Leakage of confidential company data is not always the result of malicious intent. So vigilance is critical and every possible step must be taken to protect this information.
Keep tight control on the flow to stop leaks
Mike Quinn, a vice president at the US-based telecoms networking giant Cisco, has vowed to hunt down an anonymous staff member who leaked confidential emails.
Mr Quinn has seven years with the US Central Intelligence Agency. This has not, however, deterred the insider from promptly leaking the internal email in which Mr Quinn vowed to track them down.
The incident underlines the growing threat organisations now face from their own staff, who may maliciously or accidentally be leaking business-critical information over the internet.
"Insiders are clearly a threat to organisations. Many firms are so hyper-focused on protecting the perimeter they fail to consider the insider threat," says Rick Holland, a senior analyst at the international research firm Forrester.
"In about half of the cases that Kroll sees, there is an insider involved," according to Alan Brill, the senior managing director of security firm Kroll Advisory Solutions.
"Whether the insider is motivated by money - criminals will pay large amounts for access to the 'right' data - revenge for some real or imagined issue that the employee has with the company or for no discernible reason at all, insiders are often involved in the leakage of data," he adds.
But malevolent insiders represent only a small part of the growing cyber security risk now faced by organisations of all sizes.
"Firms really need to focus on the "accidental insider," the well-meaning employee that is just trying to do their day-to-day job but somehow unknowingly violates a security policy," says Mr Holland. "Many times accidental insiders don't understand the implications of what they have done."
He quotes the example of an employee who wants to be productive and work from home and uploads confidential data to a remote data storage service such as Dropbox to meet a deadline, thus exposing the data to potential hackers.
Mr Holland also adds that potential "insiders" are not limited to regular employees. Those who have more access to sensitive information than the general public also include contractors, temporary employees and former and retired staff.
According to Kroll, malicious intent is not the chief cause of the majority of insider breaches. More than 85 per cent of internal breaches are the result of negligence, such as improper disposal of data or lost laptops. Of the insider breaches that are publicly reported, those executed with malicious intent comprise only 15 per cent.
A survey of IT practitioners by the research organisation the Ponemon Institute found that third-party mistakes also account for 32 per cent of data breach incidents experienced in the past two years.
In the case of guarding against inadvertent security breaches, the advice from companies such as Kroll is comparatively straightforward.
For example, organisations should ensure third parties follow the same data security standards they have and must look beyond the contract details to ensure they are actually following up on required data security steps. According to Kroll, it is also essential to make sure that a thorough and professional background check is run on employees who may have access to sensitive information in the future. Kroll estimates that, in some cases, more than 50 per cent of applicants have one or more lies on their applications.
This caution must also be applied stringently to third parties who may sometimes have access to important data. "Some of our clients, working with legal counsel, have developed forms of nondisclosure agreements which are worded for temporary or contract personnel," says Mr Brill. "If you have or can create such documents, they can be an important tool in protecting your intellectual property."
Another essential tool is to provide an easy way for employees to report a potential problem. For example, if someone sees a co-worker apparently printing out sensitive information and placing it in a briefcase or downloading data on to a memory stick and putting in their overcoat, they may not wish to confront the individual concerned. But if they are provided with a hotline to report the incident, it may enable the organisation to identify a problem and take the appropriate action.
With the increasing use of email and electronic file transfers, an important line of defence involves the use of technology often referred to as data leakage protection (DLP) systems. These have the capability of looking at all data leading an organisation and going out over the internet. A well-implemented data leakage protection programme not only warns of a potential incident, but can also prevent the incident from occurring.
"From a detection perspective, tools like DLP are useful in detecting and blocking insider threats," says Mr Holland. "You can also use DLP to inform employees of violations so that behaviour can start to change."
In an increasingly digital age, organisations of all sizes are now in a race to protect their most sensitive information. Whether a cyber security breach is accidental or malicious, it can still have financially devastating consequences as a result of business-critical information going to competitors or disgruntled clients leaving after seeing their confidential data compromised.