Most high-profile attacks on corporate data centers and institutional networks have originated outside of the victimised organisations – in many cases from halfway around the world.
However, the network openings that allow outside cyber-attackers to burrow in, infect databases and potentially take down an organisation's file servers, overwhelmingly originate with trusted insiders. In some cases, those insiders are driven by malicious intent – the desire to enrich themselves through the sale of sensitive data or to retaliate for a perceived slight or mistreatment. There are also cases where a company’s third-party contractors, vendors, or temporary workers – essentially privileged users – have been responsible for their client’s network breaches, either through malice or by accident.
According to a worldwide survey of Information Security Forum (ISF) members, the majority of those network openings were created harmlessly through accidental or inadvertent behaviour by insiders without any intention of harming their employer. In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly ordinary task like taking files home to work on in their spare time.
When we look at insider threats, there are three types of risky insider behaviour. Each requiring a different approach.
Malicious: Malicious insider behaviour combines a motive to harm with a decision to act inappropriately. For example, keeping and turning over sensitive proprietary information to a competitor after being terminated.
Negligent: Negligent behavior can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognize the importance of compliance, their workarounds can be risky.
Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones.
An employee’s evening work on a confidential company document downloaded through their local coffee shops Wi-Fi can expose the user, as well as their employer, to anyone within range who wants to piggyback on the employee’s signature and gain access to sensitive files. The same applies to moving data over consumer-grade FTP services, responding to authentic-looking phishing messages, careless password management, misplacing devices containing privileged information, visiting an infected website, or opening a Trojan horse – a virus-infected attachment to a seemingly normal-looking email. A typical accidental breach might involve misspelling an email address which, combined with a PC’s autocomplete feature, ends up sending a message and its attachments to the wrong person.
All of that has happened – and it continues happening with such great frequency that it has largely resulted in public fatigue over data leaks. That tedium, however, is not shared by information security professionals, for whom popular indifference only compounds an already thorny problem – one that grows more challenging each year. Frequent, well-intended admonitions to employees urging them to take security seriously by creating strong passwords, to study policy documents and to otherwise do the right things, are too often given lip service or overly broad interpretations.
Boilerplate email disclaimers warning recipients to immediately delete the message if he or she is not the intended recipient, are routinely ignored. Lists of hard-to-remember and frequently changed passwords are typically written down and kept within easy reach of the person’s computer. The distinctions between work and personal information kept on an employee’s mobile devices, as well as employer policies, are increasingly hazy. Bring Your Own Device (BYOD) policies create a persistent challenge. Social media use has extended from individuals communicating with one another to organisations interacting with customers, investors and other constituents on a real-time basis. Yet even information about employees gleaned from personal social media sites can give a patient hacker the ammunition needed to plan an attack.
Hard data on the incidence of non-malicious disclosures by insiders is difficult to come by, largely because much of it never gets reported. We suspect the main reason is that in many cases the employee’s inadvertent disclosure – although often a clear breach of written policy – never resulted in any harm. Most people who unexpectedly receive an email with a long file attachment containing other people’s financial, health, or legal information would probably be puzzled and recognise that it was sent in error. Therefore, the data, however sensitive, would never amount to anything more than a curiosity.
However, those are not the examples companies typically worry about. The cases where unintended breaches really matter are those where a security gap – created either by trickery or mistake – is recognised and exploited by someone bent on monetising the proprietary information they have been able to capture, either through sales or by ransom. Wholesale opportunities to sell stolen data are available worldwide through a dark network of shady Internet sites. The surreptitious online transfer of files, including credit card numbers and corroborating information, is a robust business valued at $120 billion dollars a year, according to CreditCards.com.
The Human Component
Combating the wholesale theft of data by limiting the types of inadvertent actions which could lead to its misappropriation should be a priority for every organisation. Investment in technologies that can help to prevent intrusions and protect data from attackers – and there are many such options available – is essential. Management controls including segregation of duties, periodic reassessment of privileges, and audits, are also important.
But the most fundamental element of threat is deeply human. It starts with the proper vetting of employees to look for signs that the individual has not, in the past, been a responsible steward of information entrusted to them. Applicants whose pasts have included questions over managing information should not be brought onboard.
Even so, the temptation to categorise job applicants as either good or bad is naive. While people who have shown themselves to be untrustworthy in the past would almost certainly make poor choices, even good people have the capacity to wilfully misuse their data privileges. Particularly when someone feels as though they have been mistreated, disrespected, or abused, an otherwise trustworthy person could develop the motivation as well as the ability to retaliate. Therefore, an important part of the solution is to avoid putting employees into situations which are likely to undermine their trust and engender resentment.
It's All About Trust
Cultivating a culture of trust is likely to be the single most valuable management step in safeguarding an organisation’s information assets. After new employees have been satisfactorily screened, continue the trust-building process through onboarding by equipping them with the knowledge and skills required of trusted insiders. Expectations of trustworthy behaviour – and the consequences of non-compliance – should be made explicit from the outset. Over time, trust should remain an important factor in periodic performance reviews, including the provision of mechanisms for anonymously reporting suspicious workplace behaviour.
Above all, a culture of trust built on shared values, ethical behavior and truth begins at the top of any organisation. The conduct of senior management sets a tone which reverberates from the C-suite to the shop floor. Having a culture of trust affects more than just information security; it is also fundamental to the organisation’s prospects for future success.
About the Author