Data Breaches by Employees
How to Keep Your Company Out of the Headlines

By Sam Chi
March 02, 2017

For many of us, the term “data breach” conjures up images of a shadowy character in a dark hoodie — a nefarious criminal. But the more we understand about how data breach incidents originate and propagate, the more likely we are to shift focus from outsider hackers to insider (employee) threats. Insider threats can be malicious, but often they are accidental. Rather than a shadowy scoundrel, your greater security risk might very well be Alice in the accounting department, who absentmindedly leaves her laptop on the bus.

No organization, including tech and social media companies, is immune to a data breach resulting from ignorant or malicious behavior of employees or business partners. Earlier in 2016, a payroll department employee at Snapchat received a spear-phishing email that appeared to be from Snapchat Chief Executive Evan Spiegel. The employee replied to the email, inadvertently sending sensitive personal information on about 700 current and former workers to an outside party.

In order to avoid being the subject of the next data breach story in the headlines, corporate leaders must take three key steps. First, they must understand the nature of insider threats. With that knowledge, they must support policies and procedures to deter and detect insider threats. Most importantly, they must actively build a culture of awareness and care on the part of employees to protect and secure proprietary enterprise data.

Corporate leaders must understand the nature of insider threats and play a critical role in building a culture of awareness and care on the part of employees to protect and secure proprietary enterprise data. Developing such strategies at the C-level ensures that every employee in every business unit understands the risks, and that data security principles and practices are uniform across the organization, not just the onus of IT and senior knowledge workers.

1. Recognize Potential Insider Threats in Your Organization

According to the 2016 Data Security Incident Response Report issued by Baker & Hostetler LLP, approximately 37% of security incidents arise due to employee negligence or human error, with another 31% stemming from phishing/hacking/malware attacks.

An insider is someone who has authorized access to an organization's network, system or data; this could be an on-site or remote employee, business partner or contract worker. There are three categories of insiders who present the greatest risk of breach, outlined below.

Exploited Insider

An exploited insider may be a victim of phishing, baiting or other scams. This is typically an innocent user, as in the Snapchat case, who is misled into providing data or passwords or who is enticed to click a link or visit a website that may install malware such as keystroke loggers.

Careless Insider

A careless insider may change or delete data through lack of attention to detail or policy. These users, as the name suggests, simply make thoughtless errors without awareness of the impact. Examples of careless insiders include moving data to unprotected locations or storing data via unsecured tools, such as flash drives, Dropbox, or even moving company data through personal email accounts.

Not surprisingly, a survey of over 500 cybersecurity professionals by Crowd Research Partners — Spotlight Report on Insider Threats — notes that privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations (60%), followed by contractors and consultants (57%), along with regular employees (51%).

Malicious Insider

A malicious insider is someone who intentionally destroys or leaks data, often with nefarious goals:

  • Monetizing sensitive data, for example, selling customer lists or financial plans.
  • Fraud: A perpetrator of fraud engages in activities that are designed to defraud, misappropriate property or funds or circumvent the regulations, law or policies of a company.
  • Sabotage or Revenge: For example, an angry former employee seeks to take out frustrations on an old boss or others who wronged him or her during tenure at the organization.
  • Whistleblowing: Insiders revealing information or documents to support accusations of internal mismanagement or threats of retaliation, potentially resulting in internal investigations or litigation.
  • “Hacktivism”: The practice of loosely organized hacker groups that attack government or corporate entities to draw attention to social or political causes.

2. Prioritize the Use of New Tools and Technology to Reduce Insider Threats

While the proliferation of mobile devices, cloud applications and portable data technologies may increase the general risk of insider attacks, the good news is that there has been a corresponding rise in the emergence of tools and technologies to help monitor activity to prevent or identify insider threats. Boardroom discussions increasingly focus — as they should — on three primary approaches to avoid, identify and address the impact of insider threats: deterrence, detection and analysis.

Threat Deterrence

Under the category of deterrence, some of the key procedural and technology controls that can be utilized include identity management, access control, encryption and security policies. The goal here is to prevent a breach before it happens.

First and foremost, every organization should inventory and monitor all assets provided to employees and contractors. This allows an organization to know where its data is and who is using a given device, to ensure each device is returned at the point of separation, and to prevent assets from falling into the wrong hands.

Every employee and contractor should have unique login credentials. This prevents users from employing a generic login to perform malicious or careless acts, and it allows employers to trace a threat or breach back to its source.

Whole disk encryption on all devices ensures that any laptop or device that is lost or stolen will not allow those who possess the device to access sensitive or proprietary data contained therein. Mobile devices should employ mobile device management applications that allow for encryption of company data and remote wipe of lost/stolen devices.

An organization should only provide access to systems and applications that are necessary for an employee/contractor to perform his/her specific function and complete assigned tasks.

Threat Detection

Detection involves processes and tools that allow information security teams to monitor login activity, flag unusual activity and identify intrusion. Data loss prevention (DLP) tools and forensic tools similar to those used in the e-discovery process can also be employed to identify bad actors or those who have improperly stored or transmitted proprietary data.

DLP tools allow for the creation of rules as to how an organization expects data to be handled, communicated and stored. If a user goes outside the bounds of these rules, data is quarantined and an alert is generated that can be reviewed by IT or information security teams.

Forensic tools and natural language processing tools can contribute to more effective approaches to identifying insider threats or even curbing opportunities for related employee action. These tools are also used during the e-discovery process or as part of internal investigations that leverage the common language of data and systems and consider a number of varied techniques from different disciplines when investigating an incident.

Threat Analysis

Analysis involves the use of tools that do everything from analyzing traffic patterns, active processes, and email patterns or content to tracking file movement across the network. This is often a key element in successful enterprise information security strategies. Threat analytics adds a measure of safety with tools for employee monitoring, Web filtering, mobile monitoring and laptop anti-theft tools, among others.

3. Increase Efforts on Security Education and Cultural Change

Like most solutions to complex enterprise challenges, there is a process component to mitigating insider threats. As in most cases, technology goes hand-in-hand with education and culture, and success is built over time by raising awareness among all employees and educating them on security threats as well as expectations around recognizing and preventing such incidents.

The Insider Threat Spotlight Report referenced earlier revealed that the single largest factor in the rise of insider attacks is a lack of employee training and awareness (62%). Insufficient data protection strategies and solutions (57%) and the proliferation of sensitive data moving outside the firewall on mobile devices (54%) are also named as reasons insider threats are on the rise.

Understanding where threats arise and educating employees on how to avoid common pitfalls will result in a reduction in the number of exploited and careless insiders, which have traditionally been the largest segments of insider threats. Education involves ongoing training, reinforcement of policy and proper procedures, as well as efforts to develop a culture of good data stewardship.

Insider Threat Reduction Starts at the Top

Cyber threats come in many forms, and the insider threat posed by employees, contractors and partners is one that organizations face most frequently. Protection against insider threats belongs not only to IT and security management, but to the entire management team, across all operational areas of a company or organization. Security tools and technologies are constantly improving in support of these efforts, but in the end, successful reduction of insider threat risk hinges on the ability of senior leadership to develop standardized processes and provide education and communication across the enterprise. By example and through education, C-suite executives can create a culture of trusted insiders who take responsibility for secure data management to reduce insider threats.

*****
Sam Chi is Senior Vice President, Discovery Services at FRONTEO. Reach him at [email protected].
