Small businesses account for nearly half of all cyber security breaches.
Data breaches are not just a problem for large enterprises – 43 per cent of all breaches involve small to medium-sized businesses, as reported recently by Verizon. This same report reveals that more than one in three breaches is caused by someone on the inside.
This should be a wakeup call for any company. After all, anyone with legitimate access to an organisation’s systems and data – whether full-time employee, part-time contractor or strategic business partner – can be an Insider Threat.
Yet, there is much businesses can do proactively to build Insider Threat capabilities into their data and cyber security programmes, regardless of organisation size or sector. One of the first steps is to understand the four main types of insiders that pose a risk to your organisation.
The Careless Insider
Although malicious insiders like Edward Snowden are the most well-known type of Insider Threat, according to Ponemon research, it’s the unintentional insider who is responsible for the vast majority (64 per cent) of incidents.
The Careless Insider doesn’t have malicious intent or bad will towards their employers, but due to negligence or by mistake, exposes sensitive data or systems.
Take for example how, just this June, Independent Age, a charity for older people, suffered an accidental data breach when an insider sent the personal information of almost all of its staff (contact details, salaries, bank details and pension contributions) in response to a written request for information by a former employee.
Although this type of insider doesn’t deliberately compromise data security, the results of the breach are every bit as damaging.
The Self-Serving Insider
In contrast to the Careless Insider, the Self-Serving insider purposely exploits their access to data and systems in order to further their own personal agenda. Motives can range from simple financial and professional gain – such as misappropriating customer lists and trade secrets – to getting revenge against an organisation for perceived wrongs.
McAfee recently filed a lawsuit against three insiders who are accused of stealing confidential sales and business strategy information using private email addresses, Google Drive and unauthorised USB drives.
In another instance, Andrew Skelton, a disgruntled Morrison’s employee, deliberately exposed the private data of 100,000 personnel. Skelton had a grievance against his employer after being disciplined for using Morrison’s post room for his own personal business. Skelton leaked staff salaries, bank details and national insurance numbers to several newspapers and posted the information online.
Overall, businesses face fewer Self-Serving Insider incidents than unintentional ones, but the average cost for this type of insider incident is twice as much as the unintentional incident.
The Maverick Insider
The Maverick Insider – cousin to the Careless Insider – doesn’t intend to breach data security, but disregards prudent cybersecurity policies in favour of convenience.
For example, despite express policies prohibiting the use of public WiFi to access sensitive company information and transferring it by email or using unsanctioned cloud file-sharing programmes like Box or DropBox, the Maverick Insider takes shortcuts in violation of company policy that can result in a data breach.
These Maverick Insiders may view their workarounds as harmless and do so in the name of productivity, but as evidenced by the US Department of Justice’s recent charging of seven Russian hackers, caught infiltrating hotel Wifi networks in Europe, the dangers posed by out-of-policy activities are very real.
The Ideological Insider
The Ideological insider is motivated to compromise data for moral or political reasons. Edward Snowden – who asserts that his actions were based on his moral opposition to American and British security services practices – is perhaps the most infamous Ideological Insider.
But it isn’t just governments who fall prey to the ideological insider. A great number of sectors – including technology, pharmaceutical, financial and manufacturing – are targets for the Ideological Insider.
Yu Xue, a Chinese-American scientist, pleaded guilty to stealing secrets from British drug maker GlaxoSmithKline (GSK) last August, and her brother, currently residing in Switzerland, is the subject of a US extradition order for using the information stolen by his sister to perform tests at a research facility in Switzerland, before sending the results to China.
Building an Insider Threat Programme
People – their motivations and behaviour, in particular – are at the heart of the Insider Threat. As such, it’s crucial that your organisation approaches the Insider Threat as a coordinated effort, with everyone from IT, physical security, and finance, to managers, legal and HR, sharing insights into insiders and their behaviour.
Given the total average cost of an insider threat is $8.76 million, a figure very few businesses can easily withstand, it is key to get senior leadership on board from the outset when building an Insider Threat programme.
The next step is to establish cybersecurity policies that actively protect against Insider Threat incidents, but still enable staff to do their jobs efficiently and effectively.
Having an open dialogue with your trusted insiders about why such policies are necessary, and addressing their needs, leads to collaborative cybersecurity – where employees are on side and motivated to protect the security of people and data.
Employees must also be trained effectively on those policies and training should be ongoing. Cybersecurity is not a “once and done” proposition.
Technology solutions play a fundamental part of data security efforts too. Indeed, both Forrester and Gartner recommend user activity monitoring for full visibility and full context into all user behaviour on company systems in order to combat the Insider Threat.
While activity monitoring allows companies to reinforce security protocols, by triggering instant reminders when out of policy activity occurs and blocking risky behaviour outright, it’s useful to note that monitoring technology can be anonymised so as to respect employee privacy too. This is a win-win.
Ultimately, by taking a proactive approach to understanding the many ways an insider incident can happen and how to mitigate it, businesses can protect their data and their personnel – ensuring that the Insider Threat, whatever the type, is a challenge that they can surmount!
First published in Minutehack.com, reproduced with permission
Subscribe to the Proofpoint Blog