How honest employees become criminals
By Jorina van Rensburg, Managing Director at Condyn
The incidents in information security might occur due to the fault of the most respectable employees. We have been working on the development of corporate systems to prevent information leakage – DLP (Data Loss Prevention) – for more than twelve years. And employees may not be willing to make some extra money illegally, to take revenge on someone, to access the client base to start their own business. The reasons why they fall prey to data breach and further suspicion of malicious intent are the neglect of information security rules, excessive trust in colleagues’ integrity and mere recklessness.
According to the Intel Security study, slightly more than half of information leaks take place due to outsider attacks, while 43% of troubles are caused by the employees. Moreover, intruders usually look for information about clients (34%), while employees get responsible for leaking data about their colleagues, less often exposing the client base (25%). Statistics show that insider info loss happens unintentionally more than often.
The motives of employees who leak confidential data deliberately are understandable – revenge or profit. When it comes to respectable employees, it turns out to be more complicated. Having analyzed the incidents, we came to the conclusion that all "good" employees, who cause trouble, can be divided into three groups.
1. Innocent victims
This group includes unsuspecting employees intentionally framed by one of the colleagues.
Information security specialists helped our client to discover important documents stored locally on the disk by one of the employees who wasn’t allowed to access them. This is a serious violation of the internal regulations which requires urgent investigation. The employee’s computer appeared to have some software installed for remote control which he simply didn’t need in his work. The investigation revealed that the employee suspected of violations had no clue about the files stored on his computer. The actual culprit was a technical specialist who used the computer of the employee as a temporary network storage before transferring confidential data to a third party.
The group of employees who become the perpetrators of leaks due to negligence, ignorance or naivete.
44,000 customers of Federal Deposit Insurance Corp. (FDIC) became victims of personal information leakage due to the technical incompetence of the company's employee who uploaded confidential data to a personal flash drive. Later it turned out that the information wasn’t used outside the organization, however, with the help of special software FDIC was able to track the uploading of corporate information.
According to the Wombat Security 2017 State of the Phish Report, 28% of employed UK population and 35% of the employed in USA do not know what "phishing" is. In January 2017, a leak of personal data of 4,000 employeeshappened due to the fault of the colleagues who followed the link with the requirement to fill in the necessary tax forms. The letter which was sent on behalf of the CEO, appeared to be a phishing bait.
3. Skeletons in the closet
Such employees are harmless until something provokes them. Their personal lives hide some "hook" which attackers might want to benefit from. It can be anything from debts, drugs or alcohol addiction to adultery or other private details. Information security specialists put such employees in the risk group, because criminals can use their secrets in order to blackmail members of staff.
Another example. For reasons unknown, the same suppliers were selected by the employees of some company, although the terms and conditions they offered were not the best ones. Information security specialists started with checking the activity of the procurement specialist. The employee was suspected of taking kickbacks but the surmise was negated. However, there was a thing which drew attention of the IS specialists. The correspondence between the girl, procurement specialist, and a male colleague from another department was observed. The sympathy was spotted between the employees. The girl was picking those suppliers from which her colleague received "bonuses".
Incidents that occur due to "innocent victims" can be detected (and even prevented) only by information security specialists. The "victim", besides being unaware of what is going on, is ineffective in finding and neutralizing the attacker due to the lack of technical skills and professional knowledge. Employees with "skeletons in the closet” should be controlled permanently. IS specialists tend to react promptly to the incidents originated by this type of employee. The information leakage caused by employees from the second group - happy-go-lucky - happen more often because of their criminal carelessness and negligent attitude towards the basic set of rules.
Let us give some examples:
All mine is yours
Information security specialists detected the account activity on the computer of an employee who at that moment was on vacation and didn’t have to show up even remotely. It turned out that before the vacation he delegated all the passwords to his colleague ("just in case"), so that he wouldn’t be disturbed with constant inquiries. The company's routine forbade access sharing. The employee's computer kept confidential information which in case of leakage would lead to serious financial and reputational loss. The company managed to avoid the data breach, though the incautious employee was warned about possible threats and instructed.
Innocent request for technical assistance
Which corporate information is kept on the computer of which employee – you can learn it even by accident. For example, thanks to an email sent by some employee while asking for technical assistance. According to the Winnipeg Free Press, the leaked data of 3,700 employees was discovered when one of the colleagues sent the email containing the information while making a request for technical assistance.
Whitehead Nursing Home employee not only survived the burglary and lost valuable belongings, but also became the reason why his employer paid 15,000 pounds fine. That day when he took the corporate laptop with unprotected information home his house was robbed. According to the BBC News, confidentiality of the data referring to 46 employees and 29 patients was violated.
According to the SolarWinds survey, the majority of unintentional info breaches occur due to phishing, copying data to unprotected devices, loss of storage devices or using personal hard drives, accidental deletion or modification of information, use of corporate passwords outside the internal network, neglect of protection systems updating, incorrect configuration. According to the survey among federal agencies conducted in 2017, there was an increase in deliberate insider leaks - 29% vs 22% in 2016. Nevertheless, 44% of respondents indicated that unintentional leaks are the main threat to information security.