The Human Face of Information Risk Re-visited


Back in July 2012, Ascentor published our own research into employee behaviour and how it relates to Information Risk. We called it ‘The Human Face of Information Risk’.

One of the most alarming findings was that over half the respondents (57%) said that there were circumstances in which they would deliberately sabotage or compromise their employer.

With the additional potential for unintentional data loss through employee negligence and error – the impact of what has become known as ‘the Insider Threat’ poses a huge issue for information risk.

Were we right to focus on the insider threat in 2012?

Fast forward to 2015 and there has barely been a week without a data breach involving some aspect of human involvement. For all the security measures that might be in place, the incidents of real people causing costly and embarrassing data compromises are still all too common.

As the insider threat remains such a critical information risk issue, we thought we’d re-visit our main findings – and look at some of the more recent research.

What’s more, you are probably just as keen to know what organisations can do about it. We’ll also cover some of the tactics that can be used to counter the insider threat.

2012 – could two million workers already have sabotaged a business?

In 2012, we engaged OnePoll to survey 1,000 employees across the UK. We discovered that:

  • More than half (57%) of employees were willing to compromise company information as an act of sabotage.
  • The country’s key workers, such as those in Government and Public Service, are not immune: 53% said they would sabotage information and 3% admitted to already having done so.
  • A bitter 7% of respondents admitted they had already compromised information to get their own back.

We thought the figure of 7% was particularly alarming. With nearly 30 million in the UK workforce, this could equate to more than two million people who had already sabotaged a business.

Our findings highlighted a potential hole in corporate information security strategies. If there’s too much focus on external cyber threats – could this potentially lead to internal threats from disgruntled employees being overlooked?

2015 – widespread vulnerability, and does everyone have their price?

In a climate of increasing data breaches, it’s not surprising that the 2015 Insider Threat Report by Vormetric found that 89% of organisations now believe they are at risk of insider threats with 34% considered to be very or extremely vulnerable.

Another recent survey by Clearswift in July revealed that 35% of employees would be prepared to give away company information for money. The same survey found that 25% would let data go for less than $8,000.

As the saying goes ‘everyone has their price’ – but this appears to be worryingly low and a small outlay for the hacker given the potential ‘rewards’. Just as significant, if true, what does this say about levels of employee engagement and commitment?

What provokes malicious insiders?

Our research found several issues provoking malicious data breaches by employees:

  • Not being paid enough (27%) was only marginally ahead of lack of respect from their employer or a personality clash (25%).
  • More than a fifth of respondents (21%) admitted they would be prepared to compromise their employer if they missed out on a promotion.

To put this in context, such a compromise might involve access to the organisational CRM system. How easy is it for an employee who perhaps missed out on a promotion to ‘walk’ to a competitor with customer data crucial to forthcoming contracts?

A scenario like this might explain why 55% of respondents to the 2015 Vormetric Insider Threat survey view privileged access to data as their top insider threat risk category.

The most high profile ‘insider’ is undoubtedly US Government contractor, Edward Snowden. His motivation was exposing privacy issues and he was able to wreak havoc while not even being an employee. Perhaps thanks to Snowden the Vormetric survey found contractors to be the second highest insider threat risk (46% of respondents). While many contractors operate with complete integrity, as it is now the standard business norm to buy-in expertise, organisations must understand and mitigate the risk.

There is one common link to all of the above. From employee morale to disengagement and whistleblowing – all the above issues are people-related. So, as we said in 2012, if you thought information risk was ‘only’ an IT issue, it’s time to think again.


And it is all the more reason to ask a simple question. Is all the data access you currently allow really necessary, especially privileged access?

The accidental threat

Of course it’s not just deliberate data breaches that make employees such a pivotal part of information risk – the insider threat from accidental data loss and negligence is just as damaging.

The 2015 Intel Security report identified that employees account for 43% of data loss and half the time these leaks are accidental – caused by a lack of concentration or a slack attitude towards data security, an attitude particularly prevalent amongst the ‘millennial’ generation typically aged 18-30.

There’s no doubt that members of this age group, with their fondness for sharing data and personal information on social networks, self-designed IT ‘workarounds’ and ‘relaxed’ views about IT policy, are unwitting targets for malware. We’ve discussed this in more depth in our blog ‘Generation Y and information security – a cyber criminal’s dream?’

But it’s not just Generation Y that unintentionally exposes sensitive data or opens the door to a phishing scam – anyone can be caught out and have their credentials compromised. John Sellars, writing in FCW, The Business of Federal Technology, puts it starkly. “The reality is that most attackers are not breaking into networks; they are just logging in”, adding that attackers with compromised credentials operate “with all the privileges of legitimate users, turning innocent users into insider threats”.

How to address the insider threat risk

We’ve already said that information risk is more than an IT issue – the combination of malicious and accidental involvement of people substantiates this.

Based on our original findings, our opinion was very clear; for an organisation serious about protecting itself from information loss, engaging with the HR department and developing people based security policies would be as important as putting technical controls in place to stop the cyber hackers.

We believe that HR and IT both need to address the insider threat. Here’s how they might do this:

IT: Use a security analytics tool to monitor internal network activity – look for the unusual and respond before anomalies become security breaches. In particular, know who is expected to have access to sensitive data and what applications are normally used in a typical day. Are large amounts of data being accessed or moved? Are there repeated logins – especially from non-standard and far-away locations? Compromised credentials will still appear normal – it’s the differences in activity that should identify possible suspicious activity.
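The monitoring idea above (baseline who accesses what, then alert on the differences) can be shown with a small detector. This is an added example and not code from Ascentor or the article; the log lines, user names, locations and thresholds are all constructed for illustration, and the three checks it runs are the ones the paragraph names: access from a location the user has never used, a burst of repeated logins, and a data transfer far larger than the user's normal volume.

```python
"""Toy insider-threat anomaly detector over constructed access-log lines.

Each line: <ISO timestamp> <user> <action> <location> <bytes>
Everything before CUTOFF is treated as the known-good baseline; everything
from CUTOFF onwards is scored against that baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical users and sites, not from the article).
SAMPLE_LOGS = """
2015-11-02T09:01:00 alice login LON-HQ 0
2015-11-02T09:05:00 alice crm_export LON-HQ 120000
2015-11-02T09:30:00 bob login LON-HQ 0
2015-11-02T10:00:00 bob crm_export LON-HQ 90000
2015-11-03T09:02:00 alice login LON-HQ 0
2015-11-03T09:10:00 alice crm_export LON-HQ 110000
2015-11-03T09:31:00 bob login LON-HQ 0
2015-11-03T11:00:00 bob crm_export LON-HQ 95000
2015-11-04T02:10:00 bob login REMOTE-XX 0
2015-11-04T02:11:00 bob login REMOTE-XX 0
2015-11-04T02:12:00 bob login REMOTE-XX 0
2015-11-04T02:20:00 bob crm_export REMOTE-XX 5000000
"""
CUTOFF = datetime(2015, 11, 4)

# Illustrative thresholds; a real deployment would tune these per data set.
VOLUME_FACTOR = 10                    # transfer > 10x the user's largest baseline transfer
BURST_THRESHOLD = 3                   # this many logins ...
BURST_WINDOW = timedelta(minutes=5)   # ... inside this window counts as a burst


def parse_logs(text):
    """Turn the whitespace-separated log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, location, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "location": location, "bytes": int(nbytes)})
    return events


def build_baseline(events, cutoff):
    """Per user: the set of locations seen and the largest single transfer before cutoff."""
    baseline = defaultdict(lambda: {"locations": set(), "max_bytes": 0})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        b = baseline[e["user"]]
        b["locations"].add(e["location"])
        b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return baseline


def detect(events, baseline, cutoff):
    """Score events at/after cutoff; return (user, timestamp, reason) alerts in time order."""
    alerts = []
    seen_locations = set()             # (user, location) already alerted on
    recent_logins = defaultdict(list)  # user -> login timestamps inside BURST_WINDOW
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ts"] < cutoff:
            continue
        user = e["user"]
        b = baseline.get(user)         # .get() does not create a default entry
        if b is None:
            alerts.append((user, e["ts"], "unknown_user"))
            continue
        # 1. Access from a location this user has never been seen at.
        if e["location"] not in b["locations"] and (user, e["location"]) not in seen_locations:
            seen_locations.add((user, e["location"]))
            alerts.append((user, e["ts"], "new_location"))
        if e["action"] == "login":
            # 2. Repeated logins: keep only logins inside the window, alert when it fills.
            recent_logins[user] = [t for t in recent_logins[user] + [e["ts"]]
                                   if e["ts"] - t <= BURST_WINDOW]
            if len(recent_logins[user]) == BURST_THRESHOLD:
                alerts.append((user, e["ts"], "login_burst"))
        elif e["bytes"] > VOLUME_FACTOR * b["max_bytes"]:
            # 3. Unusually large transfer (a user with no baseline transfers has max_bytes 0,
            #    so any transfer at all is flagged for them).
            alerts.append((user, e["ts"], "volume_spike"))
    return alerts


def run_demo():
    """Build the baseline from the constructed logs and return the resulting alerts."""
    events = parse_logs(SAMPLE_LOGS)
    return detect(events, build_baseline(events, CUTOFF), CUTOFF)


if __name__ == "__main__":
    for user, ts, reason in run_demo():
        print(f"{ts.isoformat()} {user}: {reason}")
```

Note that none of the three rules needs the credential itself to look wrong; the 02:10 session authenticates successfully, exactly as the paragraph describes, and only the departure from bob's baseline (site, login cadence, volume) produces the alerts.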

HR: There needs to be a greater awareness of the security issues surrounding data. HR can help by better communicating an IT policy that everyone can understand and relate to. Work with IT to take out the jargon and make the lessons compelling. HR and IT could also profile the traits of a typical insider threat and use this in the vetting of candidates. Who is likely to most identify with the culture, engage with the business and therefore be less likely to develop a grudge at a later date if they don’t fit in? On the flip side, who is showing signs of leaving the organisation and what is their online activity like? Particularly those with privileged access?

In summary, when it comes to information security, your people must be recognised as a source of risk, but they are also part of the solution. It’s always going to be very difficult to identify and catch a tech-savvy employee with a grudge – as it is to spot compromised credentials. However, with a commitment to educate and train staff, they can be made aware of the threats and, with the right policies and procedures in place, mitigate the risk they pose.

Three years after our research, the Human Face of Information Risk still presents a clear and present danger, but we can all do something about it.

For further information:

If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.

If you’d like to discuss how our consultants could advise on the Insider Threat or any aspect of Cyber Security, please contact Dave James at Ascentor.

Email: [email protected]

Office: 01452 881712

Web: ascentor.co.uk
