The danger from within… data leakage by employees and other insiders

August 17, 2014 |

The Harvard Business Review has recently conducted an interview with two Oxford academics, David Upton and Sadie Creese, on a recent paper they wrote titled The Danger from Within, which will be published in the September edition of the magazine. It is particularly prescient given the Privacy Commissioner’s review of the Guide to Information Security and of what are reasonable steps to protect personal information (found here).

The podcast (running 15:28 minutes) is found here:

Prevent Employees from leaking data

The executive summary of the article provides:

The 2013 cyberattack on Target is just one recent example of a growing phenomenon: attacks involving connected companies or direct employees. According to various estimates, at least 80 million of these attacks occur in the United States each year—but the number may be much higher, because they often go unreported.

Upton and Creese head an international research project whose goal is to aid organizations in detecting and neutralizing threats from insiders. Their team includes computer security specialists, management educators, psychologists, and criminologists, among others, and their findings challenge conventional views and practices. “The doors that leave organizations vulnerable to insider attacks,” they write, “are mundane and ubiquitous.”

In this article they discuss the causes of growth in the number of insider cyberattacks, the reasons behind them, and five ways to tackle the problem: Adopt a robust insider policy at every level of the organization; raise awareness of phishing and other ploys; screen new hires thoroughly; employ rigorous subcontracting processes; and let employees know that you will observe their cyberactivity to the extent permitted by law.

It is an excellent article, well worth a very close read. Its focus is on practicality rather than theoretical analysis. Its starting point is recognising that the insider threat to data security requires different approaches from defences against outside attacks. The authors note:

The recommendations are straightforward, and organisations should be able to implement them without difficulty. For example, regarding what an IT department should be doing:

Some of the most important activities that nontech leaders should ask of their IT departments are:

  • monitoring all traffic leaving enterprise networks via the internet or portable media, and promptly reporting anything unusual or in violation of policy
  • staying current with best practices for supporting cybersecurity strategy and policy
  • rigorously implementing network defense procedures and protocols that take into account the operational priorities of the business
  • actively updating user accounts to ensure that employees never have more access to sensitive computer systems than is absolutely necessary
  • making frequent threat assessments and briefing the company’s leadership on them
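The first item in that list, monitoring traffic leaving the network and promptly reporting anything unusual or in violation of policy, is the one most readily turned into a concrete control. The following is an added illustration, not code from the article or from the Upton and Creese research project: it reads constructed egress log lines (date, user, channel, destination, bytes sent), flags any use of portable media or of a destination outside an approved list as a policy violation, and flags a day on which a user sends more than ten times their own typical daily volume as a spike worth reporting. The log format, the approved destination list, the blocked channel set and the thresholds are all assumptions chosen for the example.

```python
"""Egress monitoring over constructed log lines.

Two checks, matching the two halves of the recommendation in the text:
  * policy violations: portable-media use, or data sent to a destination
    that is not on the approved list;
  * volume spikes: a user's daily outbound total far above that user's
    own typical daily total (per-user baseline, median of the other days).
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample log (not from the article). One line per transfer:
# date,user,channel,destination,bytes_out
SAMPLE_LOG = """\
2014-08-01,alice,https,sharepoint.example.com,120000
2014-08-02,alice,https,sharepoint.example.com,95000
2014-08-03,alice,https,sharepoint.example.com,110000
2014-08-04,alice,https,sharepoint.example.com,105000
2014-08-05,alice,https,sharepoint.example.com,98000
2014-08-06,alice,https,filedrop.example.net,4800000000
2014-08-01,bob,smtp,mail.example.com,20000
2014-08-02,bob,smtp,mail.example.com,25000
2014-08-03,bob,smtp,mail.example.com,18000
2014-08-04,bob,smtp,mail.example.com,22000
2014-08-05,bob,usb,removable-drive,350000000
2014-08-06,bob,smtp,mail.example.com,21000
2014-08-01,carol,https,crm.example.com,50000
"""

# Assumed policy settings for the example.
ALLOWED_DESTINATIONS = {"sharepoint.example.com", "mail.example.com", "crm.example.com"}
BLOCKED_CHANNELS = {"usb"}   # portable media: every use is reported
MIN_HISTORY_DAYS = 3         # need this many other days before judging volume
SPIKE_FACTOR = 10            # report a day above 10x the user's typical total


@dataclass(frozen=True)
class Finding:
    user: str
    date: str
    kind: str      # "policy_violation" or "volume_spike"
    detail: str


def parse_log(text):
    """Parse CSV lines into (date, user, channel, destination, bytes_out)."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than abort the report
        date, user, channel, dest, nbytes = row
        records.append((date, user, channel, dest, int(nbytes)))
    return records


def daily_totals(records):
    """Sum bytes sent per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, _channel, _dest, nbytes in records:
        totals[user][date] += nbytes
    return totals


def check_policy(records):
    """Flag portable-media use and transfers to unapproved destinations."""
    findings = []
    for date, user, channel, dest, nbytes in records:
        if channel in BLOCKED_CHANNELS:
            findings.append(Finding(user, date, "policy_violation",
                                    f"{nbytes} bytes via blocked channel {channel}"))
        elif dest not in ALLOWED_DESTINATIONS:
            findings.append(Finding(user, date, "policy_violation",
                                    f"{nbytes} bytes to unapproved destination {dest}"))
    return findings


def check_volume(records):
    """Flag a day whose total exceeds SPIKE_FACTOR times the median of the
    same user's other days. Users with too little history are not judged."""
    findings = []
    for user, per_day in daily_totals(records).items():
        for date, total in per_day.items():
            others = [v for d, v in per_day.items() if d != date]
            if len(others) < MIN_HISTORY_DAYS:
                continue
            baseline = median(others)
            if baseline > 0 and total > SPIKE_FACTOR * baseline:
                findings.append(Finding(user, date, "volume_spike",
                                        f"{total} bytes vs typical {baseline:.0f}"))
    return findings


def egress_report(text):
    """Run both checks and return findings in a stable order for reporting."""
    records = parse_log(text)
    return sorted(check_policy(records) + check_volume(records),
                  key=lambda f: (f.date, f.user, f.kind))


if __name__ == "__main__":
    for f in egress_report(SAMPLE_LOG):
        print(f"{f.date} {f.user:<6} {f.kind:<17} {f.detail}")
```

The per-user baseline matters: a 350 MB transfer is unremarkable for someone who moves large files all day and highly unusual for someone who normally sends a few kilobytes of e-mail, which is why the spike test compares each user with their own history rather than with a global threshold. The user with a single day of history (carol) gets no volume verdict at all; reporting on one data point would only generate noise.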

Organisations, especially businesses, complain long and loud about the cost of implementing privacy regulation. That is the current complaint about mandatory data breach notification. There is usually very little substantiation of such an inchoate jeremiad. It is all the more galling listening to the uninformed caterwauling when the lack of awareness of the insider cybersecurity threat is so woeful. The study revealed:

We asked 80 senior managers about their awareness of insider cybersecurity threats and followed up with in-depth case studies of actual incidents. Here’s a summary of what we found:

  • Managers across all countries and most industries (banks and energy firms are the exception) are largely ignorant of insider threats.
  • They tend to view security as somebody else’s job—usually the IT department’s.
  • Few managers recognize the importance of observing unusual employee behavior—such as visiting extremist websites or starting to work at odd times of the day—to obtain advance warning of an attack.
  • Nearly two-thirds of internal and external security professionals find it difficult to persuade boards of directors of the risks entailed in neglecting the insider-threat issue.
  • Few IT groups are given guidance regarding which information assets are most critical, what level of risk is acceptable, or how much should be invested to prevent attacks.

Given the reputational consequences of a breach, as well as the potential liability, it is extraordinary how poor the protections put in place by many businesses are, especially where those protections would not involve a significant cost impost.
