Data Breaches: Pay Attention to Inside Threats, Too

As breaches continue to cause significant damage to organizations, security consciousness is shifting from traditional defenses to a holistic understanding of what is causing the damage and where organizations are exposed. Although many attacks are from an external source, attacks from within often cause the most damage. Why and how do insider attacks occur, and what are their implications?

Insiders (employees or contractors) may have unfettered access to sensitive data, as well as the means, methods and motives to access information, virtually undetected. Two broad categories of insider threat exist: the malicious and the accidental.

Malicious insiders make a conscious decision to deliberately cause harm to an organization; they are fully aware of their actions and recognize the damage or impact it can have on the organization.

In contrast, accidental insiders are targeted by the “bad guys” and manipulated into doing something that they believe to be legitimate but that in reality represents a threat to the organization. Such insiders often have no idea that what they are doing is harmful; people in this category might simply be negligent in their security practices or cause breaches through improper handling of data, systems and networks.

Although malicious or deliberate insiders will always represent a threat, negligent employees are by far the biggest threat to an organization. A 2015 survey* of businesses indicated that 52% see this as the biggest concern. These kinds of insiders include those who simply have poor security processes and those who might be unknowingly manipulated. Almost 22% considered malicious employees the threat of greatest concern, while 17% placed negligent or malicious contractors first. These numbers directly reflect an organization’s ability to detect insider threats and respond appropriately: because malicious employees cause their harm directly, they give themselves away more readily than accidental or negligent insiders do.

No matter their business, organizations must protect not only their customers’ personally identifiable information, but also confidential business information and intellectual property. Moreover, most organizations now recognize the value of protecting their reputations.

The survey found that 67% of respondents were most concerned about compromising personally identifiable information (whether customer or client), while 54% expressed concern about damage to their reputation stemming from negative publicity around a breach or leak. Another 51% noted concern over revealing confidential business information (e.g., financial information, customer lists or transaction history), and 44% were worried about losing intellectual property. Interestingly, only 21% feared a loss of competitive advantage, perhaps because the amount of information available online makes competitive analysis easier than ever.

The biggest challenge with insider threats, based on SANS training and analysis, is that organizations have not focused resources on this problem, or they simply are not prioritizing it. Accordingly, when asked what factors limit their organization’s ability to deal with insider threats, many respondents blamed multiple factors.

Although policies and procedures are important, they form the basis of a solution and are not a solution by themselves; technology must augment them. A further 28% of respondents said that preventing or deterring insider threats was not a priority for their organization. That response suggests an organizational attitude that awareness and training could address. Because corporate cultures flow from the top, it is important that the executive team understands and appreciates the damage insider threats can cause, so that this awareness can spread throughout the organization.

*Source: “Insider Threats and the Need for Fast and Directed Response.” SANS Survey; Dr. Eric Cole; April 2015. The SANS Institute is a private U.S. for-profit company that specializes in information security and cybersecurity training. It was established in 1989 as a cooperative research and education organization. Information for this article was gathered in a survey between December 2014 and January 2015; 772 people responded in full to it. The respondents represent a broad set of industries.