How responsible are employees for data breaches and how do you stop them?

Author: Doug Barney, Writer/Editor for GFI Software

Data breaches have very quickly climbed the information security agenda and that includes the data breach threat posed by employees and IT professionals.

Now a new report says the insider problem is far worse than we had previously imagined. The Verizon Data Breach investigations report claims that 14% of breaches are due to insiders and that’s not counting the further 12% of breaches that come from IT itself.

Examining the motives of employees with malicious intent, the Verizon report identified two main reasons insiders choose to cause so much trouble:

  1. They are looking for financial gain, perhaps via selling confidential data; or
  2. It’s an act of revenge by disgruntled workers or angry ex-employees who still have network privileges.


On the other hand, CompTIA, an association representing the interests of IT resellers and managed service providers, has a far different point of view. It says more than half of all breaches – some 52% – are due to human error or malice, and the rest arise from technology mistakes. Research from the SANS Institute reaches the same conclusion – employee negligence is a huge source of data breaches. Social engineering is one such element, so this once again shows the importance of training employees in basic IT security.

According to CompTIA, technical solutions are not enough. IT vigilance is always necessary as too many organisations don’t even know there is an insider threat. Resigning yourself to the fact that the human error factor is a problem with no solution is neglectful, especially when it accounts for such a high percentage of breaches. Ultimately, employees are the strongest security layer. Of course, it is just as important to make sure all updates and patches are installed, firewalls are turned on and anti-malware is up to date.

Organisations also need to consider adding tools that can spot and stop data leakage amongst other breaches. Email security too is a top measure to take as many breaches and leaks come through or from the employee’s inbox.

What precautions can you take?

But what should an organisation do when users, whose roles require access to sensitive data, misuse that access? What precautions can they take to reduce both the risk of this happening, and the damage that can result from insider activity?

There is no single answer to these questions, and there is no silver bullet that can solve the problem. A layered approach that includes policy, procedure and technical solutions is the right approach to take. GFI Software has identified 10 precautions in particular that organisations should consider.

1.Background checks

Background checks should be carried out on every employee joining the organisation, even more so if those employees will have access to privileged data. While not foolproof (Edward Snowden had security clearance) they can help to identify potential employees who may have a criminal record or had financial problems in the past. They may also uncover some details of their employment history that bear closer inspection and further checks.

2.Acceptable Use

Acceptable Use Policies (AUP) do more than simply define what users should and should not do on the Internet. They also define what is acceptable and unacceptable when using customer and business proprietary data. While it will not stop those with clear intent, it will warn employees that there are consequences if they are caught including disciplinary action and possibly dismissal.

3.Least Privilege

The principal of least privilege states that users should only be granted the minimum amount of access necessary to complete their jobs. This should include both administrative privileges and access to data. By limiting access, the amount of damage an insider can cause is limited.

4.Review of Privileges

Users’ access to systems and data should be reviewed regularly to ensure that such access is appropriate and is also still required. As users change roles and responsibilities, any access they no longer need should be revoked.

5.Separation of Duties

When possible, administrative duties should be divided up so that at least two users are required for key access or administrative functions. When two users must be involved, any malicious or inappropriate access requires collusion, reducing the likelihood of inappropriate actions and increasing the likelihood of detection.

6.Job Rotation

Many insider threats develop over time and may go undetected for months or years. Often boredom is a cause. One way to counter both problems and at the same time improve the skills and value of key employees, is to rotate users through different roles. Job rotation also increases the likelihood that inappropriate activities will be detected as the new role holder must by definition examine what the previous role holder was doing.

7.Mandatory Time Away

All users need a holiday, a break and time away to recharge. This is not only good for users, it’s good for the organisation. Just like job rotation, when a privileged user is on leave, another person must cover their duties and has the opportunity to review what has been done.

8.Auditing and Log Review

Auditing is imperative. All actions and access must be audited, both for successes and failures. You will want to investigate failures as they may indicate attempts to access data, but you will also want to review successes and ensure that they are in support of appropriate actions, rather than inappropriate ones. While log review only detects things “after the fact”, they can detect repetitive or chronic actions early, and hopefully before too much damage is done.

9.Data Loss Protection

Data Loss Protection (DLP) technologies cannot prevent a determined attacker from taking data, but it can prevent many of the accidental data leakages that can occur.

10.Endpoint Protection

Endpoint protection technologies can greatly reduce the risk of data loss and also detect inappropriate activities by privileged users. Endpoint protection can help you secure BYOD devices, and search files for key data like account numbers. The technology also helps to enforce policies that restrict users from transferring data to unapproved USB devices and encrypt those devices that are approved.

Insider threats can be prevented if a detailed and layered strategy is adopted. Every organisation needs HR, legal and IT to work together to cast a protective net that will proactively identify threats or at least minimise the impact of insider threat. No organisation is safe but we can all lower the risk by acknowledging that the problem exists and taking a range of simple precautions.

Join the CSO newsletter!

Error: Please check your email address.

Tags verizonEdward SnowdenIT resellersconfidential datacomptiaIT Securitydata lossGFI SoftwareCSO Australiadata breachesIT professionals

More about CompTIADLPGFIGFI SoftwareSANS InstituteVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Doug Barney

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place