The incidents in information security might occur due to the fault of the most respectable employees, according to Jorina van Rensburg, Managing Director at Condyn.
We have been working on the development of corporate systems to prevent information leakage – DLP (Data Loss Prevention) – for more than 12 years. And employees may not be willing to make some extra money illegally, to take revenge on someone, to access the client base to start their own business. The reasons why they fall prey to data breach and further suspicion of malicious intent are the neglect of information security rules, excessive trust in colleagues’ integrity and mere recklessness.
According to the Intel Security study, slightly more than half of information leaks take place due to outsider attacks, while 43% of troubles are caused by the employees. Intruders usually look for information about clients (34%), while employees get responsible for leaking data about their colleagues, less often exposing the client base (25%). Statistics show that insider information loss happens unintentionally more than often.
The motives of employees who leak confidential data deliberately are understandable – revenge or profit. When it comes to respectable employees, it turns out to be more complicated. Having analysed the incidents, we came to the conclusion that all “good” employees, who cause trouble, can be divided into three groups.
Innocent victims
This group includes unsuspecting employees intentionally framed by one of the colleagues.
Information security specialists helped our client to discover important documents stored locally on the disk by one of the employees who wasn’t allowed to access them. This is a serious violation of the internal regulations which requires urgent investigation. The employee’s computer appeared to have some software installed for remote control which he simply didn’t need in his work. The investigation revealed that the employee suspected of violations had no clue about the files stored on his computer. The actual culprit was a technical specialist who used the computer of the employee as a temporary network storage before transferring confidential data to a third party.
Happy-go-lucky
The group of employees who become the perpetrators of leaks due to negligence, ignorance or naivety.
A total of 44,000 customers of Federal Deposit Insurance Corp. (FDIC) became victims of personal information leakage due to the technical incompetence of the company’s employee who uploaded confidential data to a personal flash drive. Later it turned out that the information wasn’t used outside the organisation, however, with the help of special software FDIC was able to track the uploading of corporate information.
According to the Wombat Security 2017 State of the Phish Report, 28% of employed UK population and 35% of the employed in USA do not know what “phishing” is. In January 2017, a leak of personal data of 4,000 employees happened due to the fault of the colleagues who followed the link with the requirement to fill in the necessary tax forms. The letter which was sent on behalf of the CEO, appeared to be a phishing bait.
Skeletons in the closet
Such employees are harmless until something provokes them. Their personal lives hide some ‘hook’ which attackers might want to benefit from. It can be anything from debts, drugs or alcohol addiction to adultery or other private details. Information security specialists put such employees in the risk group, because criminals can use their secrets to blackmail members of staff.
Incidents that occur due to ‘innocent victims’ can be detected (and even prevented) only by information security specialists. The ‘victim’, besides being unaware of what is going on, is ineffective in finding and neutralising the attacker due to the lack of technical skills and professional knowledge. Employees with ‘skeletons in the closet’ should be controlled permanently. IS specialists tend to react promptly to the incidents originated by this type of employee. The information leakage caused by employees from the second group – happy-go-lucky – happen more often because of their criminal carelessness and negligent attitude towards the basic set of rules.
Let us give some examples:
All mine is yours
Information security specialists detected the account activity on the computer of an employee who was on vacation and didn’t have to show up even remotely. It turned out that before the vacation he delegated all the passwords to his colleague so that he wouldn’t be disturbed with constant inquiries. The company’s routine forbade access sharing. The employee’s computer kept confidential information which in case of leakage would lead to serious financial and reputational loss. The company managed to avoid the data breach, though the incautious employee was warned about possible threats and instructed.
Innocent request for technical assistance
Which corporate information is kept on the computer of which employee – you can learn it even by accident. For example, thanks to an email sent by some employee while asking for technical assistance. According to the Winnipeg Free Press, the leaked data of 3,700 employees was discovered when one of the colleagues sent the email containing the information while making a request for technical assistance.
Force majeure
Whitehead Nursing Home employee not only survived the burglary and lost valuable belongings, but also became the reason why his employer paid 15,000 pounds fine. That day when he took the corporate laptop with unprotected information home his house was robbed. According to the BBC News, confidentiality of the data referring to 46 employees and 29 patients was violated.
According to the SolarWinds survey, the majority of unintentional info breaches occur due to phishing, copying data to unprotected devices, loss of storage devices or using personal hard drives, accidental deletion or modification of information, use of corporate passwords outside the internal network, neglect of protection systems updating, incorrect configuration. According to the survey among federal agencies conducted in 2017, there was an increase in deliberate insider leaks – 29% vs 22% in 2016. Nevertheless, 44% of respondents indicated that unintentional leaks are the main threat to information security.