Although we often hear the most about hackers, mostly because it allows media to use the standard “faceless guy in a hoodie” images, black hats are not the only cause of data breaches. In fact, one of the biggest risks to data security comes from disloyal employees, sometimes called the “malicious insider.” The evidence suggests that these actors are responsible for more than a fifth of all theft of, or improper access to, company data.
To be clear, we’re not talking about employees who lose the company laptop, or who get phished and wind up giving away their password to an outsider. (That, too, is a major problem: nearly two-thirds of all breaches stem from employee or contractor negligence.) Instead, we’re talking about genuinely malicious individuals who use a privileged position inside a company to gain access to, and walk off with, company materials.
In some ways, it’s surprising that disgruntled employees don’t account for more losses, given their ease of access to data – getting into the company network is a given for them, so they’re already well on their way to doing serious harm. The problem has grown so serious that the FBI created a brochure dedicated to the issue, giving tips about how to spot risk factors and how to identify a disgruntled employee. (Pro Tip: if they’re not gruntled anymore, they could be turning disgruntled. You’re welcome.)
It may seem impossible to prevent an insider attack, because there’s no way to know when an individual will decide to turn against the company and steal materials. And, to be sure, some malicious insider attacks are complete surprises that never came with any red flags. But insider breaches do, in fact, mirror their outside counterparts: the insider will usually need to probe security, step outside their normal routine, and may already have tripped the alerts your IT department runs to catch irregular access patterns.
Whenever you’re talking about employees, you should be thinking carefully about your employee agreements, your Code of Conduct, and any other documents that you have individuals sign when they begin, or continue, working with your company. A well-documented paper trail may not stop someone from accessing information, but it can be a great help in a later lawsuit, or in providing a basis for disciplinary action that forestalls more aggressive snooping into sensitive materials. Policies and procedures may not prevent breaches, but they can make management of your employees much simpler.
Regardless of what your documents say, though, it’s essential to take steps to protect your company data, even from your own employees, a task that requires diligence and attention. And it just so happens that prevention dovetails with some of the principles of data security promoted by the FTC or required by the GDPR. Implementing data limitation principles or enhanced credential requirements is a good step, and has many permutations. You can, for instance:
- Limit access to materials outside the scope of an employee’s duties;
- Create an alert system to notify IT or the CISO when an employee accesses particularly sensitive materials;
- Disable USB ports (or, more practically, block removable storage by policy) to prevent rapid file theft; or
- Encrypt your most sensitive data and limit use of the encryption key to the smallest number of employees possible.
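To make the first two controls above, and the “outside the normal routine” signal mentioned earlier, concrete, here is a small added example (not code from the original post, and not any real product) of what such an alert system does: it reads a constructed file-access audit log, checks each access against a least-privilege role map, flags reads of classified material, and raises a bulk-read alert when one user opens more distinct files in a short window than their routine would explain. The log format, the role-to-path map, the sensitive prefixes and the thresholds are all assumptions for illustration.

```python
"""Toy insider-activity monitor over a file-access audit log.

Added example, not code from the original post. The JSON-lines log format,
ROLE_SCOPE, SENSITIVE_PREFIXES and the bulk-read thresholds are assumptions
chosen for illustration; a real deployment would load them from policy.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed least-privilege map: path prefixes each role is allowed to touch.
ROLE_SCOPE = {
    "engineering": ("/repos/", "/wiki/eng/"),
    "finance": ("/finance/", "/wiki/finance/"),
    "hr": ("/hr/",),
}

# Assumed classification: any access under these prefixes notifies IT/CISO.
SENSITIVE_PREFIXES = ("/hr/", "/finance/m&a/", "/legal/")

# Assumed "outside the normal routine" rule: more than BULK_FILES distinct
# files by one user inside BULK_WINDOW raises a bulk-read alert.
BULK_FILES = 5
BULK_WINDOW = timedelta(minutes=30)

# Constructed sample audit log (JSON lines); not real data.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:02:11", "user": "alice", "role": "engineering", "path": "/repos/app/main.py"}
{"ts": "2024-03-01T09:05:40", "user": "alice", "role": "engineering", "path": "/wiki/eng/onboarding.md"}
{"ts": "2024-03-01T09:10:03", "user": "bob", "role": "finance", "path": "/finance/q1/ledger.xlsx"}
{"ts": "2024-03-01T09:12:50", "user": "bob", "role": "finance", "path": "/finance/m&a/target-list.docx"}
{"ts": "2024-03-01T22:41:07", "user": "carol", "role": "engineering", "path": "/hr/salaries-2024.xlsx"}
{"ts": "2024-03-01T22:42:19", "user": "carol", "role": "engineering", "path": "/repos/app/a.py"}
{"ts": "2024-03-01T22:42:21", "user": "carol", "role": "engineering", "path": "/repos/app/b.py"}
{"ts": "2024-03-01T22:42:24", "user": "carol", "role": "engineering", "path": "/repos/app/c.py"}
{"ts": "2024-03-01T22:42:30", "user": "carol", "role": "engineering", "path": "/repos/app/d.py"}
{"ts": "2024-03-01T22:42:33", "user": "carol", "role": "engineering", "path": "/repos/app/e.py"}
{"ts": "2024-03-01T22:42:35", "user": "carol", "role": "engineering", "path": "/repos/app/f.py"}
"""


def parse_log(text):
    """Parse JSON-lines audit records into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def in_scope(role, path):
    """True if the path lies under a prefix the role may touch (least privilege)."""
    return any(path.startswith(prefix) for prefix in ROLE_SCOPE.get(role, ()))


def detect(events):
    """Return (user, rule, detail) alerts in event order.

    Rules: out_of_scope (path not allowed for the role), sensitive_access
    (path under a classified prefix), bulk_access (distinct-file count in the
    sliding window crossed BULK_FILES; detail is the count at the crossing).
    """
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, path)] inside the window
    for ev in events:
        user, role, path, ts = ev["user"], ev["role"], ev["path"], ev["ts"]
        if not in_scope(role, path):
            alerts.append((user, "out_of_scope", path))
        if path.startswith(SENSITIVE_PREFIXES):
            alerts.append((user, "sensitive_access", path))
        # Sliding window of this user's recent reads; alert once on crossing.
        window = [(t, p) for t, p in recent[user] if ts - t <= BULK_WINDOW]
        before = len({p for _, p in window})
        window.append((ts, path))
        after = len({p for _, p in window})
        recent[user] = window
        if before <= BULK_FILES < after:
            alerts.append((user, "bulk_access", after))
    return alerts


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, rule, detail in run_sample():
        print(f"ALERT {rule:16} user={user} detail={detail}")
```

On the sample log, alice stays within her role and triggers nothing; bob’s read of an M&A document is in scope for finance but still sensitive, so it notifies on classification alone; carol, an engineer, reads an HR salary file (both out of scope and sensitive) and then opens six source files in under a minute, which crosses the bulk threshold. In practice the role map comes from your identity system and the thresholds from a baseline of each user’s normal activity, but the shape of the check is the same.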
There are countless other steps you can take, but the primary point to remember is that insiders, well-intentioned or not, create the biggest risk of a data breach for your business. Being datasmart means recognizing that risk and taking the steps, today, to minimize it.
And maybe reconsidering your decision to hire this guy.