In September, the FBI and the Department of Homeland Security issued a warning about a rise in security events caused by current and former employees. In a 2014 study by AlgoSec, an IT consulting company, more than 70% of information security professionals responded that insider threats, both accidental and malicious, were their top concern, up from the 2013 study, possibly due to the “Edward Snowden effect.”
Home Depot, during an investigation triggered by its recent outside data leak, learned that a former senior IT security employee had been fired from his previous job for sabotaging his employer’s network and is now in federal prison for remotely resetting his employer’s servers to factory settings. The incident is believed to have cost as much as $1 million in lost business, and while the employee has not been tied to the Home Depot hack, he might have caused a loss that could have been avoided by a background check and the implementation of proper policies.
According to a 2014 Insider Threat Survey of IT professionals by SpectorSoft, which asked about experience in detecting and preventing insider threats from employees and vendors, approximately 35% of the organizations reported that they had experienced an insider attack. It is estimated that 75% of all insider crimes go unnoticed. Data thefts – whether personal information or company secrets – can take months to discover, if they are discovered at all. The survey also estimates that there are $40 billion in losses due to employee theft and fraud.
According to a May 2014 study by the Ponemon Institute, 44% of data breaches were from malicious or criminal attacks, 31% from human error and 25% from system glitches. These issues can also arise from low-tech events. For example, in a recent case involving the Owensboro Medical Practice, PLLC, a spreadsheet that a vendor had received containing protected health information was copied and removed from the vendor’s office, resulting in the breach. Evidence from the SpectorSoft study suggests that just 10% of employees account for 95% of incidents.
How is it possible to prevent or lessen the losses and lower the risks a business faces?
Analyzing practices and establishing policies can help prevent incidents from inside as well as outside and lower risk. One model is based on the framework for organizing cybersecurity activities set out in the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology in February 2014, which incorporates project management analysis. The functions to organize are:
- Identify – develop an understanding of how data flow and storage work to manage and analyze risk to systems, data, and assets, including pricing and customer information and other company confidential and proprietary information.
- Protect – develop and implement safeguards to help limit the impact of an event, including requiring security and standards from vendors and implementing policies and procedures for employees.
- Detect – develop and implement procedures to identify an event, including requiring vendors to detect and expeditiously provide notice of an event.
- Respond – prepare a plan and procedures to take action in the case of an event, whether internal or external.
- Recover – have a plan in place to restore capabilities impaired due to an event to reduce the impact and losses.