Inattentive employees pose major insider threat


By Fahmida Y. Rashid, ThirdCertainty

When it comes to insider IT security threats, the biggest exposure companies face isn’t from vengeful or disgruntled employees. It’s from the inattentive ones.

Some 80 percent of network data breaches are accidental, according to a recent customer survey conducted by endpoint security vendor CoSoSys.

Infographic: Assessing insider threats

CoSoSys found that over half of employees have accidentally sent emails to the wrong person, and 59 percent think losing a mobile device or laptop with company data isn’t “too big” a threat. That’s a lot of lost devices potentially not reported to IT.

“Breaches caused by negligence, human error and lack of proper training are more common than breaches caused by malicious insiders,” says Roman Foeckl, CEO of endpoint security company CoSoSys.

Diverse damage

A data breach has serious financial implications, both directly and indirectly. A recent Ponemon Institute survey pegged the average cost of a data breach at a whopping $3.5 million.

The direct costs are easy to calculate: the cost of special investigators hired to track down the incident, the time and resources spent to remediate the issue, and lost revenue and productivity resulting from company downtime. The indirect costs are less obvious, such as brand damage and loss of consumer trust.

“In addition to any fines a company has to pay in association with a breach, there is a huge amount of lost revenue that will not be coming in,” says Foeckl.


A look at the biggest security headlines from the past year—Target, Home Depot, P.F. Chang’s, Sony—might suggest the biggest threats for organizations come from outside adversaries. But for every Target, there is a Morgan Stanley, where an employee was behind the data breach. In fact, insiders pose a more immediate threat to most organizations.

An organization can be breached because passwords to sensitive systems were shared freely or because confidential files were not adequately protected. Malicious outsiders can also take advantage of weak passwords and misconfigured systems to impersonate an authorized user on the network. In that sense, even Target can be considered an insider attack: the attackers got in using the credentials of the retailer’s HVAC provider, so to Target’s systems they looked like an authorized third party.

Range of risks

Employees need to understand the full range of exit points through which sensitive company information can end up in the wrong hands: USB storage devices, file sharing applications, cloud storage, social media, email, messengers, other online applications and even printers.

Breaches by malicious insiders tend to receive the most attention because they have the potential to cause more damage. Consider the kind of sensitive information key employees have access to, and it’s clear the repercussions to the business are “exponentially higher than a human error incident,” Foeckl says.

Often employees aren’t being deliberately malicious or even consciously negligent; many of them don’t realize that security is part of their job description. When 35 percent of employees say data security is not their responsibility, organizations need to pay attention. The IT department has to put the proper tools in place to prevent and detect data breaches, but employees also have to be educated regularly on the steps they need to take to avoid a potential breach, Foeckl says.

Focusing all efforts on keeping the bad guys out means organizations are caught off guard when the threat is already inside. Spend a portion of the budget on insider threats by implementing systems that grant employees access only to the extent they need to perform their jobs. It’s a challenge to implement such controls without severely impacting day-to-day activities, but it will be far cheaper than the final cost of a data breach.
