Research has indicated that the majority of information leaks or information losses a company suffers are caused by employees who have no idea they are doing anything wrong or who, in the process of trying to get their job done, intentionally flout data security policies.
Then there are the instances where an employee intentionally distributes or destroys information that is critical to the organisation. This is a different kind of threat in that it is deliberate and aimed at causing the maximum amount of damage. These individuals are likely privy to the organisation's most valuable information and are aware of its vulnerabilities.
Much like the motivation for an employee to commit fraud, there are three main areas of deliberate insider threats:
· Theft for financial gain
· Theft to gain a competitive advantage, sometimes called corporate espionage
· System or data sabotage, usually to “get revenge” or gain attention
With the global recession seemingly continuing, employees are finding it hard to make ends meet. This makes them vulnerable when approached by outsiders to supply information for a cash reward. The types of information sought after by criminals may be of a personal nature, such as bank account details, medical history or contact information. They may use this information themselves to open accounts, take loans, or apply for replacement bank cards or for identity documents to validate their pseudo-identity. If not for their own use, this type of information is traded over the internet in bulk and distributed down the supply chain.
Other types of sensitive information may be specifically requested or could be valuable to an employee in their new position at another firm. Although the term “corporate espionage” reminds us of scenes from Mission Impossible movies, the reality is that the data in demand is often readily available to employees on a day-to-day basis. With web-based email catering for extremely large files and portable storage devices becoming commonplace, the movement of complete customer or product data sets, amounting to hundreds of thousands of records, is made simple.
So let us assume the above is not a concern and all the checks and balances are in place to prevent information from moving outside of the organisation. The insider threat still exists in the form of system or data sabotage. We rely on the data within our systems and the systems themselves to be correct and running 99.99% of the time. The same individuals that we trust to make this happen are able to destroy or shut down, albeit temporarily, these very structures. The result is revenue loss and, depending on the type of business, permanent brand damage.
Consider the following scenario: a senior programmer at an airline company is disgruntled and subsequently suspended. Before his suspension, he places specific code in the airline's system to ensure that a username and password are always available, even when thought to be disabled. He is also aware that the controls governing remote access to the network are poor, and that all that is required to log into the system from home is the username and password of a colleague. The possibilities of what can be accomplished are now endless. The obvious and immediate reaction would be to bring the system down and cause revenue loss and minor brand damage through flight delays. The more sinister and premeditated approach would be to alter the strict maintenance cycles on critical aeroplane parts. If the changes are not detected, it could result in a disaster. If they are, it would send panic through the organisation, resulting in the data itself not being trusted and, if the news were to escape, permanent damage to the brand.
So what can be done to help mitigate these risks? First and foremost, the risks need to be identified and assessed on an annual basis. Failure to do this could result in the company itself being accused of wilful neglect. This type of risk assessment would cover aspects such as:
· Policies and procedures in place for accessing information;
· Hiring practices including thorough background checks;
· Ensuring sensitive information is encrypted when stored and transmitted;
· Blocking the use of web-based email and storage; and
· Disabling the use of portable storage devices.
All of these aspects are critical when dealing with insider threats.