In the past year, 77% of data breaches involved an insider, according to Verizon.
From disgruntled employees committing sabotage to innocent mistakes, humans are one of your organization's greatest information security risks. In fact, a shocking number of high-profile data breaches in recent years have occurred because of employee behaviors.
While it's crucial for information security pros to understand human vulnerabilities, the root cause of data breaches isn't always as simple as human action. In many cases, a combination of technical, policy, and human failures can contribute to an incident with data loss.
While the majority of data breaches are caused by human error rather than malicious intent, there are frightening examples of both. We've included a mixture of intent and impact in this roundup of insider-caused data breaches with massively expensive outcomes.
1. Snapchat
Snapchat fell prey to a whaling attack back in late February 2016. According to the Washington Post, a social engineer with criminal intent posed as CEO Evan Spiegel and sent an email to someone in the social network's payroll department. As a result, the personal protected info (PPI) of some 700 employees was released.
Snapchat published a company blog post stating they were "just impossibly sorry" for the breach and taking appropriate action with the FBI and other investigative bodies.
2. City of Calgary
An employee of the city of Calgary, Alberta, accidentally leaked the personal information of 3,700 employees in June 2016, according to the Winnipeg Free Press. The information was exposed when the employee sent it via email in the process of asking for technical assistance.
3. EnerVest
A network engineer at West Virginia's energy company EnerVest committed data sabotage after learning he was going to be terminated. CIO wrote in 2014 that Mitchell reset all network servers to factory default settings and disconnected remote backups. The news story further states that Mitchell faced criminal prosecution for the attack, which resulted in EnerVest being unable to conduct operations for 30 days and cost in excess of $1 million.
4. Whitehead Nursing Home
Whitehead Nursing Home in Northern Ireland was recently fined some 15,000 pounds by the Information Commissioner's Office (ICO) for negligence in a data breach, according to BBC News. An employee took home an unencrypted work laptop, which was later stolen in a home burglary. The news story states that protected data on 46 employees and 29 patients was exposed.
5. HM Revenue & Customs
In perhaps the most expansive data breach to date, the protected information of 7 million families in Great Britain was lost in the mail. The Guardian wrote in 2007 that two password-protected digital disks containing the details of every child and family in Great Britain subject to benefit payments were mailed to another government agency but never arrived.
6. Korea Credit Bureau
A staggering 40% of South Korean residents were impacted by a long-running theft incident caused by an employee of the Korea Credit Bureau in 2014. CNN wrote in 2014 that 20 million residents of the country were affected, which is partially due to a high instance of consumer credit card usage among citizens. The news report states that over a period of several years, a credit bureau employee copied protected data onto an external disk.
7. Sage
A 32-year-old employee of UK-based payroll company Sage deliberately committed data theft with presumed intent of fraud, according to a recent report by Fortune. The suspect was recently arrested at London's Heathrow Airport. The news story states that stolen data included bank account information and salaries. At the time of writing, no reports of insider-outsider collusion have been released, indicating it could be a true single-actor incident.
8. Submarine Data Leak
A disgruntled employee exposed the protected details of India's new Scorpene submarines in a complex data breach that involved multiple governments, employees, and contractors. According to Defense News, some 24,000 pages of classified information were exposed. The news story relates that a terminated employee chose to copy data to a disk, mail it, and eventually share it with a journalist.
How to Prevent Employee-Caused Data Breaches at Your Organization
These examples of incredibly costly employee-caused data breaches are varied. While some resulted from disgruntled employees' desire to sabotage their employer, others were as innocent as requests for technical support.
Humans can be risky. However, security professionals can understand their own role in managing employee risks. If you treat device loss as inevitable, device encryption and monitoring can reduce the risk of losing data in a car or home break-in. Similarly, smarter policies and guidance on seeking tech support, the transmission of data, and whaling risks can reduce your chances of innocent mistakes.
By recognizing humans as a likely point of failure in security, those in IT can bring their policies, technical safeguards, and monitoring processes up to speed.
Human error is inevitable. However, the right attitude and action can ensure you're not subject to costly fines or public embarrassment.
Can File Integrity Monitoring Prevent Employee Data Breaches?
IT pros need to understand the difference between file integrity monitoring and other software that can introduce risk and the tools that can mitigate it. If you're ever dealing with an employee with privileged access and criminal intent, some file integrity monitoring solutions can enable criminal activity by allowing audit trails to be turned off or modified.
Your organization needs advanced tools for a culture of accountability and total oversight. By investing in agent-based file integrity monitoring with uneditable audit logs, you can understand the source of every action taken on your network in real time.
To learn more, we recommend The Definitive Guide to File Integrity Monitoring.
October 18, 2016