Of all the threat vectors an organization can experience, the insider threat is one of the most overlooked. Employees may either by accident or through malicious intent cause a security breach. Read the following real-life scenarios to determine if they could occur in your organization.
Malicious theft from airline
A case cited in a paper titled ‘Security beyond the firewall’ highlights the danger of not fully depriving former employees of access to IT systems. A senior employee left Air Canada and joined a competitor. Using continued extranet access, the employee colluded with his new employer to steal documents regarding route plans, ticket costs, etc. estimated to be worth US $220K. The theft was carried out via 250,000 network entries; anomalous behavior that was not detected to access documents with insufficient protection.
Employee emails personal data to wrong recipient
Who has not sent an email to the wrong person? In December 2013 an undisclosed number of customer names, Social Security numbers, addresses, dates of birth and group retirement plan names was accidentally emailed to a wrong recipient by an employee at the Massachusetts Mutual Life Insurance Company (MassMutual). In this case, the user was doing their job; the system allowed them to mishandle regulated data it should not have done (source http://datalossdb.org/).
Employee loses tax files copied to CD
In a high-profile case a few years ago, an employee of the UK’s tax office, the HMRC (Her Majesty’s Revenue and Customs) downloaded the private details of 25 million families to a file and copied them to a CD that was then lost in the mail. There was no malicious intent; just a legitimate need to share data. Due to a lack of DRM, the user was allowed to manipulate data and files in a highly insecure way. The loss made headline news in the UK, causing embarrassment to the government and concern among taxpayers.
Organizations can do the following to help protect against insider threats (most of which are HIPAA compliance requirements):
- Implement end-user security training;
- Implement termination procedures;
- Manage system-level security;
- Use encryption for files and email;
- Implement data access and usage policies;
- Implement a digital rights management (DRM) approach to data security.
Orion Group Managed Services offers Security Management consulting support and assists our customers in its design and implementation. Schedule a consultation today with one of our experts to prevent a security breach at your organization.
Reference: “What keeps your CEO up at night? The insider threat: solved with DRM”, June 2014, by Bob Tarzey & Bernt Ostergaard, Quocierca.