While many data breaches in 2015 were carried out by anonymous hackers, many of the most dangerous one’s were conducted by employees from inside the company, not an uncommon occurrence these days.
Fact be told, the majority of data breaches are caused by insiders, with a recent report by Baker & Hostetler LLP suggesting that around 36% of problems occur due to employee negligence or human error, and another 16% happening through insider theft. Only 22% actually occurs from outside theft, with the rest divided between malware and phishing attacks, which often use insiders to infiltrate an organization.
This year’s insider data breaches varied from international incidents to simply a small-time breach affecting a select number of people. But every event on the spectrum of insider attacks can teach companies a few important ways to identify and mitigate them in 2016.
The most headline-worthy cyberattack this year occurred at Ashley Madison, the website for married people to pursue affairs. Not only was Ashley Madison an insider job, but it was a solo insider job. In other words, all it took to cause the massive scandal was a single ex-employee.
This particular employee is alleged to be a female, and dissatisfaction with the company is what caused her to do what she did. This case highlights an important lesson: keep employees happy. An insider can easily access what even the best hackers would have to truly work to get. So disgruntled, mistreated, underpaid employees are just breeding grounds for future security thefts.
One of the biggest causes of a data breach is authorized users accessing unauthorized information they are prohibited from seeing.
In three separate cases this year, an employee not permitted to examine certain records opened highly personal and confidential files with information that, if released, would have serious ramifications.
A pharmacy employee at California Pacific Medical Center accessed 844 patient records without business purpose. The same thing happened at University of California Irvine Medical Center just a few months later. And an employee of Golden 1 Credit Union in Los Angeles, California, “engaged in unauthorized activity involving member account information.”
The frequency of this type of illegitimate activity proves the importance of limiting the number of employees with access to sensitive information to only the most trusted and necessary workers. This helps prevent breaches of this type from occurring and encourages moral behavior within a company.
A large and rather embarrassing hack from 2015 was the UCLA Health leak of 4.5 million records. This hack released patient names, addresses, Social Security numbers and medical data. Although the attack was orchestrated by an outside group, UCLA Health did not encrypt the compromised files. This is a prime example of insider negligence causing a breach. The organization, which runs four hospitals in the Los Angeles area, confirmed the data was not encrypted, but said there was no evidence data was taken. However, unencrypted data can be much more easily accessed and stolen than protected data.
When most people think of inside threats, they think of hackers and attackers being motivated by malicious intent. Similar to the Ashley Madison case, a few attacks this year were carried out by attackers with intentions to use the stolen data for pernicious purposes.
Twin brothers Muneeb and Sohaib Akhter were recently convicted of taking part in various computer hacking schemes that targeted the U.S. State Department. Sohaib used his contract position with the state department to steal passport and visa information and other sensitive data from the agency’s system. Together with the credit card and personal information of consumers stolen from a cosmetic company’s website in 2014, the brothers sold the data to the black market.
In a smaller case, a CVS pharmacy technician in Imperial Beach, Calif., stole 100 customer records to help her property manager steal credit card information. This plot was clearly a circumstance of using personal information for fraudulent purposes. Although it was on a much smaller scale than the State Department scandal, it still negatively affected customers and added to the narrative of increasing insider attacks.
What Companies Can Do
A company can take many proactive approaches to protect itself from insider threats:
- Limit the people who have access to sensitive data.
- Encrypt data and implement cybersecurity tools.
- Train employees about suspicious malware and other cyber activity.
- Take steps to ensure that former employees cannot still access information.
- Take advantage of user behavior analytic tools that can help you detect insider threats by showing who is accessing data and who most likely poses a risk.
It’s important to take steps to protect your business from breaches, but if you only focus on outside threats, you are ignoring half the problem.