Cybersecurity professionals recognize threats are always evolving, but one consistent vulnerability remains the same: employees. People internal to an organization are a frequent cause of data breaches, both through negligence and with ill intentions. In this post we’ll share some real-life examples that can help you educate your employees to be more aware of the dangers and prevent an employee-caused breach from happening to you.
Understanding the Risk
Employees and contractors are the number one cause of data breaches, and the majority (56%) of security professionals say insider threats are on the rise, according to a Haystax survey. Privileged users with access to sensitive information are thought to pose the biggest threat (60%) with consultants and contractors a close second (57%) followed by regular employees (51%).
Why is the threat on the rise? Haystax’s crowd-based research identified several reasons:
- Insufficient data protection strategies and solutions
- Increasing number of devices with access to sensitive data
- Proliferation of sensitive data moving outside the firewall on mobile devices
- More employees, contractors, partners accessing the network
- Greater complexity of technology
- Increasing use of cloud apps and infrastructure
Negligent employees or contractors were the No. 1 cause of data breaches with the average cost of damage or theft of IT assets and infrastructure now exceeding $1 million. — Keeper Security and Ponemon Institute
Examples of Internal Breaches
Perhaps it’s just employee error. Snapchat in 2016 said it was “just impossibly sorry” for a data breach exposing payroll information of some 700 current and former employees. The cause? An attacker pretending to be the social media company’s CEO Evan Spiegel tricked an employee into emailing over the information. Whoops.
The City of Calgary in Canada is being sued for $92.9 million for a 2017 privacy breach impacting more than 3,700 of its employees. The city is accused of “acting with the most obvious neglect” because a city staffer sent an email to an employee in another Alberta municipality sharing Workers’ Compensation Board claim details, medical records, Social Insurance Numbers, addresses, dates of birth, Alberta Health Care numbers and income details.
Or, it could be that employees don’t know any better. The Federal Deposit Insurance Corp. (FDIC) in March 2016 acknowledged that an employee “inadvertently and without malicious intent” downloaded sensitive data onto a personal storage device. The innocent employee departed the agency with a storage device containing data and information relating to 44,000 customers. The bright side (if there can be one) is that the breach had little impact beyond reputation damage as three days later the download was discovered and the former employee returned the storage device, signing an affidavit the information wasn’t used.
Then there’s also the negligent employee ignoring the call to update security. The Equifax breach, which exposed the sensitive data of nearly 146 million Americans, was caused by a single employee’s mistake, according to testimony to Congress. CEO Richard M. Smith repeatedly referred to an “individual” in Equifax’s technology department who failed to “heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach,” according to New York Times coverage. It’s hard to believe that one careless—not even malicious!—person could cause so much damage, but the Equifax case proves it can and does happen.
Disgruntled employees can do damage as well. Perhaps feeling as if they’re being unjustly let go or overlooked for an opportunity, driven by greed, or looking to gain a competitive advantage with a new employer, ill-meaning employees can delete data or steal software or intellectual property. Plus, they have a much greater ability to cover their tracks as they often know their way around the network.
Consider these examples:
- The former network administrator for the city of San Francisco held the city’s systems hostage by refusing to give up the passwords. Why? He felt his supervisors were incompetent.
- A network engineer for oil and gas company EnerVest found out he was going to be fired and sabotaged the company’s systems by returning them to original factory settings.
- A hospital worker stole forms containing patient information and is thought to have filed fraudulent income tax returns.
These are just a few of the hundreds upon hundreds of examples that show how real the threat for insider breach is.
Detecting and preventing internal attacks is more difficult than doing so for external attacks per 66% of Haystax’s respondents.
What Can Your Organization Do?
There are many opportunities for employee error, negligence, or ill intent. The organization’s many endpoints, cloud infrastructure or applications, mobile devices, network and databases are among the assets the insider might use to launch an attack. So, what’s an organization to do?
Amp up training. While many organizations have a training program in place, the depth and breadth of the content is not sufficient to drive behavioral change. Employees need to be provided training about the many ways in which they could unwittingly be putting the organization at risk.
Only 45% of companies have mandatory cybersecurity employee training. — Experian
Make cybersecurity a priority. It’s essential that organizations focus on securing networks, systems, applications and devices as well as physical premises, developing security protocols, and establishing incident response processes.
Keep up to date. Not only should an organization keep apprised of industry trends and compliance requirements but also stay abreast of what’s happening in cybersecurity globally.
Partner with an expert. RedTeam can identify vulnerabilities in your networks, applications and infrastructure and put you on a path to correct them. Schedule your free consultation and chat with one of our experts today, or download our RedTeam Testing Guide to learn more about our many offensive security offerings.