Guest blog provided by Charlotte Dunlop.
Cyber security threats are on the rise at an alarming rate. According to a Ponemon Institute study, 90% of healthcare organisations have had a data breach in the last two years. Additionally, the research showed that over half of these breaches came from inside the organisations themselves.
Whether it’s employees exfiltrating data on purpose or unintentionally breaching company data security policies, insider threats are real. Harvard Business Review even went so far as to state boldly that ‘The biggest cybersecurity threats are inside your company!’
These insider security violations fall into three types: the negligent employee, the malicious insider, and the third-party contractor. Let’s take a look at how and why these attackers make their way into protected networks and systems.
The Negligent Employee
Negligent and unknowledgeable employees can inadvertently compromise the security of your company data. In today’s IT landscape, your employees can log onto company networks with their personal devices. This becomes an issue when employees access your network over unsecured public Wi-Fi, which gives malicious hackers an opportunity to observe login credentials and use them for criminal purposes.
Threats can also be less high-tech, as shown in the Feinstein Institute for Medical Research case in 2016. A data breach cost the institute $3.9 million after a laptop containing personal data on thousands of people was stolen from an employee’s car.
The Malicious Insider
The malicious insider is the most difficult threat, as they are not easily prevented by protocols, training or policies. This type of threat is most commonly a disgruntled employee looking for revenge – malicious insiders are usually emotionally charged rather than incentivised by financial gain. Ex-employees with a grudge have a lot to benefit from: they can sell stolen data on the black market, make fraudulent transactions or publicly release damaging information about internal practices.
However, it could also be that a criminal agent secures employment in your business to gain access to your network and data. The insider then works with legitimate credentials to breach data, which could be anything from collecting sensitive personal information of customers to planting malicious software into the system.
The Third-Party Contractor
Third-party contractors are a similar threat to negligent or unknowledgeable employees. They present another opportunity for malicious hackers to compromise your security. It could be as innocent as the maintenance company you have contracted, or the company you outsource to, but these third-party contractors have at least some degree of access to your organisation’s data.
It’s difficult for your own internal security policies to ensure that contractors, or their employees, will not cause a data breach that then leads to a compromise in the network of all the organisations they are contracted with.
Steps to Prevent Insider Threats and Data Breaches
According to a 2016 report on cyber-crime by consulting agency PwC, almost 50% of organisations thought that cyber-crime would come from external sources, but in fact over 55% of the cyber-crimes reported were committed by internal actors. It’s clear that insider threats will continue to be a challenge for businesses. Here are six tips to protect against security violations and data breaches from insider threats:
- Training is central to keeping risks from negligent employees at bay. Make sure that all employees are trained on the best practices to use for data security. All employees should also understand that data security is part of everyone’s job. Help your employees be safe by designing your IT systems to include mandatory quarterly password changes. Encourage employees to never download work-related data or log on to networks from personal devices or unsecured Wi-Fi networks.
- Strict data policies are needed to ensure that you are securing your company’s intellectual property and sensitive data. Review data policies with all new hires, so that the moment someone is on-board they are aware of the protocols.
- De-authorise ex-employees immediately. When an employee leaves, ensure that your IT department changes computer and account passwords. You should also inform third-party services of the employee’s termination so they can de-authorise their account too.
- Ban working on personal devices, as this is bad practice. In this day and age you can avoid this by investing in more storage, which is now available cheaply. Departing employees should not have any company data on personal devices. Make sure your HR department checks whether ex-employees have company data on their personal computers, tablets, flash drives or smartphones.
- Regularly review employee access. If there’s no need for an employee to access an account, revoke their permission. You should also consider restricting remote login applications and cloud storage applications.
- Use monitoring technology. Take advantage of user monitoring technology and make your employees aware that monitoring is taking place. If an employee knows that policy violations are being monitored, they’ll be much less likely to copy files, email information outside of the company, or print confidential data. After a security violation, user activity monitoring is also one of the best tools a company has for figuring out what happened and who it can be traced to.
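The de-authorisation, access-review and monitoring tips above all come down to one recurring check: compare what HR says about each person with what the directory actually grants them. The script below is an added example, not part of the original post or any product the post mentions, and it assumes a hypothetical HR roster export and identity-provider export in the simple dictionary shapes shown; all names, groups and dates are constructed sample data. It flags terminated staff who still hold accounts, logins recorded after a termination date, group memberships beyond a role's baseline, and accounts that have sat unused past a dormancy threshold.

```python
"""Hypothetical access-review script (added example, not from the original post).

Cross-checks an identity-provider export against an HR roster to flag the
accounts that the post's checklist says should not exist or should be trimmed.
Every record below is constructed sample input, not real data.
"""

from datetime import date

# Constructed HR roster: what HR believes about each person.
HR_ROSTER = {
    "alice": {"status": "active", "role": "nurse"},
    "bob": {"status": "terminated", "role": "contractor", "end_date": "2016-03-01"},
    "carol": {"status": "active", "role": "finance"},
}

# Constructed identity-provider export: what the directory actually grants.
ACCOUNTS = [
    {"user": "alice", "groups": ["clinical"], "last_login": "2016-04-10"},
    {"user": "bob", "groups": ["maintenance", "domain-admins"], "last_login": "2016-04-02"},
    {"user": "carol", "groups": ["finance", "clinical"], "last_login": "2015-12-01"},
    {"user": "dave", "groups": ["clinical"], "last_login": "2016-04-09"},  # nobody in HR
]

# Hypothetical role-to-group baseline: the groups each role legitimately needs.
ROLE_GROUPS = {
    "nurse": {"clinical"},
    "contractor": {"maintenance"},
    "finance": {"finance"},
}

# Constructed date on which this review is being run.
REVIEW_DATE = date(2016, 4, 15)


def review_access(roster, accounts, role_groups, today, dormant_days=90):
    """Return a list of (user, reason) findings for accounts needing attention."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        last_login = date.fromisoformat(acct["last_login"])
        person = roster.get(user)

        # Orphan account: nobody in HR owns it, so nobody is accountable for it.
        if person is None:
            findings.append((user, "no HR record"))
            continue

        # Ex-employee still holding an account: should have been de-authorised,
        # and any login after the end date is worth investigating.
        if person["status"] == "terminated":
            findings.append((user, "terminated employee still has an account"))
            end_date = date.fromisoformat(person["end_date"])
            if last_login > end_date:
                days = (last_login - end_date).days
                findings.append((user, f"logged in {days} days after termination date"))

        # Groups beyond the role baseline: least-privilege drift to revoke.
        extra = sorted(set(acct["groups"]) - role_groups.get(person["role"], set()))
        if extra:
            findings.append((user, f"groups beyond role: {', '.join(extra)}"))

        # Dormant account: unused access that nobody is reviewing.
        idle = (today - last_login).days
        if idle > dormant_days:
            findings.append((user, f"dormant for {idle} days"))
    return findings


def findings_by_user(findings):
    """Group findings into {user: [reasons]} for a per-person report."""
    report = {}
    for user, reason in findings:
        report.setdefault(user, []).append(reason)
    return report


def run_review():
    """Run the review over the constructed sample data and return the report."""
    return findings_by_user(review_access(HR_ROSTER, ACCOUNTS, ROLE_GROUPS, REVIEW_DATE))


if __name__ == "__main__":
    for user, reasons in run_review().items():
        print(f"{user}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On the sample data this reports bob (terminated but still present, a login after his end date, and a domain-admins membership his contractor role never needed), carol (a clinical group outside her finance role and an account idle for 136 days) and dave (an account with no HR owner), while alice produces no findings. Run against a real directory export, the same four checks give HR and IT a concrete list to act on each review cycle rather than a vague instruction to "review access".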