Jorina van Rensburg, Managing Director at Condyn, shares her insight into how to keep the people who drive your business on the right side of the road.
We have been working on the development of corporate systems to prevent information leakage – DLP (Data Loss Prevention) – for more than 12 years, and we have found that incidents in information security can occur due to the fault of the most respectable employees. This is not because employees are willing to make some extra money illegally, to take revenge on someone, or to access their employer’s client base to start their own business. The reasons why they fall prey to data breach and further suspicion of malicious intent are the neglect of information security rules, excessive trust in colleagues’ integrity and mere recklessness.
According to the Intel Security study, more than half of information leaks take place due to outsider attacks, while 43% of troubles are caused by the employees. Moreover, intruders usually look for information about clients (34%), while employees get responsible for leaking data about their colleagues, and less often is it about exposing their client base (25%). Statistics show that insider info loss happens unintentionally more often than not.
The motives of employees who leak confidential data deliberately are understandable – revenge or profit. When it comes to respectable employees, however, it turns out to be more complicated. Having analyzed the incidents, we came to the conclusion that all “good” employees, who cause trouble, can be divided into three groups.
“Statistics show that insider info loss happens unintentionally more often than not.” – Jorina van Rensburg, Condyn.
This group includes unsuspecting employees who are intentionally framed by one of their colleagues.
Information security specialists helped one of our clients to discover important documents stored locally on a disk by one of the employees who wasn’t allowed to access them. This was a serious violation of internal regulations which required urgent investigation. The employee’s computer appeared to have some software installed for remote control access which he simply didn’t need on his work. The investigation revealed that the employee who was suspected of violations had no clue about the files stored on his computer. The actual culprit was a technical specialist who used the employees computer as a temporary network storage before transferring confidential data to a third party.
The group of employees who become the perpetrators of leaks due to negligence, ignorance or naivety.
44,000 customers of Federal Deposit Insurance Corp. (FDIC) became victims of personal information leakage due to the technical incompetence of the company’s employee who uploaded confidential data to a personal flash drive. Later it turned out that the information wasn’t used outside the organization, however, with the help of special software FDIC was able to track the uploading of corporate information.
According to the Wombat Security 2017 State of the Phish Report, 28% of the employed UK population and 35% of the employed in USA do not know what “phishing” is. In January 2017, a leak of personal data of 4 000 employees happened due to the fault of the colleagues who followed the link with the requirement to fill in the necessary tax forms. The letter which was sent on behalf of the CEO, appeared to be a phishing bait.
3-Skeletons in the closet
Such employees are harmless until something provokes them. Their personal lives hide some “hook” which attackers might want to benefit from. It can be anything from debts, drugs or alcohol addiction to adultery or other private details. Information security specialists put such employees in the risk group, because criminals can use their secrets in order to blackmail members of staff.
Another example. For reasons unknown, the same suppliers were selected by the employees of some company, although the terms and conditions they offered were not the best ones. Information security specialists started with checking the activity of the procurement specialist. The employee was suspected of taking kickbacks but the surmise was negated. However, there was a thing which drew attention of the IS specialists. The correspondence between the girl, procurement specialist, and a male colleague from another department was observed. The sympathy was spotted between the employees. The girl was picking those suppliers from which her colleague received “bonuses”.
Incidents that occur due to “innocent victims” can be detected (and even prevented) only by information security specialists. The “victim”, besides being unaware of what is going on, is ineffective in finding and neutralizing the attacker due to the lack of technical skills and professional knowledge. Employees with “skeletons in the closet” should be controlled permanently. IS specialists tend to react promptly to the incidents originated by this type of employee. The information leakage caused by employees from the second group – happy-go-lucky – happen more often because of their criminal carelessness and negligent attitude towards the basic set of rules.
Let us give some examples:
a) All mine is yours
Information security specialists detected the account activity on the computer of an employee who at that time was on vacation and didn’t have to show up, not even remotely. It turned out that before his vacation that he delegated all the passwords to his colleague (“just in case”), so that he wouldn’t be disturbed with constant inquiries. However, the company’s routine forbade access sharing. The employee’s computer kept confidential information which, in the event of leakage, would lead to serious financial and reputational loss. The company managed to avoid the data breach, though the incautious employee was warned about possible threats and instructed about his future conduct.
b) Innocent request for technical assistance
Which corporate information is kept on the computer of which employee? You can learn this even by accident, for example, through an email sent by some employee while asking for technical assistance. According to the Winnipeg Free Press, the leaked data of 3 700 employees was discovered when one of the colleagues sent the email containing the information while making a request for technical assistance.
c) Force majeure
A Whitehead Nursing Home employee suffered a home burglary that caused his employer to pay a 15 000 pounds fine. He had taken his corporate laptop home, containing unprotected information, and this was stolen when his house was robbed. According to the BBC News, confidentiality of the data referring to 46 employees and 29 patients was violated.
According to the SolarWinds survey, the majority of unintentional info breaches occur due to phishing, copying data to unprotected devices, loss of storage devices or using personal hard drives, accidental deletion or modification of information, use of corporate passwords outside the internal network, neglect of protection systems updating, incorrect configuration. According to the survey among federal agencies conducted in 2017, there was an increase in deliberate insider leaks – 29% vs 22% in 2016. Nevertheless, 44% of respondents indicated that unintentional leaks are the main threat to information security.