Insiders and How they put your Organization at Risk


According to a summary by Gartner’s Anton Chuvakin of Verizon’s Data Breach Investigations Report for 2015, “Reported insider abuse features in 20.6% of all reported security incidents and 10.6% of confirmed data breach insiders.” Mr. Chuvakin goes on to observe that “not surprising: insider threat still doesn’t matter much to most – and based on this data, it really should not.”

This statement gives the impression that the risk associated with insiders isn’t significant. When we dig into the Verizon report we see these stats specifically relate to “insider misuse,” which they define as “those in whom an organization has already placed trust—they are inside the perimeter defenses and given access to sensitive and valuable data, with the expectation that they will use it only for the intended purpose.”

However, this definition of insider misuse still lacks detail. To understand the full extent of the risks posed, we need to look at the different types of insiders and the different types of threats they present, which is what we will do in this series of posts.

Once these threats are understood, it becomes clear that insiders are the biggest risk to your organization’s data and the weakest link in the enterprise security posture. Consequently, Mr. Chuvakin’s observation that “insider threats still don’t matter much” seems to miss the mark.

In this first post we’ll discuss careless insiders.

Careless Insiders

Careless insiders are employees of your organization who, for typically non-malicious reasons, put your company’s sensitive data at risk. For example, let’s say your organization is publicly traded, and a member of your accounting team is leaving on vacation. They have a backlog of tasks they need to complete, and they want to dedicate some vacation time to finishing them. They copy some Excel files containing the previous quarter’s sales numbers to Dropbox so that they’ll have access to these files while away.

The files contain a detailed list of new and existing customers, the products they purchased, the cost of those products, customer payment information, competitive information if available (a competitor’s product they’re replacing) and the purchaser’s contact details including names, email addresses and phone numbers with extensions.

In 2015, Imperva discovered Man-in-the-Cloud (MITC) attacks that enable hackers to easily exploit a vulnerability in cloud app file synchronization services such as Google Drive, Box, and Dropbox to share the victim’s account by overwriting the synchronization token.

So in our scenario, a hacker uses this attack method to gain access to the accountant’s Dropbox account, where they get hold of valuable competitive information. Furthermore, our hacker leaks this information, which includes sales numbers significantly below analyst consensus, leading to a crash in your company’s stock price, an increase in the company’s borrowing costs as a result of the drop, and issues with regulators.

So our careless employee, by using a cloud app for storing their files, has potentially caused significant damage to your organization on a number of fronts.

In our next post, we’ll examine compromised insiders.