Small and midsized firms are just as likely to fall victim to insider threats as are big companies and government agencies. Many organizations also do not prosecute or report insider incidents, either due to a lack of evidence or concerns about damage to company reputation, a security specialist concludes.
Insider threats cover a spectrum of activities, ranging from theft of intellectual property to fraud and sabotage, explained Michael C. Theis, the chief counter intelligence expert and lead researcher at Carnegie Mellon University's CERT Insider Threat Center. Because there is no single type of insider threat, firms need to be aware of a variety of danger signs indicating that something may not be right with an employee, Theis said at a recent government-business symposium held by the Armed Forces Communications Electronics Association.
An insider threat, Theis explained, is a current or former employee, contractor, or business partner who uses their legitimate authorization to access critical information and services for malicious purposes. He added that there is also a category of unintentional insider threats: leaks and loss of information by otherwise well-meaning staff and contractors, usually through lax security protocols.
[Small businesses should be vigilant against outside threats, too. Read Cyber Attackers Target Small, Midsized Businesses.]
According to the CERT Center's 2014 US State of Cybercrime Survey, 37% of 557 surveyed firms reported some kind of cybercrime issues in 2013. Small firms (those with fewer than 500 employees) made up 43% of the organizations in the survey. Of the reported cybercrime incidents, 32% were caused by insiders. Forty six percent of surveyed firms also found insider threats to be more damaging than outsider attacks. The report noted that 82% of the incidents included the exposure or loss of sensitive or confidential information, 76% reported the theft or compromise of confidential records, 71% reported the theft or compromise of customer data, and 63% reported the theft or exposure of employee records.
The report also found that 75% of insider crimes were often not prosecuted or reported to law enforcement for a variety of reasons. Thirty four percent of firms found that the damage was insufficient to warrant prosecution, 36% cited lack of sufficient evidence or information to prosecute, 37% of firms could not identify responsible individuals, while 12% didn't do anything due to concerns about bad publicity and 8% didn't pursue an investigation because of potential litigation issues.
Every sector of the economy has suffered from insider threats such as theft of intellectual property, sabotage, and fraud, Theis said. Sabotage of company IT systems includes deleting information, bringing down systems, and website defacement. He noted that personnel don't have to be IT professionals to successfully sabotage company networks.
Theft of intellectual property is often conducted by skilled professional staff such as scientists, engineers, and sales force personnel. Stolen intellectual property can be proprietary business information, source code, or industrial espionage. For fraud, insider activities consist of falsified payroll reimbursements, unauthorized acquisitions with company funds, theft and sale of confidential information, and modifying or hiding criminal activity after the fact.
IT sabotage is almost always conducted by former employees, while fraud is usually committed by currently employed staff, and theft of intellectual property usually happens within 30 to 90 days of an individual's resignation, Theis said.
Unintentional forms of insider threats include the inadvertent disclosure of confidential information, accidentally exposing company networks to hacking, or losing devices containing sensitive data.
Malicious insiders can be spies inserted into an organization for espionage purposes, or they can be employees recruited in place, Theis said. He added that the majority of insider threats come from disillusioned or otherwise dissatisfied personnel.
It is important for firms to keep track of employee behavior in the office and online to head off issues before they happen, Theis explained. That's because the individuals who cause such incidents are often unhappy with some aspect of their employment and usually discuss this with coworkers or through email and corporate social media. He added that organizations also need to be on the lookout for suspicious activity on corporate networks, such as the removal or copying of documents or unauthorized access to data.
To mitigate insider threats, organizations should include accurately assess the level of trust they place in individual staff, "right-size" staff access and permissions to only those areas they need to do their jobs, and effectively monitor employee activities and behavior at work and online, Theis said.
Nobody wants to be the next data breach headline. But ensuring that cyber-security defenses are operating effectively and efficiently is a monumental challenge given the sheer volume of information coming at us. Here's how to streamline your program. Get the Metrics That Work: Practical Cyber-Security Risk Measurements report today (registration required).