Security breaches caused by malicious or inept employees often go unreported. Many organizations are unwitting victims of the insider incidents, while others avoid talking about them for legal or PR reasons, making the scale of the insider threat notoriously difficult to assess.
Yet many have tried. In a recent study of 150 federal IT managers by MeriTalk, a public-private partnership of government IT professionals, 45 percent of respondents said their agencies had been a target of an insider threat attack, and 20 percent lost data as a result of an insider incident over the past year. Approximately 40 percent of the incidents were the result of unintended actions, according to the survey.
Did I do something wrong?
"Unintended actions" can mean anything from accidentally emailing a file to the wrong recipient to losing laptops or USB drives.
In the MeriTalk survey, 51 percent of respondents said federal agency employees often failed to follow protocol. For example, 65 percent of respondents said it was common for employees and contractors to email documents to personal accounts, while 40 percent said employees gained unauthorized access to information at least once a week.
Many slip-ups stem from a lack of awareness. Employees may not grasp why they shouldn't email files containing sensitive information to personal accounts or why putting personnel records on a publicly accessible FTP server could pose problems. They aren't being malicious -- they're simply trying to be productive and do their jobs, said Caleb Barlow, vice president of IBM Security.
A recent Centrify survey of more than 400 IT decision makers from the United States and the United Kingdom found that employees, contractors, and vendors were given liberal levels of access and credentials were frequently shared. Half the respondents said it could take up to a week to remove access to sensitive systems after a user leaves the company.
"The real enemy here is lack of concern," said Bill Mann, chief product officer of Centrify.
Insiders on the take
Poor access control becomes a more serious issue when insiders have malicious intent -- or think they can make a little money on the side.
Earlier this month, AT&T sued three ex-employees for allegedly installing unauthorized software on AT&T systems, which gave a third-party company the ability to unlock customer devices. The suit alleged the employees received between $10,500 to $20,000 to install the software. More common and more difficult to detect: An employee that moves to a competitor and makes off with intellectual property or sensitive information, such as customer data or pricing lists.
The Centrify study found that 28 percent of U.S. respondents "could be persuaded to be a hacker for $2,000 or less." That these respondents said they would consider turning against their company for such a low dollar amount is alarming. When employees or partners have access to privileged accounts or know where the sensitive information is stored, then the potential for damage becomes even higher.
The narrative of shadowy adversaries on the other side of the world crafting malware and trying to break into American networks is the dominant one, but the fact is employees, contractors, and trusted parties can cause as much damage, if not more. While a good number of insider incidents aren't intentional, there are enough malicious actors to make it worth restricting user access, even for insiders.