How common is insider misuse?


Employees have access to servers and they know where data is kept. If they leak company information, their employer may not realise it for a long time. It can take months, or even years, for a company to discover it has been the victim of insider misuse.

As part of its 2016 Data Breach Report, Verizon analysed more than 100,000 security incidents from countries around the world. Of these, there were more than 10,000 insider incidents, including 172 with confirmed data disclosure.

How common?

According to Verizon, the industries most vulnerable to insider abuse include healthcare, finance and the public sector. Organisations in these sectors hold a goldmine of valuable personal data – such as banking information and Social Security numbers – that makes them attractive targets.

Yet these are not the only industries that need to be wary of bad apples in their ranks. Companies like AT&T, Target and Home Depot have all been victims of insider misuse.

When picturing insider misuse, the image that comes to mind is generally a disgruntled and irrational employee, fed up with management, who suddenly cracks and releases important company information to the public.

While this does happen, it’s only a piece of the whole picture.

Insider misuse comes in two forms: negligent and malicious. Negligent insider misuse occurs when an employee does something inadvertently that puts the company’s security at risk.

Data mishandling is a common example – this often involves emailing sensitive information or saving it on a shared device, usually done for convenience’s sake rather than any malicious intent.

Negligent insider misuse is quite dangerous because it is, by nature, an accident – meaning it’s very difficult to predict and can potentially stem from any employee.

Malicious insider misuse reflects the picture of the disgruntled employee described above. This occurs when an employee (whether current or former) purposely sells, shares or leaks company information.

This actually happens much more often than negligent insider misuse. In its examination of 230 misuse incidents in 2015, Verizon found that more than 60% were malicious privilege abuse – in which employees used their access to obtain information for unauthorised uses. The second most common type of misuse (data mishandling) accounted for only 13% of incidents.

Numbers aside, a negligent employee accidentally leaving a laptop on an airplane is just as damaging as a malicious employee lashing out by selling company data, because the end result can be the same: a serious breach, and private data for sale on the black market.

Online black markets create strong incentives for people to sell stolen information, and the pull is too much for some employees to resist. Financial gain is an extremely strong motivator of insider misuse, though it appears to be slowly losing ground to motives in cyber-espionage.

Verizon reported that in 2009, financial gain motivated more than 75% of insider misuse, while espionage was hardly ever a motive. In 2015, financial gain was the motive behind only 34% of insider misuse, and espionage rose to be behind 25% of misuse incidents.

If these trends continue, it’s possible that espionage could even become the number one motivator of insider misuse.

Corporate espionage targets trade secrets and intellectual property. Information spies may apply at your company, intending to steal trade secrets for a competitor or foreign state once hired. Others may make the decision to engage in corporate espionage after working for your company for years. Either way, it’s important to ensure your secrets aren’t walking out the door with your employees when they leave for the day.

Who are the risky employees?

Who are these “insiders” that you should keep an eye on? While you may think the most likely threats come from employees with high access to sensitive data, the numbers show otherwise.

One-third of the sources of insider misuse were regular end users with access to sensitive data as part of their jobs, while only 14% were system administrators or developers with elevated access to data.

Insiders aren’t often sitting in the C-suite, either – only 14% of insiders were executives or managers. More insider misuse offenders have a modest salary, making the quick financial gain all the more appealing.

Almost 80% of insider misuse breaches are the sole work of someone inside a company – that’s a staggering number of threats coming from within company ranks. Interestingly, 11% of breaches come from external actors – and the majority of these external actors were former employees whose remote access hadn’t been revoked. (Though, in 2015 there were some cases where non-employee external actors had solicited customers for information, in order to commit fraud.) Another 8% of breaches are examples of collusion between someone within the company and an external actor.

Unless companies have appropriate systems in place to track and flag employee access to sensitive data, it will be difficult to find the offenders. Insiders don’t necessarily show unusual behavior.

This is part of the reason it’s so difficult to uncover insider misuse – in 2015, half of incidents took months to detect. More than 20% took years before they were discovered.

Neutralising the threat within

No company wants to be in a situation where it takes years before realising an employee has been selling corporate data. Take these precautions to prevent insider misuse before it happens – and to identify it quickly if it does.

1. Monitor, monitor, monitor

Because insiders don’t always show suspicious behavior, it’s extremely important to monitor the authorised daily activity of all staff. This doesn’t mean organisations should treat every employee as a potential enemy – after all, most employees are well-meaning. Set up a system to consistently track activity, especially for employees who access financial, medical or personally identifiable information on a regular basis.

2. Lock USBs and portable drives

If you only discover that an employee has transferred data to a USB drive after the person has left the company, you’re too late. Take measures to identify use of USBs, and other portable drives, so you can stop a USB from walking out the door with your data.

3. Limit access

Employees can’t leak what they can’t access. Give employees only the access they need to the data they need for their jobs – nothing more. Make sure you understand who has access and why. Revoke remote access as soon as employees become former employees.
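One way to check that remote access really is revoked when people leave is to reconcile an HR leavers list against the account directory. The sketch below is an added example, not part of the original article; the CSV column names, users and dates are constructed for illustration and would need mapping to your own HR and directory exports.

```python
import csv
import io
from datetime import date

# Constructed HR export: a blank end_date means the person is still employed.
HR_CSV = """user,end_date
alice,
bob,2015-03-31
carol,2015-11-15
dave,
"""

# Constructed directory/VPN export (hypothetical column names).
ACCOUNTS_CSV = """user,enabled,remote_access,last_remote_login
alice,true,true,2015-12-01
bob,true,true,2015-09-20
carol,false,true,2015-11-10
dave,true,false,
erin,true,true,2015-12-02
"""

def parse_day(value):
    return date.fromisoformat(value) if value else None

def audit_remote_access(hr_csv, accounts_csv, today):
    """Return (user, finding) pairs for accounts that need review."""
    end_dates = {r["user"]: parse_day(r["end_date"])
                 for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["user"]
        enabled = acct["enabled"] == "true"
        remote = acct["remote_access"] == "true"
        last_login = parse_day(acct["last_remote_login"])
        if user not in end_dates:
            if enabled:  # account nobody in HR can vouch for
                findings.append((user, "no HR record for enabled account"))
            continue
        left = end_dates[user]
        if left is None or left > today:
            continue  # current employee, nothing to revoke
        if enabled and remote:
            findings.append((user, "remote access still active after departure"))
        if last_login and last_login > left:
            findings.append((user, "remote login after departure date"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_remote_access(HR_CSV, ACCOUNTS_CSV, date(2015, 12, 3)):
        print(f"{user}: {finding}")
```

Run on a schedule, a report like this surfaces both the access that should have been removed and any evidence that it was used after the person left.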


Sourced from Eric Basu, founder and CEO, Sentek Global

Ben Rossi
