and the details, including useful information for protection from doxing, can be shared without restriction. For this report, or for ways to monitor and respond to cybercrime, please contact [email protected], or online at Kennyhertz Perry, LLC and its Privacy, Cybersecurity, and Breach Management practice group.

About Kennyhertz Perry, LLC

Kennyhertz Perry, LLC is a business and litigation law firm representing clients in highly regulated industries. The firm was founded by two veteran Kansas City attorneys, John Kennyhertz and Braden Perry. To learn more about the firm, visit kennyhertzperry.com.

*The choice of a lawyer is an important decision and should not be based solely upon advertisements.