At a time when organisations worry about cyber-security threats from hackers, criminals, competitors and foreign governments, many fail to properly recognise the operational and reputational risk from insider security breaches.
This was highlighted last month when a disgruntled 26-year-old IT engineer appeared in court in Melbourne after he hacked into his employer’s mainframe computer because he felt he was ‘under appreciated.’ His defence claimed he planned to appear a ‘hero’ by demonstrating his skills in restoring the system. But the Magistrate didn’t see it like that and denounced his “pernicious, vile and vicious” act.
Similarly, last year the UK supermarket group Wm Morrison had payroll information and bank account numbers of 100,000 staff stolen by an employee and posted online. In that case the reputational damage for Morrison’s was further compounded by the fact that just weeks earlier the Bradford-based company’s former Group Treasurer was charged with two counts of insider dealing after trading in shares of an associated company before a major announcement.
Despite the current rash of headline-grabbing major data breaches by activists and criminals – think no further than the hack attack on Sony – assaults by insiders are far more prevalent. The latest PwC cybercrime survey of security, IT and business executives shows that total security incidents detected by respondents increased 48% year on year, with those caused by current or former employees being by far the largest category. The report found that the percentage of respondents who point the finger at current employees rose by 10%, and almost one third of respondents said insider crimes were more costly and more damaging than those perpetrated by outsiders.
When it comes to damage, it’s easy to forget that two of the highest profile cyber-breaches in recent years were committed by insiders. Private Bradley Manning walked off-base with classified military information and gave it to WikiLeaks, and Edward Snowden stole and released a large volume of sensitive files while working for a contractor to the US intelligence community. Yet amid all the resulting panic over issues of national, political and military security, both these notorious cases were at bottom insider breaches by trusted personnel who misused access they had legitimately been granted, albeit that they caused massive damage.
And it’s this fear of exposure to potential damage which helps ensure the full extent of insider attacks is largely hidden from public view. In fact, 75% of the respondents in the PwC cybercrime survey said they did not involve law enforcement or bring legal charges in compromises committed by insiders.
The desire to avoid embarrassment and adverse publicity is understandable, yet organisations remain highly vulnerable. The PwC report found that less than half of respondents (49%) had a cross-organisation team which regularly convenes to discuss, coordinate and communicate about issues involving information security.
With insider cyber-attacks on the rise, the risk of reputational damage or an operational crisis is very real, and this threat demands a much higher level of management commitment and communication planning.