Colossal data breaches have grabbed the nation’s headlines for the past couple of years. Each incident prompts solemn corporate pledges to do everything possible to prevent a recurrence.
However, the cycle of alarm, dismay and reassurance, along with the hasty measures that typically follow, is now almost ritual. The response to violations of data formerly considered secure has morphed from shock to shrug. Attacks on institutional and corporate databases have become the new normal, and a generation of workers accustomed to information sharing has grown numb to the negative consequences.
Most of the high-profile attacks on corporate data centers and institutional networks have originated outside of the victimized organizations — in many cases from halfway around the world. But the network openings that allow outside cyber attackers to burrow in, infect databases and potentially take down an organization’s file servers, overwhelmingly originate with trusted insiders.
In some cases, those insiders are driven by malicious intent — the desire to enrich themselves through the sale of sensitive data or to retaliate for a perceived slight or mistreatment. There are also cases where a company’s third-party contractors, vendors or temporary workers — essentially privileged users — have been responsible for their client’s network breaches, either through malice or by accident.
However, according to a worldwide survey of Information Security Forum (ISF) members, the vast majority of those network openings were created innocently through accidental or inadvertent behavior by insiders without any intention of harming their employer. In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly run-of-the-mill task like taking files home to work on in their own spare time.
When it comes to sensitive health-care data, according to the U.S. Department of Health and Human Services Office for Civil Rights, the top five breaches for the first few months of 2016 didn’t even involve malicious IT hacking. Instead, theft, loss, improper disposal and unauthorized email access or disclosure were behind the largest incidents of 2016.
There are three types of risky insider behavior, each requiring a different approach:
Malicious: Malicious insider behavior combines a motive to harm with a decision to act inappropriately. For example, an employee who keeps sensitive proprietary information after being terminated and turns it over to a competitor.
Negligent: Negligent behavior can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognize the importance of compliance, their workarounds can be risky.
Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones. According to Verizon’s Data Breach Investigations Report, accidents accounted for almost 30 percent of information security incidents in 2015.
A loyal employee’s weekend work on a confidential company document downloaded over their local Starbucks’ Wi-Fi can expose the user, as well as their employer, to anyone within range who wants to eavesdrop on the employee’s session and gain access to sensitive files. The same applies to moving data over consumer-grade FTP services, responding to authentic-looking phishing messages, careless password management, misplacing devices containing privileged information, visiting an infected website or opening a Trojan horse, that is, malware disguised as an attachment to a seemingly normal email. A typical accidental breach might involve misspelling an email address which, combined with the email client’s autocomplete feature, ends up sending a message and its attachments to the wrong person.
All of that has happened — and it continues to happen with such frequency that it has largely resulted in public fatigue over data leaks. That tedium, however, is not shared by information security professionals, for whom popular indifference only compounds an already thorny problem, one that grows more challenging each year. Frequent, well-intended admonitions urging employees to take security seriously by creating strong passwords, studying policy documents and otherwise doing the right things are too often given lip service or overly broad interpretations.
Boilerplate email disclaimers warning recipients to immediately delete the message if they are not the intended recipient are routinely ignored. Lists of hard-to-remember and frequently changed passwords are typically written down and kept within easy reach of the person’s computer. The distinctions between work and personal information kept on employee mobile devices, as well as the employer policies that govern them, are increasingly hazy.
Bring Your Own Device (BYOD) policies create a persistent challenge. Social media use has extended from individuals communicating with one another to organizations interacting with customers, investors and other constituents on a real-time basis. Yet even information about employees gleaned from personal social media sites can give a patient hacker the ammunition needed to plan an attack. An Accenture paper on social media quotes the head of privacy and information management at a major bank who says, "The biggest risk for me is our employees disclosing information about our clients on social media."
Hard data on the incidence of non-malicious disclosures by insiders is difficult to come by, largely because much of it never gets reported. We suspect the main reason is that in many cases the employee’s inadvertent disclosure — although often a clear breach of written policy — never resulted in any harm. Most people who unexpectedly receive an email with a long file attachment containing other people’s financial, health or legal information would probably be puzzled and recognize that it was sent in error. So the data, however sensitive, would never amount to anything more than a curiosity.
But those are not the examples companies typically worry about. The cases where unintended breaches really matter are those where a security gap — created either by trickery or by mistake — is recognized and exploited by someone bent on monetizing the proprietary information they have been able to capture, either through sale or by ransom. Wholesale opportunities to sell stolen data are available worldwide through a dark network of shady internet sites. The surreptitious online transfer of files, including credit card numbers and corroborating information, is a robust business valued at $120 billion a year, according to CreditCards.com.
The Human Element
Combating the wholesale theft of data by limiting the kinds of inadvertent actions that could lead to its misappropriation should be a priority for every organization. Investment in technologies that help prevent intrusions and protect data from attackers — and there are many such options available — is essential. Management controls, including segregation of duties, periodic reassessment of privileges and audits, are also important.
But the most fundamental element of threat is deeply human. It starts with the proper vetting of employees, looking for signs that the individual has not, in the past, been a responsible steward of information entrusted to them. Applicants whose records raise questions about how they have handled information should not be brought on board.
Even so, the temptation to categorize job applicants as either good or bad is naive. While people who have shown themselves to be untrustworthy in the past would almost certainly make poor choices, even good people have the capacity to willfully misuse their data privileges. Particularly when someone feels as though they have been mistreated, disrespected or abused, an otherwise trustworthy person could develop the motivation as well as the ability to retaliate. So an important part of the solution is to avoid putting employees into situations that are likely to undermine their trust and engender resentment.
The Trust Factor
In fact, cultivating a culture of trust is likely to be the single most valuable management step in safeguarding an organization’s information assets. After new employees have been satisfactorily screened, continue the trust-building process through onboarding by equipping them with the knowledge and skills required of trusted insiders. Expectations of trustworthy behavior — and the consequences of noncompliance — should be made explicit from the outset. Over time, trust should remain an important factor in periodic performance reviews, including the provision of mechanisms for anonymously reporting suspicious workplace behavior.
Above all, a culture of trust built on shared values, ethical behavior and truth begins at the top of any organization. The conduct of senior management sets a tone that reverberates from the C-suite to the shop floor. Having a culture of trust affects more than just information security; it is also fundamental to the organization’s prospects for future success.
Steve Durbin is managing director with the Information Security Forum. His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. He was formerly a Gartner analyst. Reach him @stevedurbin.
This article originally appeared on Recode.net.