The mysterious foreign villains striking the largest companies and political organizations from the dark corners of the Internet tend to get the splashy headlines. However, the network openings that allow outside cyber attackers to burrow in, infect databases and potentially take down an organization's file servers overwhelmingly originate with trusted insiders.
In some cases, those insiders are driven by malicious intent -- either to enrich themselves by selling sensitive data or to retaliate for perceived mistreatment. There are also cases where a company's third-party contractors, vendors or temporary workers with access credentials have been responsible for their client's network breaches through ill intent, negligence or accidental disclosure.
According to a worldwide survey of Information Security Forum (ISF) members, the vast majority of those insider-originated network openings are created without any intention of harming the employer. In a number of cases, vulnerabilities resulted from trusted employees going about their normal work routine: taking files home to work on in their spare time, or unsuspectingly opening a phishing email or clicking on a malicious link.
A recent report highlighted that 42% of healthcare data breaches analyzed were "accidental disclosures". A brief review of reported incidents on the US Department of Health and Human Services Office for Civil Rights site shows several sizable breaches (and many more involving fewer than 10,000 records) due to laptop theft, loss, improper disposal and unauthorized email access or disclosure over the last two years.
Recent ISF research developed a classification of insider breaches that identifies three basic types of risky insider behavior. Each type requires a different approach.
- Malicious: Malicious insider behavior combines a motive to harm with a decision to act inappropriately. An example is the disgruntled or conniving employee who turns over sensitive proprietary information to a competitor after being terminated.
- Negligent: Negligent behavior can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognize the importance of compliance, their workarounds can be risky.
- Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones. According to Verizon's 2017 Data Breach Incident Report, errors accounted for 14% of breaches. Social attacks accounted for 43% of breaches, and one in 14 users were duped into opening an attachment or following a link, many of them more than once.
A loyal employee's weekend work on a confidential company document downloaded through their local coffee shop WiFi can expose the user and their employer to anyone within range who wants to piggyback on the employee's signature and gain access to sensitive files. The same applies to moving data over consumer-grade FTP services, responding to authentic-looking phishing messages, careless password management, misplacing devices containing privileged information, visiting an infected website, or opening a Trojan horse virus attached to a seemingly normal email.
A typical accidental breach might involve misspelling an email address (often compounded by the autocomplete feature), which results in the message and its attachments going to the wrong person.
All of that has happened -- and it continues to happen so frequently that it has largely produced public fatigue over data leaks. That blasé attitude is not shared by information security professionals; indifference compounds an already thorny problem -- one that grows more challenging each year. Frequent, well-intended admonitions urging employees to take security seriously by creating strong passwords, studying policy documents and otherwise doing the right things are too often given lip service or interpreted too broadly.
Boilerplate email disclaimers warning recipients to immediately delete the message if they are not the intended recipient are routinely ignored. Lists of hard-to-remember and frequently changed passwords are typically written down and kept within easy reach of the person's computer. The distinctions between work and personal information kept on an employee's mobile devices are increasingly hazy, as are the related employer policies. Bring-your-own-device (BYOD) policies create a persistent challenge. Social media use has extended from individuals communicating with one another to organizations interacting with customers, investors and other constituents in real time.
Hard data on the incidence of non-malicious disclosures by insiders is difficult to come by, largely because much of it never gets reported. We suspect the main reason is that in many cases the employee's inadvertent disclosure -- although often a clear breach of written policy -- never resulted in any harm. Most people who unexpectedly receive an email with a long file attachment containing other people's financial, health, or legal information would probably be puzzled and recognize that it was sent in error. So, the data, however sensitive, would never amount to anything more than a curiosity.
But those are not the examples companies typically worry about. The cases where unintended breaches really matter are those where a security gap -- created either by trickery or mistake -- is recognized and exploited by someone bent on monetizing (through sales or ransom) the proprietary information they have been able to capture. Wholesale opportunities to sell and leverage stolen credit and identity data are available worldwide through a multi-billion-dollar industry of darknet sites run by increasingly sophisticated criminal organizations.
The human element
Combating the wholesale theft of data by limiting inadvertent actions that could lead to its misappropriation should be a priority for every organization. Investment in technologies that can help to prevent intrusions and protect data from attackers -- and there are many such options available -- is essential.
However, the most fundamental element of the threat is human. Addressing it starts with the proper vetting of employees, looking for signs that the individual has not, in the past, been a responsible steward of information entrusted to them. Applicants whose pasts include questions over their handling of information should not be brought onboard.
Even so, the temptation to categorize job applicants as either good or bad is naive. People who have shown themselves to be untrustworthy in the past are certainly a gamble, but even good people have the capacity to willfully misuse their data privileges. Particularly when someone feels they have been mistreated, disrespected or abused, an otherwise trustworthy person can develop the motivation and the means to retaliate. Therefore, an important part of the solution is to avoid putting employees into situations that are likely to undermine their trust and engender resentment.
The trust factor
In fact, cultivating a culture of trust is likely to be the single most valuable management step in safeguarding an organization's information assets. After new employees have been satisfactorily screened, continue the trust-building process, starting with onboarding procedures, by equipping them with the knowledge and skills required of trusted insiders.
Expectations of trustworthy behavior -- and the consequences of non-compliance -- should be made explicit from the outset. Over time, trust should remain an important factor in periodic performance reviews. Mechanisms for anonymously reporting suspicious workplace behavior should be made available to all levels of staff.
Above all, senior management must lead by example. Building a culture of trust around shared values, ethical behavior and truth begins at the top. Security awareness and the importance of "cyber hygiene" have to be addressed regularly in communications, training sessions and policies. Trust and ethics are increasingly important, not only to information security, but also to customer relationships, brand building and competitiveness.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.