Insider Security Threats: Disloyal Employees - InformationWeek
Commentary
4/7/2016
08:05 AM
Pablo Valerio

Insider Security Threats: Disloyal Employees

One in five employees is willing to leak confidential information, and 30% of them say that they will sell their work-related passwords for less than $1,000, according to SailPoint 2016 Market Pulse Survey findings. The release of the Panama Papers is adding to the debate.

When it comes to creating enterprise-level security for your company, how much can the employees in your organization be trusted? Should IT expect that these workers follow basic security practices and keep sensitive information secure? Are internal threats a greater concern than outside ones?

These are just a few of the security questions and concerns being raised after a new report shows that many employees take a lax view of IT security, and many of these same workers are susceptible to cash bribes for their passwords.

For many years, most CIOs, chief security officers, and IT security managers have known that the biggest threats to their organization's information systems and data confidentiality come not from the outside, but from the inside. Still, it's hard to believe that more than 50% of workers will, at some time during their employment, willingly compromise some of the security of their organization's IT services, according to the recently released SailPoint 2016 Market Pulse Survey.

The report further confirms that internal data security threats within organizations are not diminishing over time, but actually increasing.

(Image: weerapatkiatdumrong/iStockphoto)

About 1,000 office workers in the US, the UK, Australia, France, Germany, and The Netherlands were surveyed for the report. All were employees of organizations with more than 1,000 workers, and 45% worked for companies with more than 10,000 employees.

The survey was commissioned by SailPoint Technologies and conducted by independent research firm Vanson Bourne.

"This year's Market Pulse Survey shines a light on the significant disconnect between how employees view their personal information and that of their employer, which could also include personal information of customers," Kevin Cunningham, president and founder of SailPoint, wrote in a March 20 statement. He continued:

Today's identity governance solutions can alleviate the challenge of remembering several passwords and automate IT controls and security policies, but it's imperative that employees understand the implications of how they adhere to those policies. It only takes one entry point out of hundreds of millions in a single enterprise for a hacker to gain access and cause a lot of damage.

Some of the findings are shocking. The report reveals vulnerabilities that are dangerous for any organization. For businesses that handle confidential data or large databases, the results are depressing. For example:

  • Over 65% of the respondents admitted to using the same passwords across different applications, and 33% share their credentials with coworkers.
  • One in five employees says he or she would sell passwords to an outsider, including competitors, and 44% of those would sell their passwords for less than $1,000.
  • 26% of employees admitted to copying some internal data to cloud services, such as Dropbox or Google Drive, with the specific intent to share that data outside the company.

The results of the study shed some light on employee loyalty based on location. Twice as many US workers (27%) are willing to sell their passwords to outsiders as employees working for an organization in The Netherlands (12%).

Another key finding is how easy it is for former employees to access their previous corporate accounts after termination.

The study shows that over 40% of people are able to access their previous employer's information by using the same credentials they had when they were working at their old job.

Based on the results of the survey, SailPoint Technologies estimates that in a 50,000-employee organization, 32,000 workers are using the same password across several applications, 17,000 share passwords with coworkers, and 10,000 workers would be willing to sell their passwords to an outsider.

Of those 10,000 willing to sell passwords, 4,400 are willing to sell for less than $1,000.

However, if former employees are still able to access systems, then some of the blame needs to go back to the IT department and security admins who should be developing ways to make sure internal systems can't be accessed.

What is clear from these findings is that organizations need to increase internal security, and only allow access to the information needed on a case-by-case basis. The recent release of the Panama Papers, which could have been an internal affair although the law firm denies this, shows that giving some employees almost unlimited access can have disastrous consequences.

With all this in mind, there are three steps security and IT pros can take to limit the exposure:

  • Enable logging of database access, so it can be determined by whom, when, and where any particular piece of information was retrieved.
  • Require two-step authentication for access to any sensitive data, including biometric factors such as fingerprints in addition to passwords.
  • Encrypt all sensitive data with a security mechanism that makes it impossible to read the files outside of the organization.

Pablo Valerio has been in the IT industry for 25+ years, mostly working for American companies in Europe. Over the years he has developed channels, established operations, and served as European general manager for several companies. While primarily based in Spain, he has ...
Comments
shamika,
User Rank: Ninja
4/21/2016 | 6:28:44 AM
Re: Low level employees profit while exposing companies to costly data breaches
Employees nowadays do not care about data confidentiality. I have seen employees sharing the same password to log in to systems which have sensitive customer information.
shamika,
User Rank: Ninja
4/21/2016 | 6:25:26 AM
Re: Every company has its Snowden.
@william, Yes, you are correct. Most of the companies will not treat their employees well, which is not right.
shamika,
User Rank: Ninja
4/21/2016 | 6:23:11 AM
Re: Every company has its Snowden.
"One in five employees is willing to leak confidential information". Well, I agree. In the current context, employees are worried about money more than loyalty.
Pablo Valerio,
User Rank: Ninja
4/17/2016 | 4:16:41 AM
Re: Low level employees profit while exposing companies to costly data breaches
Gary, that is a very good tip.

Actually, digital copiers are a huge risk. Many organizations just replace them after their lease and those are sold to second-hand resellers. The HDs on those machines can contain copies of thousands of sensitive documents.
Gary Scott,
User Rank: Moderator
4/16/2016 | 5:57:06 PM
Low level employees profit while exposing companies to costly data breaches
Take a look at your warehouse workers. That is the group entrusted with the company's old IT equipment - usually containing hard disk drives and SSDs.

Yes, this is usually the equipment not valuable enough to be resold, but how valuable is the data? Your company's old equipment is probably being sold for pennies to electronic recyclers while your company is risking $millions in fines and litigation costs.

Consider hard disk drive destruction prior to leaving old IT equipment in an unsecured location.
Shawn @ HomeSecurityList,
User Rank: Apprentice
4/7/2016 | 12:04:42 PM
Re: Every company has its Snowden.
@William Terdoslavich Do you really believe 2.6 terabytes of data can be frisked by any employee? I seriously doubt it. I do agree that compartmentalizing data access can help in guarding data. However, what if a high-ranking official, a board member (who is secretly planning an exit from a company), or some high-ranking managerial staff is frisking out the data? I strongly believe this insider job of security breach is done by any other employee but a/some high-ranking officials of Mossack Fonseca.
William Terdoslavich,
User Rank: Author
4/7/2016 | 11:18:52 AM
Every company has its Snowden.
The problem is not surprising. It is symptomatic of two different, perhaps overlapping issues.

First, disgruntled employees may be a norm in a company where people are treated as afterthoughts, not assets. Revenge will be the resulting problem.

Or second, the problem employee is an underperforming narcissist with access to too much data. Better governance and security would limit the amount of damage this loose cannon will cause.

The solution is better management--treat people better, but also compartmentalize their access to data and track their movements within IT systems. Anomalous access could be a warning of trouble to come.
