On November 2, 2011, the day before a G-20 conference of world leaders was slated to open in Cannes, an FBI agent unwittingly left a folder on the counter of a Lebanese restaurant. It was an ordinary-looking binder, and the restaurant’s proprietor quickly realized that one of his guests must have left it behind. So he opened the folder to determine its owner and was astonished by what he was seeing.
It contained meticulous plans of the fifth floor at the prestigious Carlton Hotel, the floor where President Obama was scheduled to stay during the conference. Beyond that, it included details about each of the president’s travel routes starting from his arrival at Nice Côte d'Azur Airport through to his departure. It was precisely the sort of information that an aspiring assassin would have killed for.
Inside or Outside?
The agent’s inadvertent leak, while potentially grave, was actually not that unusual. In fact, accidental data breaches by people entrusted with sensitive information are both more frequent and of greater concern than either acts of overt data theft or of sabotage originating from outside. While estimates vary, more than half the incidents reported in 2014 were a direct result of insider behavior. A recent survey of IT professionals by Kaspersky Lab determined that 29 percent of all businesses had reported accidental disclosures by insiders as their single largest source of lost data – bigger than either software vulnerabilities or outright theft.
While many of those accidents produced no real damage, others resulted in significant financial penalties, intrusive scrutiny from regulators, and serious damage to the organization’s reputation.
Ironically, though, the concern that preoccupies data security professionals at most organizations today has to do with thwarting deliberate, malicious attacks by outsiders – not with preventing accidental breaches from within. That’s understandable, and there are good reasons for paying attention to malevolent outside threats. Sony Pictures, believed to have been hacked by North Korea, perhaps with insider help, offers an emphatic case in point.
But there are also compelling reasons to focus more attention on the threat of inadvertent disclosures originating with trusted insiders. And that threat continues to grow, accelerated by the proliferation of mobile devices, hyperconnectivity, faster employee turnover and eroding workplace loyalty. Preventing it, however, involves more than simply tracking down a few bad apples.
Understanding Impact and Likelihood of Insider Threats
To understand the risk posed by insiders, ask yourself what happens when employees break trust, and how likely such incidents are in your organization. Start with privileges.
Most workers need privileges to perform their roles responsibly. A payroll manager, for example, has an obligation to ensure employees are paid the correct amount, which in turn requires access to sensitive salary information.
That privilege should be accompanied by technical and management controls so access to payroll data is restricted to authorised individuals, reducing the likelihood of fraud. But privileges require a degree of trust. So the payroll manager is trusted not to divulge salary data maliciously, to store it negligently, or to accidentally email it to inappropriate recipients.
The Information Security Forum (ISF) has identified three types of risky insider behavior:
Malicious: Combines a motive to harm with a decision to act inappropriately, such as an employee keeping sensitive proprietary information after termination and providing it to a competitor. Whistleblowing is also intentional, but the intent tends to be based on ideology.
Negligent: Can occur when people look for ways to avoid policies they feel impede their assignments. While most recognize the importance of compliance and have a general awareness of security risks, their workarounds can be risky.
Accidental: More common than malicious acts, according to most ISF Members. They involve almost 30 percent of the information security incidents in Verizon’s 2015 Data Breach Investigations Report, which identified the top categories of miscellaneous errors as misdelivery, publishing error and disposal error.
Inadvertent Leaks
Two of the three categories are unintentional. With negligence, an employee might knowingly work around a company’s data security policy, but usually for good reason, like taking work home to meet a deadline. However, doing so unintentionally exposes sensitive information. While negligent behavior isn’t motivated by malice, it involves a conscious decision to act inappropriately. Examples include a worker transferring documents through a consumer-grade file hosting service that later gets hacked, or saving them to an unencrypted thumb drive, tablet or laptop that is then misplaced.
With accidental breaches, the individual has not made a conscious decision to act inappropriately. A “fat finger” error would be a classic example, where an accidental keystroke – sometimes magnified by a computer’s eager-to-help autocomplete feature – ends up sending an email and its attachments to the wrong address.
Mistakes will continue to happen. But can anything be done to reduce their unintended consequences? We’ve found that it can. Part of it is operational. The rest is behavioral.
On the operational side, this means assessing the value of the information that insiders are being trusted to handle, then implementing controls that align information sensitivity with individual job requirements. Formulating and rehearsing standby plans to handle potential disclosure incidents – not unlike fire drills – is an important element of those measures.
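As an added illustration, not part of the original article, of the operational controls just described: a small outbound-sharing check that ties a document's sensitivity label to the sender's role (the payroll example above) and flags the kind of autocomplete misdelivery described earlier. The roles, labels, corporate domain and approved external domains are assumed values constructed for the example.

```python
from difflib import SequenceMatcher

# Sensitivity labels, least to most restricted (constructed example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Highest label each role may handle; mirrors the page's payroll manager example.
ROLE_CLEARANCE = {
    "payroll_manager": "restricted",
    "hr_generalist": "confidential",
    "intern": "internal",
}

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain
# External domains approved per label (e.g. an outsourced auditor); assumed values.
APPROVED_EXTERNAL = {"confidential": {"auditor.example.net"}}


def check_send(sender_role, label, recipients, known_contacts):
    """Return findings for an outbound message carrying data labelled `label`.

    An empty list means the send is allowed. Each finding names one problem:
    the sender's role is not cleared for the label, an external recipient is
    not approved for the label, or an address looks like a near miss of a
    known contact (the "fat finger" / autocomplete misdelivery pattern).
    """
    findings = []
    clearance = ROLE_CLEARANCE.get(sender_role, "public")
    if LEVELS[clearance] < LEVELS[label]:
        findings.append(f"role {sender_role} not cleared for {label} data")
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain == INTERNAL_DOMAIN:
            continue
        # External recipient: only public data, or a domain approved for this label.
        if label != "public" and domain not in APPROVED_EXTERNAL.get(label, set()):
            findings.append(f"{rcpt}: external recipient not approved for {label} data")
        # Misdelivery heuristic: an external address that closely resembles a
        # known contact is more likely a typo or autocomplete slip than a new contact.
        for known in known_contacts:
            if rcpt != known and SequenceMatcher(None, rcpt.lower(), known.lower()).ratio() > 0.85:
                findings.append(f"{rcpt}: looks like a near miss of known contact {known}")
                break
    return findings
```

The heuristic threshold is a starting point to tune against your own address book; a real deployment would block or hold the message for review rather than only report.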
Culture of Trust and Awareness
Even then, what is fundamental to the success of any organization’s information policies and controls – including carefully-crafted and well-rehearsed ones – is its culture. Securing understanding, trust and support from the company’s own employees is essential. Recognizing the value of information they’ve been entrusted with must become a basic tenet of the company’s culture, and everyone needs to understand their personal stake in the organization’s success.
That sort of trust and engagement doesn’t automatically flow from occasional CEO memos or scripted pre-shift pep talks. It comes from the example set by senior management in living out best practices. Trust is earned. The actions of CEOs are constantly being watched, rumored and whispered among employees at every level of an organization. What they see and what they say can either reinforce or undermine the company’s formally stated principles.
When employees experience their senior managers behaving in a fair and trustworthy fashion, it helps to build a culture that resonates throughout the company’s workforce. That culture, in turn, is strengthened whenever managers make clear, in both word and deed, that corporate security policies apply to everyone with privileges – from the C-suite down to the shop floor. Respect begets respect; disrespect begets disloyalty.
Recommendations for Managing the Risks
- Assess Insider Risk
- Apply Controls
- Align Responsibilities and Privileges
- Foster a Culture of Trust
- Recognize Trust Works Both Ways
Conclusions
Organizations need to trust their insiders to protect the information they handle, but will always face the risk of that trust being violated. To embrace a deeper understanding of trust, organizations must understand where and how they are trusting their insiders, then augment technical and management controls by helping people to become more worthy of the trust placed in them. In return, organizations should foster a culture that makes the organization worthy of their trust.
Lesson Learned
Sometimes the results can be gratifying. Once he grasped the significance of his discovery, the restaurateur called the FBI, whose agents arrived within minutes. After urgent questioning to make sure he hadn’t photocopied and distributed the documents to terrorists, the relieved and grateful agents, now duly chastened and resolved to being more careful in the future, returned to enjoy lunch at the proprietor’s Middle Eastern restaurant for each remaining day of the G-20 conference.