Insider Threats

In this section:

Employee cybersecurity knowledge is a key component of your defense

62% of cybersecurity professionals feel vulnerable to insider threats51

Bottom line: It takes one inadvertent click to expose your entire network to vulnerabilities

In June 2015, an employee at an Australian grocery chain sent an e-mail to 1,000 customers. Just doing their job, right?

But that e-mail mistakenly included an Excel spreadsheet with customer information and redeemable codes for close to 8,000 gift cards.

The result: The company had to cancel over $1 million in gift cards. Worse: customers' email addresses and names were exposed by the breach.52

Sometimes, your own employees or contractors can pose risks every bit as great as outsiders. In fact, some 32% of respondents to a global survey called insider crimes a more costly or damaging hazard than outsider threats.53

Malicious insider threats may be an employee, contractor, or vendor motivated by politics, revenge, greed, or basic corporate espionage. Unintentional risks created inside your company tend to be mistakes, such as someone opening a spear phishing email, plugging in a thumb drive that hasn't been security screened, or falling victim to a clever bit of social engineering by a smooth-talking con artist.

The cold hard reality is too many executives haven't given insider threats a second thought. Despite their legal responsibility for security,54 many board members do not evaluate insider threat information. In this report, we highlight some of the most critical risks posed by insiders.

Malicious Insider Risks

No one could exactly put their finger on it, but there was something just a little, shall we say, shy about one of the network managers working at the regional headquarters of a state government agency. When his superiors eventually asked AT&T to investigate, their worst fears were confirmed. For months he had been quietly sifting through his company's official databases for embarrassing information about people who tormented him in high school and was using it to blackmail them.

Revenge. Disgruntled employees can be a greater than expected menace. In 2012, for example, a technician at an oil and gas firm disabled all of the company's servers by returning them to their original factory settings shortly after discovering that he was about to be fired. He was eventually sentenced to four years in Federal prison and forced to pay $528,000 in restitution and fines, but only after the damage was done — at least $1 million to recover lost data, lost staff time, and costs for restoring those servers.55

Money. Criminals will pay insiders handsomely for confidential data. In one heavily publicized 2011 incident, an employee at a major financial institution sold customer information including names, bank account numbers, and PIN codes to outside criminal groups who subsequently used it to commit $10 million worth of fraud.

Whistleblowers. According to Ethical Systems, an ethical standards research firm, most whistleblowers act because they felt supported by managers and coworkers; they believed something would be done; and they were able to report anonymously. But sometimes, it is about the money. In 2014, for example, an insider whistleblower at a leading U.S. bank received $64 million from the Federal government for providing information about questionable mortgage insurance practices that led to a $614 million settlement with the Department of Justice.56

Hacktivism. Politically-motivated security attacks generally originate with outsiders, but Chelsea (nee Bradley) Manning, the soldier who disclosed hundreds of thousands of sensitive government documents to activist organization WikiLeaks, proved that activist insiders can do even more harm.57

Espionage. Patriotism, rather than greed, can inspire insiders, too. In 2011, for instance, a research scientist at a global chemical manufacturer pled guilty to sending $300 million worth of trade secrets to recipients in his native country.58

Business Advantage. Employees looking for a head start at a new job often take customer records and intellectual property with them on their way out the door. In some studies, as many as one in four people have admitted that they would attempt to take data even though they know it's against the rules.59

Industry trends: Malicious insiders

Malicious insider threats impact every industry, but in different ways.

Financial services. Fraud is among the biggest insider risks faced by financial institutions. Employees at numerous firms have capitalized on poor security strategies to rob account holders and engage in insider trading. The consequences can be dire: Fraud contributed to 41% of credit union failures between 2004 and 2014.60

Manufacturing. Product designs, research and development projects, and other forms of intellectual property are tempting targets for ill-intentioned insiders. In one high-profile incident in 2013, a senior executive at a major computer chip manufacturer copied 8,148 files,61 including top-secret licensing documents, onto a laptop shortly before resigning to take a job at a competing firm. When he walked out the door, he took with him years of work and research, and damaged the company's competitive abilities.

Retail. Major retailers, long subject to basic merchandise theft, now struggle with cyberattacks from within. Many of the most publicized hacks have highlighted the difficulty retailers have securing their large number of employees, both full and part time.62

According to researchers, insider theft of IP is significant. The impact was over $100,000 per incident in 71% of insider theft cases and over $1 million per incident in 48% of cases of IP insider theft.63

Government. Government insiders also engage in embezzlement and other types of fraud. In one case, two employees of the New York State Department of Motor Vehicles collected $1 million selling counterfeit drivers licenses to buyers who included people on the TSA's “no-fly” list. In another case, the treasurer and comptroller of Dixon, Illinois was convicted in 2013 of siphoning an astounding $54 million from public coffers over a 22-year period.63

Unintentional Insider Risks

The email certainly looked like the real thing. Received by a boutique financial services firm with high net worth clients, it included a long-time customer's name and email address. It sounded legitimate, filled with personal details. So when the sender concluded the message by requesting a $100,000 transfer to an overseas account, it never occurred to anyone to question it.

Until the real client called two weeks later wondering why all that money was missing.

The thief used a combination of a disguised email address and data gleaned from the client's social media accounts. That turned an experienced investment manager into an unwitting accomplice to a six-figure heist.

Intentional insider attacks grab most of the headlines these days, but incidents involving unintentional insiders can be just as dangerous. When asked by security analyst firm The Ponemon Institute in a June 2015 survey to name their employer's biggest user-based threat, 41% of respondents named negligence versus just 30% who cited malicious attackers.65

Know the term:

Shadow IT

Third-party applications and other resources used by employees for business without IT department approval.

Multiplying risks

Ironically, many of the same technologies and practices organizations are using to raise productivity and strengthen customer relationships are giving employees new ways to compromise security as well.

Shadow IT. A typical knowledge worker in your firm just wants to get her job done. And sometimes, the best way to do that is using a cloud-based application. She just opens a browser window, logs on and gets to work. The problem is, there's an 8 in 10 chance the Software-as-a-Service application that makes her so productive was not approved for use by her company and IT has no awareness or control over the data stored there.66

Mobility. Employees who place sensitive, unencrypted information on their mobile devices expose organizations to multimillion dollar regulatory fines and even more costly harm to their customer loyalty, intellectual property, and public reputation. Bring Your Own Device policies are magnifying mobility-related risk by distributing data across a wider array of devices under less direct IT control. For example, lost or stolen laptops lead to 68% of the data breaches in the healthcare field.67

Social Media. Social media sites are powerful workplace tools for connecting with co- workers, business partners, and customers. Unfortunately, they're also convenient vehicles for accidentally broadcasting company secrets to a global audience. Spear phishing emails often contain personal information gleaned from social media postings.

Old-Fashioned Risks. Well-meaning insiders continue to compromise confidential data in more traditional ways. Employees still fall victim to phishing attacks, in which hackers use phony emails and websites to dupe unsuspecting people into exposing passwords, account numbers, and other valuable information. Some 31% of respondents to a recent cybercrime survey say their company fell victim to at least one phishing attack in 2014. Why? Nearly 40% of employees admit opening suspicious emails.67

Industry trends: Unintentional insiders

Every industry experiences negligent insider hazards, but the type and degree of those risks can vary significantly. While smaller companies often believe they have less exposure, data accumulation has become an issue for every business in every industry. Customer transaction records, including regulated credit card data, quickly grow into databases filled with hundreds or thousands of megabytes.

Healthcare. Two facts explain why hospitals and insurers are among the most common victims of unintentional insider security incidents: Their databases are packed with confidential and highly-regulated patient records, and the doctors and nurses accessing those records generally have little security know-how and even less time to acquire it. Medical data is highly prized by phishing attackers,70 who can use it to buy or steal drugs or file fraudulent insurance claims. Unlike credit card numbers, healthcare information is a durable resource. You can cancel a stolen credit card pretty easily, but canceling your medical history is nearly impossible.

That's why stolen health credentials can go for up to 50 times the value of a U.S. credit card number.71 That contributes to the high cost of a data breach for healthcare.

Financial Services. Financial institutions are on the receiving end of even more phishing attacks than healthcare providers. Financial and payment services accounted for 59% of phishing attacks in 2014.72 Lately, criminals have been more frequently targeting middle managers, who tend to be older and less tech- savvy than the Millennials working for them.73

Government. Federal, state, and local government agencies are especially avid users of contractors. The U.S. Department of Defense alone issued security clearances to almost a million people not on its full-time payroll as of 2014, according to a study by the U.S. Government Accountability Office.74

Technology Firms and Practices. Programmers often leave vulnerabilities in new code due to lack of review and testing time. Reused code from software built before more stringent security testing procedures can lead to trouble. IT administrators often create security gaps by creating software to perform jobs automatically, bypassing security controls, leaving default passwords on equipment, and deviating from security policies because of time constraints or taking short cuts.75

“Lifecycle support of systems and services is necessary. Find and get rid of old, unneeded systems.”

Rich Shaw, Jr.
AVP Network Services AT&T

Best practices: Malicious Insiders

Already a huge problem, malicious insiders will only grow more numerous and dangerous in the years ahead. These steps can help you combat them.

Strengthen Your Security Foundation. Focus your team on the basics first. A surprising number of organizations leave themselves exposed to internal threats simply by neglecting simple security practices. Cancel a departing contractor or employee's network privileges immediately after their last shift. Change passwords on systems the ex-worker accessed. Cancel their physical access cards or badges. Assign access rights to sensitive information on a need-to-know basis only.

Change passwords on systems the ex-worker accessed. Cancel their physical access cards or badges. Assign access rights to sensitive information on a need-to-know basis only.

Make Security Everyone's Responsibility. Employee training helps turn employees into a malicious insider early warning system. Adopt the “If you see something, say something,” attitude for users, and reinforce that everyone follows security procedures. This responsibility also applies to all executives and board members.

Break Down Organizational Silos. Demand security teams have full access to all data and records in all departments and divisions. Hackers count on bureaucratic inefficiency and barriers between groups. Take that advantage back from the malicious insiders. Break down barriers by forming joint task forces and increase the ability to identify and eliminated insider threats.

Invest in Behavioral Analytics. Big Data tools can help sniff out activities by malicious insiders. Monitor user IT activity, look for abnormal patterns, and investigate suspicious actions. An employee arriving two hours earlier than usual may not be a coincidence.

  • Strengthen Your Security Foundation
  • Make Security Everyone's Responsibility
  • Break Down Organizational Silos
  • Invest in Behavioral Analytics

Short-term access,
big-time risk

In June 2015 hackers stole data on 4.2 million current and former employees of the U.S. Office of Personnel Management. They hacked the system through a third-party that did background checks for the government.

Verify the security processes of your vendors.

While hiring temporary help can pay financial dividends those come with an unavoidable tradeoff in the form of heightened security dangers. Contract laborers can be an even bigger source of insider risk than full-time employees. Short-term workers typically have network accounts and access to sensitive data just like everyone else. But they're monitored less carefully, receive less security training, and often use devices brought from home or provided by a temp agency that are harder for IT to secure.

Looking ahead: New potential threats

Several emerging technologies and trends are expected to give malicious insiders dangerous new avenues of attack in the future:

The Internet of Things. An estimated 50 billion “things” ranging from sensors in cars and traffic lights to utility meters and household appliances will be sharing data over the Internet by 2020. Data may grow tenfold to 44ZB over that time.76 Those small sensors can be harder to secure than bigger, more sophisticated devices like PCs and tablets, and their growth will give malicious insiders a host of new ways to engage in sabotage and hacktivism. Bottom line: More but less complex devices mean more potential security gaps to manage.

Cloud Computing. Public cloud computing has become standard business practice for many businesses today, forcing you to rely on third party providers for part of your data security. The explosion of mobility and widespread use of personal devices for work asks you to balance the increased risk from user devices with the proven productivity benefits. Verify that all links to cloud storage and applications connect over secure and managed networks.

Mobility, and Bring Your Own Device (BYOD). The explosion of mobility and widespread use of personal devices for work will force you to balance the increased risk from all those devices with the proven productivity benefits.

Big Data. Although Big Data tools are already widely used within large organizations, the scale and number of Big Data deployments is set to grow enormously in coming years. Unfortunately, the tools those deployments rely on to distribute massive amounts of sensitive information have few built-in security safeguards, making them vulnerable to insider misuse.

Looking ahead: Emerging risks

Several developments over the years ahead will turn unintentional insiders into an even greater danger.

Extended Supply Chains. As businesses continually optimize their logistics, organizations are linking their internal business systems with their suppliers through the Internet. In the process, they're also putting more data in the hands of more insiders at more companies whose security practices and policies are beyond their IT departments' control.

Home Health Monitoring Devices. Home healthcare devices empower caregivers to shorten hospital stays and reduce emergency room visits by remotely monitoring recent patients and chronic disease sufferers. However, due to lack of understanding of proper security procedures, the user may create unintentional vulnerabilities when using these devices.

“There is a black market for data and information that leadership needs to be aware of. This underground trade has culminated into a large, adversarial economy. Cybersecurity strategy can't ignore this presence today or tomorrow as it will continue to grow.”

Jason Porter
VP of Security Solutions AT&T

Best practices: Unintentional insiders

In the case of unintentional insider risks, some of the most effective steps you can take involve changing policies and procedures rather than deploying new tools.

  • Train Your Users
  • Share the Security Responsibility
  • Employee Buy-in for Security Starts at the Top
  • Enforce the Rules
  • Don't Ban Shadow IT, Manage It
  • Evaluate and Monitor Your Suppliers

Train Your Users. Offering mandatory annual or semi-annual security awareness courses to teach people how to avoid phishing attacks and use social media safely, among other things, is a good starting point. And shockingly underutilized: Only half of the business and security executives surveyed in 2015 said they conduct periodic employee security training.77

Share the Security Responsibility. Follow the ISO 27001 recommendation to create a steering group that includes members from across your organization, including leadership. The “Information Security Management System Roles and Responsibilities”78 is a good place to start. The national Institute of Standards and Technology also provides best practice guidelines.

Employee Buy-in for Security Starts at the Top. CEOs, board members, and top executives should lead by example. They need to embrace the policies, talk about them in ways employees will understand, and practice what they preach.

Enforce the Rules. Accompany your security training efforts with prompt and highly visible enforcement of your security policies in the form of fines, terminations, or both. Rules and policies around system access and authentication are critical.

Don't Ban Shadow IT. Manage It. Find out why business units buy cloud services on their own, and find more secure ways to address those issues. If getting new solutions through IT takes too long, for example, streamline your procurement process and accelerate application development.

Evaluate and Monitor Your Suppliers. Prevent a supplier's employees from endangering your data and intellectual property by assessing their security and compliance practices before and while doing business with them.