According to the 2018 Netwrix IT Risks Report, IT pros' expectations about the most dangerous security risks and threat actors do not match reality. While respondents claimed that hackers pose the biggest risk to data security, when we asked about the root cause of incidents their companies had actually experienced, they primarily cited insiders — regular business users (named by 51% of respondents), IT team members (35%) and departing employees (32%). Hackers were blamed by just 32% of respondents. While these findings differ somewhat from those of the 2018 Verizon Data Breach Investigation Report (DBIR), which found that 28% of attacks involve insiders, one thing is clear: Ignore the insider threat at your own peril.
Which patterns are the most frequent?
One of the top factors behind data breaches caused by insiders, according to both the Netwrix study and the DBIR, is human errors. One example is the case of the U.S. Federal Deposit Insurance Corporation (FDIC). In 2016, a departing FDIC employee downloaded personal files from her work computer to a USB drive and took it home. Later, the FDIC’s data protection software detected that she had accidentally taken 44,000 customer records along with her personal data. In this case, the information was apparently never misused and the FDIC reported the incident as required. However, the FDIC then admitted that it had experienced at least five similar security incidents in the past that were not properly handled, which led to serious consequences, including a series of hearings and fines from regulatory bodies.
Another common way employees cause breaches is by opening phishing emails and clicking on malicious links, which enables hackers to gain access to sensitive data. In November 2018, Health First, Inc., a Florida-based healthcare provider, notified 42,000 patients that their personal data might have been compromised after several employees fell victim to phishing attacks between February and May 2018. Health First offered to pay for 12 months of identity theft monitoring and identity repair for those patients, but was criticized for failing to spot the breach sooner and for not reporting it to the Department of Health and Human Services (HHS) until 5 months after its discovery. Several other U.S. healthcare organizations also fell victim to phishing attacks in 2018, including Catawba Valley Medical Center in North Carolina and Gold Coast Health Plan in California.
Poor password practices (e.g., password sharing and password re-use)
When employees share their passwords in messaging applications, write them on a sticky note, use the same password on different websites or pick very simple passwords, there’s a greater chance that their credentials will be compromised, which puts the company’s data in danger. In November 2018, Dunkin’ Donuts notified some members of its loyalty program, DD Perks, that their personal information might have been stolen by hackers. According to the company’s statement, Dunkin’s security vendor notified them that a third party might have tried to gain access to users’ first and last names, email addresses, 16-digit DD Perks account numbers and DD Perks QR codes. Although the security vendor successfully stopped most of the access attempts, there is still a chance that some accounts were compromised. The company believes that hackers performed a credential stuffing attack: they used credentials leaked in other breaches to break into various online accounts across the internet, including DD Perks accounts. Bad news for customers who re-used their DD Perks username and password on other websites!
What makes us vulnerable to data breaches?
Why are organizations laser-focused on defending against hackers but failing to tackle insider threats? I would say it’s because they lack true visibility into what’s going on with their IT infrastructure. The Netwrix survey showed that 43% of organizations do not know how their employees deal with sensitive data, so it’s no wonder that they are at a loss for how to manage the risk that insiders pose.
More broadly, the survey shows that organizations are failing to attend to security basics. Only 20% of respondents classify their data and regularly purge unnecessary files. Less than 25% of respondents perform regular vulnerability assessments and check whether any sensitive data is available to everyone. As a result, they are more vulnerable to mistakes, phishing attacks, poor password practices and other factors that lead to data breaches.
What can we do to mitigate the risk?
Mitigating the risk of data breaches caused by employees involves a wide range of measures, but here is a high-level overview of some of the most critical steps. First, pay more attention to what data you store: Reorganize your files, get rid of everything stale and unnecessary, classify your data and protect what matters most. Second, make sure your employees are familiar with cybersecurity do’s and don’ts, and monitor and log their activity. Third, make a viable incident response plan and make sure everyone is familiar with it. Unfortunately, only 17% of our respondents take this seriously by getting a plan approved, providing training for employees and conducting test runs. More often, they merely have a draft (26%) or have reviewed it once and put it on a file share (19%).
Clearly, organizations have a lot of work to do to minimize the risk of data breaches. Fortunately, more of them are ready to take measures to secure their data. The Netwrix study found that organizations consider protection and detection the most important cybersecurity areas, and are ready to commit to success and allocate budget: respondents report that their cybersecurity investments have already grown by 117% and they expect them to increase by 143% over the next 5 years.
Ilia Sotnikov is vice president of product management for Netwrix, a provider of information security and governance software.