A number of high-profile cyberattacks and data security breaches over the past two years have seen the issue emerge as a major concern for CEOs, CIOs, CTOs and boards. According to the IBM 2015 Cyber Security Intelligence Index report, 55% of cybercrime incidents involve insiders: employees, contractors or third-party vendors.
However, many organisations do not have basic data security protocols in place to mitigate the insider threat, and many are not investing in IT security.
Businesses now collect and store massive amounts of data, comprising confidential or sensitive information and personal information, often relating to their customers, clients and employees. The more data an organisation holds, the greater the harm to the organisation if that data is breached.
A serious breach can lead to significant brand damage, loss of reputation for the organisation and its executives, damage to customer confidence and a reduction in the organisation's share price or value. A breach involving customer data may lead to litigation against the organisation or its executives by customers, third-party vendors or shareholders, particularly where banking or payment facilities are compromised.
What is a data security breach?
A data security breach is any unauthorised access to, use of, or disclosure of confidential information or personal information held by an organisation. Physical security is as important as cybersecurity: many breaches occur when employees or contractors simply print documents and walk them out the door, which is plain theft of documents.
The data most often sought by attackers includes customer credit card details and related personal information, together with the organisation's own confidential information, such as trade secrets, trading results, strategic business plans or the terms of key agreements.
In some cases, breaches have gone unnoticed by organisations for months or years while critical data is siphoned off or compromised. Many organisations are also reluctant to report breaches once discovered, which raises the concern that breaches involving customers' personal information could expose those customers to identity theft or fraud without their knowledge.
In Australia, the federal government has responded to public concern over the security of personal information and has outlined its proposal to introduce mandatory data breach notification laws in the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015. The Bill, if passed into law, would impose a requirement that Australian organisations notify individuals when there has been a serious breach of their personal information. Similar laws already exist in the United States, Canada and several European countries.
The ‘rule bender’
A breach facilitated by an insider can be unintentional or inadvertent. The 'rule bender' fails to comply with the organisation's data security protocols and directions regarding, for example, changing passwords, connecting to public Wi-Fi when accessing the organisation's computer, IT and email systems, or using personal electronic storage devices.
Once the password or log-in details of a lax employee or contractor are compromised, a hacker (or any unauthorised person) can operate with that employee's or contractor's existing permissions and then move laterally to reach critical data that was never accessible to that employee or contractor under their designated permissions. The wider the standing permissions of the compromised account, the further the attacker can get before any additional control is encountered.
A single point of weakness, one compromised account, can therefore be enough for hackers (or unauthorised persons) to work through the organisation's administrative controls and reach critical data.
Most organisations are now familiar with the plague of "ransomware", which began to spread from about 2013 onwards. In most cases, an employee or contractor has clicked on a link in an email from an unknown source and inadvertently downloaded malware into the organisation's computer and IT systems. The malware encrypts the organisation's data and demands a ransom in exchange for the decryption key.
Intel Security’s 2016 Threat Predictions Report states that the ransomware plague is likely to continue and grow, in terms of both the frequency and sophistication of the attacks.
Notable victims of ransomware include the Australian Broadcasting Corporation and recently, a series of health care facilities in the US – raising concerns that such facilities will be targeted again in the future, because the victim is likely to pay a significant sum, to avoid compromising patient care (1).
The wolf in sheep’s clothing
Other insiders are motivated to commit fraud or industrial espionage for financial gain.
Personal information stolen by, or with the assistance of an insider, such as patient medical records, credit card numbers and government identifiers, can then be sold on the black market and used to commit identity theft and facilitate fraud against banks, insurers and government departments.
According to the website, eSecurity Planet, an employee of Flowers Hospital in Alabama in the United States, stole patient information from June 2013 to February 2014 and then used the information to file fraudulent income tax returns (2). The matter is now the subject of a class-action lawsuit filed against the hospital by former patients. The lawsuit alleges the hospital was negligent, by having failed to properly safeguard patient information.
But the most dangerous category is the "disgruntled insider", determined to sabotage the organisation after a negative experience, such as being dismissed or being overlooked for a promotion.
In October 2015, Fairfax Media reported that a disgruntled former employee of the Tribune Company was convicted of criminal offences in a United States Federal Court in California, after he entered an Internet chat room associated with Anonymous, the online hacking collective, and provided others in the chat room with a username and password (3). This allowed those users to make unauthorised changes to the Tribune Company's Los Angeles Times news website. According to court documents, the same employee had previously sent disparaging emails about the Tribune Company to consumers and changed the access credentials of other employees, interfering with their ability to access company servers.
Identifying and minimising the threat
A data breach can be perpetrated by any person at any level in any organisation. The insiders who are most trusted within an organisation are the same people with the potential to cause the greatest harm.
Despite the best efforts of an organisation, a certain percentage of employees or contractors will ignore security protocols, training and instructions. Those motivated by financial gain, personal revenge, or political or ideological purposes can be difficult to identify.
Consider these options for identifying and minimising the insider threat:
- Firstly, identify the employees and contractors within the organisation (and third-party vendors) who have access to critical systems and data, and review all related contracts.
- Separate and protect critical data with identity and other administrative controls, including, if appropriate, segmenting critical data away from generally accessible infrastructure.
- Ensure that data is backed up as often as possible so that operations can be restored quickly in the event that data is encrypted, lost or compromised. Keep at least one copy where a compromised account cannot reach it, and test restores regularly; a backup that has never been restored is an assumption, not a safeguard.
- Review and reconsider your organisation's investment in IT (including hardware) and cybersecurity.
- Check your general and cyber insurance policies for any exclusions relating to the conduct of employees or contractors.
The rule bender?
- Apply encryption to emails, documents and electronic storage devices, to protect against inadvertent disclosures and lost USB drives or laptops.
- If employees and contractors are permitted to work remotely, consider providing them with additional security resources, software, instructions and training.
- Consider a "clean desk" policy to ensure that confidential or sensitive documents cannot be read or copied by visitors, unauthorised persons, or the cleaners after hours.
- In addition to regularly updating IT use policies, ensure workers receive continuous security awareness training and are trained to think critically about data security and cybersecurity.
- Consider biometric authentication for access to critical systems, so that a shared or stolen password alone is not enough to gain access, and so that access attempts can be tied to an individual rather than a credential.
- Ensure the organisation's policies prohibit the use of personal email, cloud storage services and electronic storage devices to store, send, transmit or receive work information, documents and emails. Monitor and audit your systems for compliance.
- If employees and contractors are permitted to use personal mobile devices for work purposes, ensure that the organisation has a "bring your own device" policy that allows the organisation to remotely access and wipe any work-related information from the personal device. Consider obtaining a written authority allowing the organisation to remotely access the device, and/or a corresponding clause in your employment and contractor agreements.
The wolf in sheep’s clothing?
- Consider pre-employment or pre-engagement background checks for all IT workers and others with access to critical systems and data. Request the same from third-party vendors.
- Implement auditing programs that analyse log data to identify unauthorised (or unnecessary) access to critical systems and data. Compare who actually accessed a critical system against who was approved to: access outside the approved list is a potential breach, and approved access that is never used is privilege that can be removed.
- Keep your ear to the ground. There are often rumblings before an employee or contractor turns rogue. Consider implementing an insider threat counterintelligence program, so that potential threats can be reported and monitored where necessary.
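The following is an added example, not code from the original article or from any organisation it cites, of the kind of audit the list above describes: it takes a register of who is approved to access two critical resources (the inventory from the first list) and runs constructed, syslog-like access events against it, reporting accounts that touched a resource they were never entitled to (including denied attempts), bulk exports by entitled accounts outside working hours, and entitlements that were granted but never exercised in the review window. The account names, resource names, log format and business-hours window are all assumptions made for the example.

```python
# Added example (not from the original article or any cited organisation).
# Audits constructed access events against a constructed entitlement register
# and reports three kinds of finding:
#   "unauthorised"       - account used, or tried to use, a resource it is not
#                          entitled to (denied attempts count: probing is a signal)
#   "after-hours-export" - entitled account bulk-exported data outside the
#                          assumed working day
#   "unused-entitlement" - entitlement never exercised in the window, a
#                          least-privilege removal candidate
# Account names, resource names, log format and hours are assumptions.
from collections import defaultdict
from datetime import datetime, time

# Constructed entitlement register: account -> set of approved critical resources.
ENTITLEMENTS = {
    "alice": {"patient-records"},
    "bob": {"patient-records", "billing"},
    "carol": {"billing"},        # approved, but never uses it in the sample window
    "vendor-svc": {"billing"},   # third-party vendor service account
}

# Constructed access log, one event per line:
#   <ISO timestamp> <account> <resource> <action> <result>
SAMPLE_LOG = """\
2016-03-01T09:12:44 alice patient-records READ ok
2016-03-01T09:30:02 bob billing EXPORT ok
2016-03-01T23:41:10 dave patient-records READ ok
2016-03-02T02:05:33 bob patient-records EXPORT ok
2016-03-02T10:15:00 vendor-svc billing READ ok
2016-03-02T10:16:12 vendor-svc patient-records READ denied
2016-03-03T11:00:00 mallory billing READ ok
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local working day


def parse_event(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, account, resource, action, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "account": account,
        "resource": resource,
        "action": action,
        "result": result,
    }


def audit(log_text, entitlements, business_hours=BUSINESS_HOURS):
    """Return a list of (kind, account, resource, timestamp-or-None) findings."""
    findings = []
    exercised = defaultdict(set)  # account -> resources actually used successfully
    start, end = business_hours

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        allowed = entitlements.get(ev["account"], set())

        if ev["resource"] not in allowed:
            # No entitlement at all: flag even when the system denied the request,
            # since an account probing resources it has no business with suggests
            # compromised credentials or a curious insider.
            findings.append(("unauthorised", ev["account"], ev["resource"],
                             ev["ts"].isoformat()))
            continue

        if ev["result"] == "ok":
            exercised[ev["account"]].add(ev["resource"])

        in_hours = start <= ev["ts"].time() <= end
        if ev["action"] == "EXPORT" and not in_hours:
            findings.append(("after-hours-export", ev["account"], ev["resource"],
                             ev["ts"].isoformat()))

    # Granted but never used: review items for the access-review step.
    for account, resources in entitlements.items():
        for resource in sorted(resources - exercised[account]):
            findings.append(("unused-entitlement", account, resource, None))

    return findings


def summarise(findings):
    """Count findings by kind, e.g. {'unauthorised': 3, ...}."""
    counts = defaultdict(int)
    for kind, *_ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ENTITLEMENTS):
        print(*finding)
    print(summarise(audit(SAMPLE_LOG, ENTITLEMENTS)))
```

On the sample data this flags three unauthorised events (an unknown account, a vendor service account reaching beyond its contract, and an account with no entitlement reading billing data), one after-hours export by an entitled user, and one approved-but-unused entitlement. The denied vendor attempt is reported deliberately: the system's own access control did its job, but the audit is what tells you someone tried.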
Every organisation should ensure that the CIO, CTO and human resources team are trained to identify potential insider threats and are prepared to respond to a breach, particularly where an employee or contractor is a suspect. They will need to react quickly to triage and contain the threat, and to gather information effectively from across the organisation for use by external service providers, insurers, lawyers and law enforcement.
Finally, ensure that data security and cybersecurity are regular agenda items at board meetings. A breach has the potential to cause significant brand damage and to adversely affect the organisation's stakeholders. These are matters that fall directly within both the statutory and civil responsibilities of the organisation's directors. A board that does not know whether the organisation's data security systems, processes and protocols are adequate to protect the interests of the organisation and its stakeholders leaves itself wide open to accusations of breach of duty. It follows that a board should ensure that the organisation's processes include asking contractors and third-party vendors to provide details of their own security systems, processes and protocols.