We all brace for threats to our business and supply chains from out, be they acts of nature or acts of utility failures. But research shows that one of the biggest threats comes from within – the insider threat.
We previously looked at the risks around a malicious insider who intentionally seeks to do harm to a firm. But not every insider threat comes with mal intent. Sometimes accidents happen – but those can also be the hardest to prepare your systems for.
The reasons why people turn against their employers has been well studied and well documented, and there are steps firms can take to address that. But the threats no one intends often prove a lot trickier.
A recent survey of Department of Defense IT experts found
- 55 percent said accidental insider breaches are their biggest security threats
- 56 percent said accidental insider threats could cause just as much damage as malicious actions.
How Accidents Occur
Accidental insider threats tend to occur two ways – by employees unwittingly introducing a virus or malware in the system, or by releasing enough personal information into the public sphere that someone with devious intentions can take advantage of that, often without the employee knowing.
. The unwitting introductions into the system can occur in the most seemingly innocuous ways.
The rising trend of employees bringing their own devices to work — devices that may not have company-issues security measures — pose a major risk. Imagine a husband who borrows his wife’s USB drive for a quick file transfer, not realizing a virus lurks within, or someone who checks his work email on his smartphone, and then loses his phone.
Social media presents another challenge. Perhaps an intern refreshing Twitter during her lunch break clicks on a link that infects the network with spyware, or an engineer checks his personal messages quickly, and unintentionally opens a similar scam.
A media professional who writes about her work for an online publication could note her name, her city, her title, her company and a professional email or office phone number. That could be enough information for someone of nefarious intentions to seek company access by pretending to be that person, or by claiming that person gave them permission to act.
In this case, it takes an outsider to hack the security, but it’s an unintentional internal leak that provided the initial breach. With this type of threat, employees may mean no malice or even be aware of a breach, yet they allow outsiders a window into an organization’s infrastructure.
And it’s hard for even top firms to keep up with changes in technology, and in how employees employ personal tech.
The key to mitigating this kind of breach lies with educating employees on how they might unwittingly compromise company security, so they can be more aware and correct their habits, as well as tightening internal systems to lessen the potential for problems.
We’ll offer some solutions in our next post.
Stay tuned: Part III will provide mitigation strategies for both kinds of threats.
Click here if you missed Part I.