The world's biggest risks

Enemy within: The danger of 'insider hacking'

By Hamza Ali, special to
Zmeel | Getty Images

Everyone knows the danger hackers pose to networks, but most people don't consider themselves to be the actual hacking risk.

Security industry experts are warning that "insider hacking"-- whereby an organization's IT system is breached from the inside -- is an underreported, pernicious and difficult-to-detect cyber-security threat.

Insider hacking habitually hits the headlines with cases such as Edward Snowden and the Target system breach. However the cause of insider-hacking might be slightly more innocent.

McAfee CTO: Target attack was defendable
McAfee CTO: Target attack was defendable

"A lot of the threat of insider hacking today is just carelessness," says Larry Bridwell, global security strategist at Sticky Password. "In-users working at home or working at the office many times don't have the awareness of what the problems are."

This is largely due to unclear data security policies or a lack of understanding by the users, according to Bridwell.

"Data security policies are written in such manner that the average employees have a hard time understanding them, where there is too much legalese or too much technology issues involved or the policy is not explained enough to the employees to make them aware of the dangers of not following those policies," says Bridwell.

Read MoreForget passwords:This is the future of logging in

Last year, U.K.-based cyber-security firm Clearswift ran an online poll of 300 IT decision-makers, which found that 83 per cent had experienced a data security incident in the past year, with 58 per cent of believing that in their breach an insider was the culprit.

Passwords the problem

Regardless of whether or not it's done with malicious intent, insider hacking is difficult to detect as the user is often allowed to access to the network legitimately.

The future of passwords
The future of passwords

"Traditional means are quite inadequate to prevent insider hacking," says Jonathan Klein, president of MicroStrategy. "Most networks rely on user names and passwords. Since user names and passwords are in many respects owner-anonymous, you can't ascertain who is using them, whether they've been hacked, stolen, phished, or compromised."

The problem is even more basic with corporations says Bidwell, with a lot of organizations not being fully aware of what it is they need to protect.

Companies need to do three things to understand their insider hacking risk. They "need to know what their assets are, where they are and who has access to them." Says Bridwell.

Read MoreCelebrity NudePhoto Hacking: Should You Be Worried?

"Many of these organizations don't even know what they have that other people might want. They don't know the value of it or they haven't taken the time to know the value of what they have, so they don't know the risks are and how to protect against them."

While not advocate of "big-brother style" surveillance, Bridwell points out that once a company ascertains it is in risk of an insider breach, it is in its interest to monitor these areas that pose the biggest risks.

"There is a certain level of corporate liability in making sure that corporate assets, such as laptops, phones, pads and other technology are monitored in ways that can tell if certain subtle patterns are being broken so as to alert manager to a future threat." Says Bridwell.


This story has been updated to reflect the full name and title of MicroStrategy's Jonathan Klein.

By Hamza Ali, special to, follow him at @ Hamza_M_Ali