Stop Malware Before Data Breaches Damage Your Business
Data breaches carried out by malicious insiders may be uncommon, but the damage they wreak can be catastrophic if detected too late
This can certainly be true if someone tries to violate access policies. However, in the breaches she has analyzed, Cappelli said, insiders stealing IP are typically after things they have been working on as they prepare to walk out the door for a new job.
“They are typically scientists, programmers [and] engineers, although about 29 percent of them were salespeople who stole customer information,” she said. “But most of them are technical people … who steal what they work on. So, ‘I’m a scientist, I’ve been working on these chemical formulas … I’m a programmer, I’ve been working on this source code,’ and that’s what they tend to steal. They typically do this using authorised access, during normal working hours, at work.”
Most steal the information as they are leaving, within 30 days of their resignation, Cappelli said.
“If you know this person’s resigned, look back 30 days and look at what have they been putting on removable media,” she said. “Look in your e-mail logs and see what [he or she has] been emailing outside of the network, and make sure that you don’t see anything in there that indicates that they may be stealing your IP.”
Fraudsters recruited by outsiders
Fraud cases are typically carried out by employees who stay at the company, as opposed to someone who has been fired or is leaving, she said. These people are typically recruited by outsiders to steal or modify information they have access to for pay, and often hold low-level jobs such as data entry, she added.
The good news, if it can be called that, is that most data breaches involving insiders are not malicious at all. In fact, a November survey of 305 IT decision makers by Forrester Research found that roughly 23 percent had experienced a data leak in the last two years caused by an employee accident, such as a lost smartphone. Meanwhile, only about 10 percent said an employee, customer service representative or business partner stole information or abused access privileges.
“Most insider data breaches are in some way related to a lack of awareness on the part of the employee responsible for the breach,” said Mike Spinney, senior privacy analyst at the Ponemon Institute. “They either did something they didn’t know was risky behavior, violated a policy they weren’t aware of or lacked simple vigilance. Certainly there is always an element of malicious behavior, but for the most part folks are simply doing things without fully comprehending the potential risk.”
Though he eschews the term “insider threat” as being overhyped, Forrester Research analyst Andrew Jaquith said companies need to begin their security strategy by identifying the most valuable data, creating a list of data security risks and examining the balance between corporate policy and compliance.
“Our advice, generally, is that companies need to think holistically about the range of risks to their data, whether they are to ‘custodial’ data like [Social Security numbers] or credit card numbers, or to corporate secrets,” Jaquith said. “The approaches that are needed to secure each are usually very different. Technology can help with the accidental stuff—but it’s harder with malicious cases.”