You’ve shored up your cloud security defenses with round-the-clock monitoring, IPS/IDS, all the latest patches (even for Spectre and Meltdown). You feel pretty secure.
But what about your employees? Especially those outside of the IT department? Have they been trained in security measures beyond how to create a strong password?
A holistic approach to security goes beyond the usual attack vectors. You might actually be less likely to suffer a breach from an external hack coming via OS or network vulnerabilities. In fact, insider threats, whether intentionally malicious or simply due to lack of training and awareness, make up a significant portion of security breaches.
Here are the departments most likely to cause an internal breach, why insider threats are so serious, and how you can help mitigate them.
Yep, you really do. Maybe not afraid per se, but aware and actively working towards stronger security mindedness with the entire organization and not just IT.
There are two broad strokes of internal threats when it comes to cybersecurity: intentional and unintentional. In the latter category you have your run-of-the-mill phishing, social engineering, malware, and ransomware attacks. When a user isn’t well trained against these, they are much more likely to fall for them.
The other side of the spectrum is much harder to preempt. An employee with access to sensitive information who wishes to steal that information or otherwise hurt the organization is both difficult to detect and hard to stop, especially if they have given no indication of unhappiness.
One prominent example was a lawsuit filed last year by Alphabet, Google’s parent company, against an engineer who allegedly stole 14,000 files before leaving to join Uber. While this is still being sorted out in the courts, it’s a very real threat facing many other companies. Who has access to your information? Are you tracking and logging that access?
A report from Tripwire found that 74% of companies believed they were vulnerable to insider threats, with an estimated remediation cost of an attack sitting between $100,000 and $1 million or more.
These types of threats, unlike a sudden bout of malware or ransomware (which could be solved with a smart DR, backup, or AV strategy), can go undetected for long periods of time, especially because they are often carried out by employees who are going through what appears to be regular work behavior.
Whether the inside attack is intentional or not, there are a few hot spots in your organization that merit special attention. These are the most likely departments to cause a security breach:
The C-Suite: High-level executives often have access to the most valuable information, and they may also have the most to gain if they take it to a new post or sell it to outside parties. On the unintentional side, they often work remotely and lack vital security training. Because they hold a privileged status, they may receive special treatment and not face the same requirements for passwords or secure access as lower-level employees.
Finance: Similarly to the C-Suite, finance departments often lack cybersecurity training. They are a popular target for attackers because they deal with sensitive financial information and have access to bank accounts.
IT and related: Naturally, the IT department and associated groups like development, cloud services, etc. also wield great power when it comes to access and control of sensitive information. They have intimate knowledge of the data storage and IT security protocols in your organization. No department is completely immune from external threats — and IT is probably the most likely to be the ones to walk away with your data.
Within these departments and throughout your organization, there are also specific subgroups that should be watched closely, namely: users with access to the most sensitive and secure systems; third parties such as remote workers, contractors, and partners; and recently terminated employees. Be sure to closely monitor their access, and change passwords and disable accounts as soon as practical.
Mistakes happen and data breaches occur even to prepared organizations. That’s part of what makes insider attacks so scary: why would an employee ruin what seems to be a good situation?
Simple opportunity and monetary gain can be a powerful motivator. This is often a spontaneous decision: “Wait, I can make how much if I steal this info for you?” Sometimes it is planned out in advance in coordination with a corporate competitor. There may be a personal aspect, like taking revenge on a perceived slight from a manager or being overlooked for a raise or promotion. And some employees may wish to make a statement or act out politically against your organization by leaking information.
At some level, insider attacks are nearly impossible to predict or stop, especially when dealing with a tech-savvy IT staffer who can cover their tracks and knows your security measures. Some common-sense procedures are the best way to stop this problem before it ever begins.
Be sure to complete background checks for all of your employees to help catch any obvious bad apples. Keep a close eye on employee activity and behavior as they carry out their daily tasks. Try to maintain strong positive morale and run a tight ship. If you hear grumbling, talk to your staff and learn what might be making them unhappy.
If a single employee suddenly changes their behavior by staying very late, working from home much more often, or trying to access areas they previously haven’t, it could be worth investigating. Monitor anyone who accesses, moves, or deletes large quantities of sensitive data.
This is a double-edged sword, though. You don’t want to alienate employees by being too nosy, either.
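The behavioral signals described above (bulk access to sensitive data, activity at unusual hours, and access to areas an employee has never touched before) can be turned into simple detection logic run over access logs. The following is an added example, not code from the original article: it builds a per-user baseline of the directories each user normally touches from a prior log window, then flags users in the current window who cross a volume threshold, act on sensitive data outside working hours, or enter an area missing from their baseline. The log format, the `sensitive`/`internal` labels, the thresholds, and all log lines are constructed assumptions for illustration.

```python
"""Flag insider-risk signals in a constructed audit log (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real audit records.
# Each line: ISO timestamp, user, action, resource path, bytes, sensitivity label.
BASELINE_LOG = [
    "2018-02-05T10:05:00 alice read finance/q4-report.xlsx 20480 sensitive",
    "2018-02-06T14:30:00 alice read finance/budget.xlsx 10240 sensitive",
    "2018-02-07T11:00:00 bob read eng/design.md 4096 internal",
    "2018-02-08T16:45:00 bob read eng/roadmap.md 8192 internal",
    "2018-02-09T09:20:00 carol read hr/handbook.pdf 512000 internal",
]

CURRENT_LOG = [
    "2018-03-05T09:12:00 alice read finance/q1-forecast.xlsx 20480 sensitive",
    "2018-03-05T23:40:00 bob copy finance/customer-list.csv 52428800 sensitive",
    "2018-03-05T23:41:00 bob copy finance/pricing.xlsx 31457280 sensitive",
    "2018-03-05T23:42:00 bob copy finance/contracts.zip 94371840 sensitive",
    "2018-03-06T10:00:00 carol delete hr/handbook.pdf 512000 internal",
    "2018-03-06T10:30:00 carol read hr/handbook-v2.pdf 524288 internal",
]


def parse_line(line):
    """Split one whitespace-separated audit line into a dict of typed fields."""
    ts, user, action, resource, size, label = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "resource": resource,
        "bytes": int(size),
        "label": label,
    }


def build_baseline(lines):
    """Map each user to the set of top-level areas (first path component) they touched."""
    areas = defaultdict(set)
    for ev in map(parse_line, lines):
        areas[ev["user"]].add(ev["resource"].split("/", 1)[0])
    return dict(areas)


def detect_insider_signals(lines, baseline, bulk_bytes=100 * 1024 * 1024,
                           bulk_count=3, work_hours=(8, 19)):
    """Return (user, signal, detail) tuples for users whose current activity
    exceeds a sensitive-data volume threshold, touches sensitive data outside
    work_hours, or reaches an area absent from that user's baseline."""
    per_user = defaultdict(list)
    for ev in map(parse_line, lines):
        per_user[ev["user"]].append(ev)

    start, end = work_hours
    findings = []
    for user, evs in sorted(per_user.items()):
        # Only read/copy/delete of labelled-sensitive objects count toward volume.
        sensitive = [e for e in evs
                     if e["label"] == "sensitive"
                     and e["action"] in ("read", "copy", "delete")]
        total = sum(e["bytes"] for e in sensitive)
        if total >= bulk_bytes or len(sensitive) >= bulk_count:
            findings.append((user, "bulk-sensitive",
                             f"{len(sensitive)} sensitive objects, {total} bytes"))

        off_hours = [e for e in sensitive if not (start <= e["ts"].hour < end)]
        if off_hours:
            findings.append((user, "off-hours-sensitive",
                             f"{len(off_hours)} sensitive actions outside "
                             f"{start:02d}:00-{end:02d}:00"))

        touched = {e["resource"].split("/", 1)[0] for e in evs}
        new_areas = touched - baseline.get(user, set())
        if new_areas:
            findings.append((user, "new-area",
                             "first access to " + ", ".join(sorted(new_areas))))
    return findings


if __name__ == "__main__":
    for user, signal, detail in detect_insider_signals(CURRENT_LOG,
                                                       build_baseline(BASELINE_LOG)):
        print(f"{user}: {signal} ({detail})")
```

On the constructed data only `bob` is flagged, on all three signals at once: three sensitive files totalling roughly 170 MiB copied around midnight from a `finance/` area that never appears in his baseline. `alice` reads a single sensitive file from her usual area during the day, and `carol` deletes one internal document she had accessed before, so neither produces a finding. Thresholds and work hours are parameters precisely because the right values depend on the team; tuning them, and reviewing hits with a human rather than acting on them automatically, is what keeps this kind of monitoring from becoming the nosiness the article warns about.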
Focus on infosec training for every single employee. Start a company-wide, mandatory training program and use regular refreshers. Maintain a strong password policy and two-factor authentication. Limit access to your most sensitive systems and data to a few privileged and trusted employees. Use mock phishing, honeypots, and other simulated attacks to discover who might be a security risk. Don’t shame them, but use the situation as a teaching example for your next refresher.
No security effort is complete without considering inside threats, both malicious and unintentional. By laying a strong security foundation with regular updates, training, and monitoring, you can possibly avoid the loss of data or destruction of internal systems by a clueless or angry employee.