When an organization is hacked, fingers immediately point to the actors who planted the malware and have something to gain from the data breach: cyber-criminals looking to sell the sensitive information they collect or to drain bank accounts, or nation-states hoping to wreak havoc on an enemy. What doesn’t get talked about is how that malware got into the system in the first place. Almost always, data breaches and other security events occur because of the actions of someone on the inside. For this reason, most security experts believe the greatest threat to an organization’s network and data is its employees.
According to Steve Durbin, managing director with the Information Security Forum, most of these threats are just mistakes that happen innocently enough. Someone clicks on a link in a phishing email or in social media, or visits a website that has been infected. Sometimes data were compromised even more innocuously. As Durbin wrote in a Recode article, “In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly run-of-the-mill task, like taking files home to work on in their own spare time.”
Employees: The Security Wildcard
Having a strong security system in place and using tools like the Threat Sketch Risk Assessment are vital in order to protect both your network and your data. However, no matter how well protected the infrastructure is, it is extremely difficult to factor in human behavior. A penetration test may sniff out vulnerabilities in the software, but it will do nothing if an employee’s corporate laptop is stolen and an outsider is able to access any files on the computer.
The Bring Your Own Device (BYOD) movement and shadow IT have only increased the insider risk problem. Because IT departments aren’t able to monitor these devices and applications as strictly as those owned or approved by the company, BYOD and shadow IT likely do not have the same security systems. Also, security is often ignored by employees using their personal devices because it slows down productivity. This leaves the devices open for a variety of different types of security lapses, such as the use of public WiFi, unlocked devices, and downloading malicious apps.
Employees at all levels are a risk to the company’s infrastructure. The University of Alabama at Birmingham found that while 43 percent of C-suite executives believe that insider behaviors are the greatest threat to a company’s security, they are more likely than their lower-level staff to create a security threat. More than half of C-suite executives take corporate data with them when they leave the company, and nearly two-thirds of executives send sensitive corporate information to the wrong person, compared to a quarter of the staff at large.
The Malicious Insider
While the majority of cybersecurity threats to a company are caused by mistakes or negligence, there are individuals who fully intend to cause the company harm by violating security protocols. Edward Snowden may be the most well-known malicious insider. Snowden used unauthorized access to steal government documents, revealing secrets of how government agencies operated. Another former NSA contractor, Harold Martin, was recently arrested for similar activity. A UK-based study found that one in every 50 employees is believed to be a malicious insider, who goes on to harm the company through theft of confidential information, damage to equipment and the network, and lost productivity.
Plugging the Insider Leak
There are several steps organizations can take to make sure insiders are less of a threat. These include:
- Regular and hands-on security awareness training. There are educational tools available, many for free, that allow employees to see what happens when they click on a bad link and to actively learn how to spot the difference between a real email and a phishing email. Keep up regular communications about security threats with employees through newsletters and social media postings.
- Update and enforce security protocols. Employees should know what the security risks are and the consequences for violating policies.
- Deploy BYOD security policies. Employees should have to prove their devices are equipped with required security tools before they can access data.
- Set good examples. IT and C-level executives should be using all of the security best practices they require of the rest of the staff.
- Understand where the company’s security posture stands, using tools provided by Threat Sketch, and establish a baseline for employee behaviors.
“Cultivating a culture of trust is likely to be the single most valuable management step in safeguarding an organization’s information assets,” Durbin writes. “Expectations of trustworthy behavior — and the consequences of noncompliance — should be made explicit from the outset.” When employees know the expectations, the policies, and consequences of breaking those rules, there is a better chance of preventing insiders from becoming your worst security nightmare.
About the Author: Sue Poremba. Sue is a Central PA-based writer who has covered cybersecurity since 2008.