When most people think of the insider threat, they think of that picture-perfect stock image of a man in a hoodie hunched menacingly over his laptop. Sure, there are likely plenty of hoodie-wearing malicious cyber criminals out there, but realistically, most insider threat looks very different. In fact, a huge chunk of insider threat incidents aren’t even attacks at all; they’re accidents. Think that makes them less intimidating? Guess again.
Take a look at this news story from June. Eastern Health, one of the largest health providers in Canada’s Newfoundland and Labrador provinces, lost a flash drive containing the personal information of around 9,000 employees.
Diamond said they believe the USB is lost and not stolen, adding there is nothing to suggest that the information on the USB drive will be used for “a fraudulent purpose.”
While Diamond was probably right, we do have to keep in mind that at this point, Eastern Health is saying that they have no idea where this flash drive is. It could be at the bottom of someone’s drawer or have fallen down a sewage drain, sure, but it could also have been dropped on a busy city street or left on a subway. You can’t account for who will pick up a drive that you have no clue how to locate.
Then, just last week, a very interesting development was announced. The flash drive was found in an office file cabinet. Eastern Health had it in their offices the entire time. Here’s what a representative had to say about it:
“We were actually hoping that it would turn up.”
Too bad that by the time they found this flash drive, over $100,000 had been spent on damage control. Plus, there’s something to be said for the crippling embarrassment that they’re likely feeling over this entire event. That’s probably not something they’re going to get over anytime soon.
While it’s easy to see the humor in this story from an outside perspective, don’t get too smug. People make mistakes, and this is a scenario that could happen to anyone. In fact, it has many, many times. There are hundreds more examples of human error causing real data breaches with real consequences.
Take Auburn University, for example, which accidentally exposed the personal information of 346,000 people, including SSNs, and had it publicly available online from September to March (and, as long as we’re looking at universities, Indiana University also accidentally moved personal info for 146,000 students to an insecure location). Or look at the National Guard, which unintentionally exposed the personal information of 850,000 members in an insecure data transfer. Or HSBC, which exposed mortgage account information for several months before the mistake was discovered. Even the government isn’t immune: since 2009, there have been 154 recorded accidental data leaks by UK councils, government departments, police, and other government departments. Not to mention some of the many more ridiculous stories we’ve rounded up in the past.
These are just a fraction of the examples of the ways that the unintentional insider threat can affect an enterprise. A recent study found that nearly 90% of data breach incidents were caused by human error, whether by people getting their computers infected, losing things, or just messing up.
It might be sexier to talk about the malevolent forces lurking in your midst, just waiting for the perfect moment to betray your trust, but in reality, Bob from accounting, who always needs to have someone help him find the Start menu, is the far more likely insider threat. If you’re not careful, one day he’ll accidentally drop customer credit card info into his shared Dropbox folder and you won’t even know it.
Let’s face it: accidents happen. The human race has a truly astounding ability to make mistakes even in the face of every possible protective measure. But there are two major things you can do to mitigate the unintentional insider threat before it starts:
Education is always the first line of security defense. The vast majority of unintentional insider threats are caused by either ignorance or carelessness, or oftentimes, a combination of the two. Lots of employees are careless with their virtual behavior because they just have no idea how dangerous their (to them) harmless actions can be. Building out an in-depth, targeted education campaign is a huge investment in the future of your enterprise’s security, and skipping it is a major risk.
Education is a solid foundation, but continuous monitoring is really what’s going to make or break your attempts at stopping the unintentional insider threat. Visibility is critical. Otherwise, you have no way of knowing which employees are routinely misusing software or evading restrictions. Even better, continuous monitoring allows you to reinforce your education campaign. When you know exactly which users are making mistakes, you can target them with personalized education and attention. Without this visibility, you probably wouldn’t even know what your risks are or if a breach happened at all, and trust us, you don’t want to get blindsided with that.
Is it unavoidable?
Chances are, eventually, someone somewhere in your organization is going to make a mistake that seriously puts your security at risk. Most likely, someone already has and maybe you just didn’t know it. You may never be able to fully stop the unintentional insider threat, but visibility gives you the knowledge that you need to approach it head-on instead of burying your head in the sand. After all, you never want to be the one caught saying, “$100,000 later, we were actually hoping that would turn up!”