Insider Threat: Why Negligence Is More Dangerous Than Malevolence

Friday, August 26, 2016

Eric Aarrestad


Security threats can come from anywhere, but they most often occur from the inside. These types of threats are on the rise: in a recent report, 39% of IT professionals admitted they were more concerned about the threat from their own employees than the threat from outside hackers.

In May 2014, the U.S. Department of Homeland Security defined Insider Threat as “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems.”

The potential risks associated with an Insider Threat are particularly disturbing, since Insiders already have the necessary credentials and access to do significant damage to your organization. Traditional data security tools such as encryption are meaningless since Insiders are already authorized to bypass these security barriers in the same way they can use their network credentials to access your sensitive data.

As a recent example, customer records at AT&T Services were accessed by employees who stole information to sell to unauthorized third parties. As a result, in late 2015, AT&T Services had to pay a civil penalty of $25 million to resolve consumer privacy violations.

While we should not ignore the very real danger posed by this type of intentional threat, we must also recognize the role of negligent employees in delivering a similar result. The fact is that the road to a cyberattack is often paved with the best of intentions.

In February 2016, Snapchat announced that one of its employees had responded to a phishing scam by sharing payroll information with the company’s Chief Executive Officer, or so they thought. Instead, they opened an email sent by an external actor who exploited the employee’s negligence to obtain sensitive information. While it was an honest mistake, the employee’s actions resulted in devastating consequences for the organization as well as the individuals whose data was breached. According to the FBI, this form of business email compromise has cost more than $1.2 billion over the past two years.

Cyberattacks originating from negligent employees are rapidly increasing. Employees have access to sensitive information that, if exposed, could negatively impact their organization. Yet most corporate research and investment on the Insider Threat has focused on those defined by Homeland Security: malicious behavior of purposeful hackers. We need to understand that the Insider Threat is considerably broader.

Contrary to popular belief, Insider Threats should not be restricted to these malicious profiles. Many would argue that the threat from well-intentioned, negligent employees, as in the Snapchat case, presents a much greater risk. In fact, IT decision makers view the employee as the greatest risk to the security of their organization (46%). Among these respondents, the ‘accidental’ threat outweighed the ‘intentional’ threat two to one.

While no one can prevent all Insider Threats, adopting a transparent security policy is a key step in securing employee support while building greater trust between employees and employers. IT should work closely with senior leadership to integrate training in responsible IT security behavior, including random user testing, and to establish pre-emptive alerts that call out unusual activity or access.

Organizations must also implement technology that delivers proactive and intelligence-driven approaches to security to help reduce risk and enable IT to effectively support business initiatives.

The successful prevention of any threat depends on our ability to accurately define and identify it – ideally before it has infiltrated our networks and data. When addressing the risk of Insider Threats, we must look beyond those who are intentionally doing harm and place equal emphasis on those who are simply doing their job.

About the author: Eric Aarrestad, Senior Vice President, Product Management, leads Absolute’s focus on defining and driving requirements for Absolute’s product portfolio. Under Eric’s guidance, the product management team defines and communicates the product strategy and roadmap for all segments of the business. Eric is a seasoned information security executive, with a proven track record of market impact through building, scaling and growing global cloud, SaaS, mobile, data analytics and security products and services. Eric has worked in enterprise information security for more than 20 years, having previously held leadership positions at Microsoft, HEAT Software and WatchGuard Technologies.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.