talks to Guy Eilon, country manager of Forcepoint
about the rise of insider threats and what HR professionals can do to address them.
How significant is the rise of insider threats?
The term ‘insider threat’ is a nod to the growing understanding that internal data security deserves as much, if not more attention than those external threats we know and fear. While high profile data breaches through external hacks are often those that make the news, the reality is that the majority of data breaches fly under the radar.
Research from Forcepoint has revealed that almost all (94%) of top ASX listed companies and government bodies have been exposed to an internal data leakage in the last year. Over half of these businesses do not feel confident in protecting themselves against this type of threat.
According to a global report by IBM
, around 53 million security incidents took place last year alone. While the headlines would lead us to believe that these are due to sophisticated cybercrime from foreign adversaries, over 60 percent of these incidents were in fact due to the company’s biggest asset: their employees.
So the term ‘insider threat’ encompasses a number of threats which stem from internal vulnerabilities including by accidental leakage – whereby an innocent employee leaves sensitive data lying around, from social engineering – when an employee falls victim to a phishing scam, or a purposeful leakage – when an employee has a specific motive to steal sensitive data.
Human error remains a significant contributor to the cause of these security breaches, with 66% of survey respondents stating they have been exposed to an accidental insider threat; 39% of participants have been exposed to a socially engineered insider threat; and 32% have been exposed to a purposeful or malicious data leakage.
There are plenty of examples of large scale internal leaks to point to, however as an example of just a few across various industries, and in various forms, see below;
What are some recent examples?
(2016) Red Cross Blood Service: 550,000 blood donor data was accidentally published to the public. Data included names, gender, address, date of birth as well as information on “at-risk sexual behaviour”.
(2015) Australian Immigration Department: An employee of the Australian Immigration Department inadvertently shared the passport numbers, visa details and other personal identifiers of all world leaders attending the G20 Brisbane summit to the organisers of the Asian Cup football tournament. Victims included Barack Obama, Vladimir Putin, Angela Merkel, Xi Jinping, Narendra Modi, Shinzo Abe, Joko Widodo and David Cameron and many more.
(2013) Vodafone: Using privileged insider access, an IT contractor for Vodafone copied customer names and bank account details of two million customers from a server located in Germany.
(2016) Mossack Fonseca (Panama Papers): 2.6TB of data on politicians, criminals, professional athletes etc leaked from law firm Mossack Fonseca, including emails, contracts, scanned documents and transcripts with a total of roughly 11.5 million documents.
How bad can these threats potentially be?
Insiders pose significant danger to organisations due to their privileged position within an organisation. Often trusted with valuable data, insiders face fewer barriers when accessing sensitive organisational or customer information, and often less oversight on their use of it.
This deep access and frequent interaction with data can mean that data breaches, even if unintentional, can occur if the data is not handled and monitored carefully.
The damage to business can be significant. A Ponemon Institute and IBM survey found that the average cost of an Australian data breach was A$2.82m.
What are the key points HR professionals need to know about these threats?
HR professionals need to be aware that there are a number of factors that need to be considered in order to effectively counter the insider threat.
Firstly, staff training can help reduce the instances of accidental and socially engineered data breaches. Training employees on how to maintain safe data practices is a great way to improve overall security. Staff should learn to recognise and report a phishing scheme email; understand the importance of separating work and personal technology use, including the dangers of third party apps; and of course, take seriously the importance of having unique and complex passwords across various platforms.
Beyond training however, there are technology solutions that also form part of an effective data protection program. New to market tools are capable of using computer learning to recognise abnormal employee behaviour, identify any potential threats, and record those actions to produce a court-admissible piece of evidence in the form of a playback video, for prosecuting illegal and malicious actions.
Overall, however, HR professionals need to develop an understanding that data security is an issue for more than just the IT department, the CIO or the CSO. This is a concern which greatly implicates recruitment
and training, and should involve active participation from every staff member.
Former Channel Seven employee leaks sensitive information
How the employment contract can prevent information theft