Insider Threat Management

5 Examples of Malicious Insider Data and Information Misuse

(Updated 05/20/2021)

Before you can start to properly protect your sensitive data, you need to first understand how it is at risk. Everyone knows to protect themselves from external threats, but insider threats are becoming a security issue that can no longer be overlooked. 

The most common insider threat perpetrators are your employees and third-party contractors. According to the 2020 Ponemon Global Cost of Insider Threats report, insider threat incidents increased by 47% over the last two years.

So how do you identify insider threats? First, you need to understand what data misuse is and what it looks like. 

Data misuse is the use of data in a way that is inappropriate relative to the purpose defined when the data was initially collected. Put simply, it is when data is not used the way it was originally intended to be used.

Misuse of information is typically governed by laws and/or corporate cybersecurity policies. But even with laws and policies in place, the potential for data misuse is growing.

Insider threat incidents involving data misuse have serious implications, not least of which is the high monetary cost associated with them. And without the right people, processes, and technology in place to provide visibility into insider threats, detection and response can be nearly impossible to manage.

Real-World Examples of Data Misuse

Here’s a look at some recent examples of real-world insider threat-based data misuse. Notice how it’s not unique to any one industry.

1. Building products distributor in Atlanta
Charles Taylor, an IT admin, quit his job at an Atlanta-based building products distributor in July 2018. Shortly after, in an apparent act of revenge against new management, he used insider knowledge to remotely log in to the company network and sabotage it. He also used encryption to hide his actions from security tools. But he didn’t stop there. Taylor used his remote login to change the passwords for routers used at dozens of the company’s warehouses, which led to complete chaos. He also shut down the company’s central command server, which took two days to rebuild and cost the firm significant damages. He was fined and sentenced to prison.

2. Stradis Healthcare

Christopher Dobbins, the former VP of Finance at Georgia-based Stradis Healthcare, sabotaged shipments of personal protective equipment (PPE). This occurred during the early days of the COVID-19 crisis in the U.S. Before he was terminated in March 2020, he had been disciplined on multiple occasions for abuse of internal applications. Three days after receiving his last paycheck, he logged in to sensitive systems using a fake account that he had set up while still employed, giving himself access to the company’s computer system. Once inside, he edited 115,000 records and deleted another 2,400. The revenge-motivated hack disrupted PPE shipments for one to three days during the early, crucial days of the pandemic response.

3. Twitter
In July 2020, a small group of hackers led by a teenager coerced a Twitter employee into providing credentials for internal administrative tools. These tools allow Twitter to manage any account on the service. The hackers took over the Twitter accounts of several famous people, including Barack Obama, Jeff Bezos, and Elon Musk. After gaining access, they tweeted out a scam that solicited bitcoin from followers in exchange for a promised doubling in value. Twitter put a stop to it, but only after hundreds of transactions were completed, adding up to hundreds of thousands of dollars stolen. In addition to the chaos and reputational damage, the attack raised questions about Twitter's power over its users: more than 1,500 full-time employees and contractors have the ability to make changes to user accounts.

4. Trend Micro
A Trend Micro employee sold data belonging to 68,000 customers to a malicious third party, which used the data to conduct scam phone calls in which the callers pretended to be Trend Micro support staff. Trend Micro only became aware of the scam after customers started complaining. The employee had gained illicit access to a consumer database used for customer support, which gave him customer names, email addresses, support ticket numbers, and telephone numbers. The employee’s account was disabled, the employee was fired, and law enforcement was involved.

5. Postbank
Postbank, South Africa’s Post Office Bank, fell victim to a major insider-caused security breach. Multiple employees copied the master encryption key, giving them access to Postbank customer accounts and the bank’s internal systems. With this access, they were able to view account balances, reset bank cards, exfiltrate personal information, and steal money. The breach affected 12 million cards and 8 to 10 million people who rely on Postbank for government assistance funds. It took Postbank a year to discover the full extent of the fraud, which amounted to around 25,000 fraudulent transactions and $3.35 million in damages.

Final Thoughts

As these examples show, insider threat-based data misuse by employees is widespread and can occur in any industry. Even where an organization has data loss prevention (DLP) tools in place, those tools can miss the user and their activity before and after each risky data interaction.

Differentiating between a malicious insider threat and an accidental one requires context on the user’s behavior. The best way to get that context is to implement a robust Insider Threat Management (ITM) program. Traditional security tools, like legacy DLP, can’t accurately monitor data movement in the right context, and can get in the way of productivity. But by leveraging an ITM program in conjunction with a modern approach to DLP, organizations can correlate user activity and data movement to more accurately identify user risk, detect insider-led data breaches, and accelerate security incident response. After all, the longer it takes to identify a data leak or data breach, the more damage can be done.
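One concrete form of the correlation described above is matching authentication events against HR offboarding data, which is exactly the context that would have surfaced the Stradis and Atlanta cases (logins after termination, and a "spare" account created by a soon-to-depart employee). The following is an added illustration written for this page, not Proofpoint's code or any product's logic; the user names, dates, IP addresses and log format are all constructed.

```python
from datetime import date

# Constructed HR data: username -> termination date (not real people or systems).
TERMINATIONS = {"finance_vp": date(2020, 3, 5), "it_admin": date(2018, 7, 10)}

# Constructed account-creation audit records: (new_account, created_by, created_on).
ACCOUNT_CREATIONS = [
    ("svc_reports", "finance_vp", date(2020, 2, 28)),  # created days before departure
    ("jsmith", "hr_admin", date(2020, 1, 15)),         # routine onboarding
]

# Constructed auth log, one event per line: "<date> user=<name> src=<ip> result=<ok|fail>"
AUTH_LOG = """\
2020-03-09 user=svc_reports src=198.51.100.7 result=ok
2020-03-09 user=jsmith src=10.0.0.5 result=ok
2018-07-12 user=it_admin src=203.0.113.9 result=ok
2020-03-01 user=finance_vp src=10.0.0.8 result=ok
"""

def parse_auth_log(text):
    """Parse the constructed log format into (date, user, src, result) tuples."""
    events = []
    for line in text.splitlines():
        day, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((date.fromisoformat(day), kv["user"], kv["src"], kv["result"]))
    return events

def shadow_accounts(creations, terminations, window_days=30):
    """Accounts created by a person within window_days before that person's
    termination date. Returns {account: creator}. window_days is an assumed threshold."""
    out = {}
    for acct, creator, created_on in creations:
        left = terminations.get(creator)
        if left and 0 <= (left - created_on).days <= window_days:
            out[acct] = creator
    return out

def flag_post_termination_logins(events, terminations, creations, window_days=30):
    """Return (date, user, src, reason) for successful logins that a departed
    insider could be behind: their own account, or an account they created shortly
    before leaving."""
    shadows = shadow_accounts(creations, terminations, window_days)
    alerts = []
    for day, user, src, result in events:
        if result != "ok":
            continue
        if user in terminations and day > terminations[user]:
            alerts.append((day, user, src, f"login after termination on {terminations[user]}"))
        elif user in shadows and day > terminations[shadows[user]]:
            alerts.append((day, user, src, f"account created by {shadows[user]} before departure"))
    return alerts
```

Running `flag_post_termination_logins(parse_auth_log(AUTH_LOG), TERMINATIONS, ACCOUNT_CREATIONS)` on the constructed data flags the `svc_reports` and `it_admin` logins and leaves the two legitimate ones alone; in practice the HR feed and account-creation audit would come from the identity provider rather than inline dictionaries.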
