When we think about data theft, we usually imagine highly trained hackers who make millions out of stealing and monetising our valuable business data. We also picture hacktivists who seek notoriety out of bringing down websites and ransoming stolen data. The reality is much simpler, and in turn more worrying, because it’s the people on our payroll that pose the biggest risk to the loss of sensitive business data –and it’s not just an Edward Snowden that you need to worry about.
Unfortunately, every organisation has at least one insider threat with the potential to cause significant damage to their business. According to the Verizon’s most recent Data Breach Investigations Report, the most common scenario at 60% of insider breaches involves an end-user leaving with data in the hope of converting it to cash somewhere down the line. In 71% of cases, personal information and medical records are targeted for financial crimes, such as identity theft or tax-return fraud, and occasionally just for gossip value.
While these insider threats can be intentionally malicious, most of the time they’re just careless. A recent survey by Imperva revealed that 79% of individuals believe their organisation doesn’t have data removal policies for when an employee departs, and 85% say they often store business data in home computers or personal mobile devices.
Heathrow International Airport found out how dangerous this level of carelessness can be when a USB was found on the streets of London with all the airport’s security data. From early reports, it appears likely that the USB drive was accidentally dropped by someone with genuine access to it or deliberately dropped by someone with bad intel.
With such clear and present risks, how do we possibly protect ourselves against the people we’re supposed to trust?
Before you hire an employee
One thing we know about human behaviour is that it tends to repeat itself. If an individual has been let go from a previous position for careless, unethical, or malicious breaches of sensitive data, a robust prescreening and background check will almost always reveal this to potential new employers. Your best bet for avoiding the worst-case scenarios of insider breaches is to avoid hiring an individual with a history of this kind of behaviour.
You should also develop a clear policy for data access privileges for your employees so they understand from day one their responsibilities for keeping your sensitive business data safe, and the ramifications of any careless or malicious misuse of that data.
After you hire an employee
In the age of machine learning and AI, security systems now have the ability to monitor user access to internal business data to spot anomalies and prevent careless or malicious behaviour. In much the same way the bank will monitor spending patterns to pick out fraudulent transactions, a contemporary security solution should be able to establish a baseline of user access behaviour so that anything untoward stands out.