When Edward Snowden stole information from the National Security Agency, it came as a wake-up call to those whose business relies on the collection, storage and use of data

When Edward Snowden stole information from the National Security Agency, it came as a wake-up call to those whose business relies on the collection, storage and use of data, be that customer, payment or staff information. That’s a lot of companies nowadays. It was a matter of time before an insider attack hit household names in the UK, though that is of little comfort to Morrisons, which has seen data from its staff payroll system stolen and posted over the internet this week.

While the Target attack was shocking given its sheer scale, the financial motivation of cyber criminals is easy to understand. Insider attacks are different because they come down to an individual’s personal motivations – upset or unstable, disgruntled or envious, attention-seeking or ideological. A plethora of human traits comes into play and can provoke people into radical action, especially when the barriers to entry are low.

Barriers are integral to the way information systems are structured, but our increasing reliance on the internet has slowly eroded these barriers, in favour of interconnection, speed and collaboration. Retailers need to be connected to a global supply chain to do business and stay competitive. The attack on U.S. giant Target earlier in the year showed us that the supply chain can be the weak link that leaves you vulnerable, no matter how good your internal security is.

Traditional security software struggles to keep up with constantly evolving threats because it first needs to identify a threat, and classify it, before it is able to protect against that same threat type in the future. Such software is therefore embroiled in an eternal game of catch-up. 

It would appear that the Morrison incident originated from within, from someone abusing a position of trust. The motivation was seemingly to wreak damage on the companies reputation.  Why? We may never know – but that’s not the point. The fact is that a trusted individual(s) had legitimate access to company data and has chosen to use this as a weapon against the company.

In this day and age, it is impossible to second guess every threat, be that a threat that comes from outside or inside your enterprise. However, a focus on behaviours within the network can allow retailers to better defend themselves. A person wishing to use your data against you needs to act, and does so in an abnormal way compared with the normal activity of the network, the user and the machine.

Thanks to recent advances in mathematics, next-generation technology can model normal behaviour within internal systems and detect evolving threats in real time, before the attack has been completed.

Retailers urgently need to shift from a default position of damage control to a proactive approach to cyber security. Like Morrisons, we all have unknown adversaries who are inside our systems and able to act do us damage – all they need is a reason.

  • Andrew France is chief executive of security firm Darktrace