Insiders are one of the most dangerous threats any organization faces, because the people involved in these attacks usually already have easy access to the organization’s resources. Consider the recent $81 million heist from the Central Bank of Bangladesh: the FBI suspects that the attack was an inside job, with several people who work for the bank playing a key role in the theft. If the attack was perpetrated by insiders — such as employees at the bank or with SWIFT — it would be one of the biggest insider attacks ever conducted and would further validate the danger an insider threat poses to an organization.
However, not all insider threats have malicious intent.
One of the easiest and most harmful ways an organization is compromised through insider activity is simple human error. In April the Federal Deposit Insurance Corporation (FDIC) was the victim of a potential data breach after a former employee left the agency with a file containing personal information on 44,000 customers.
This wasn’t the first time FDIC employees had mishandled customer information. In May the FDIC’s chief information and privacy officer, Lawrence Gross, was called to testify before the House Science, Space and Technology Committee to discuss seven instances of employees accidentally downloading customer details as they were leaving the agency.
SurfWatch Labs’ Insider Threat Data
The motivation for insider data breaches varies, but company data tends to be the most affected, according to SurfWatch Labs’ data.
Legal Ramifications of Insider Theft
On May 27, 2016, the U.K.’s Information Commissioner’s Office (ICO) issued a warning to employees about taking client records to a new company. In the warning, the ICO referenced an incident involving a former waste disposal employee who took client information with him to a new job that was a rival company.
The information included client data such as contact details and purchase history. Mark Lloyd, the former employee of Acorn Waste Management, emailed the contacts list from his previous business account to his personal account. Lloyd’s actions violated the U.K.’s Data Protection Act, leading to a guilty plea from Lloyd and costing him over 700 Euros in fines.
Steve Eckersley, the head of enforcement at ICO, provided the following warning to employees about mishandling client records:
“Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave. Don’t risk a day in court by being ignorant of the law.”
Lloyd’s aim was clearly to bring new clients to a rival business, but his actions had bigger implications than simply stealing business from his previous employer. By sending these contacts to his personal email account, Lloyd compromised the personal information of those customers.
Organizations face many problems protecting data, and a malicious insider may be the biggest of those threats, because employees know proprietary information and often have legitimate access to sensitive data such as customer lists. Most employees are loyal, and though the most egregious data breaches involving malicious insiders have a tremendous impact on the victimized organization, it is the everyday errors committed by these loyal employees that leave a company most vulnerable.