There are numerous reports of security incidents resulting from employees making mistakes or maliciously seeking revenge. Security professionals are also surely aware of many other internal security breaches that never become public knowledge. What is true is insider threats are real and cannot be ignored. The challenge is how do you mitigate the risk?
State of the art perimeter firewalls, IDS and IPS systems do not address the internal threat. We have all heard of the egg analogy; a hard shell with a soft centre.
Serious Data Breach
Earlier this year an employee of a UK supermarket chain was arrested by police in connection with a data breach that resulted in the payroll details of 100,000 employees being leaked to a website and a national newspaper. Data including names, addresses and bank account details of the supermarkets employees were uploaded onto a website. The information was also sent on a CD to the Daily Mirror.
What is interesting about this incident is that the information was sent to the press with no obvious personal financial gain to the employee. Could this be another example of an employee growing frustrated with the lack of security in systems and trying to demonstrate how easy it is for the information to be stolen? It would not be the first time this has happened in the UK. In 2001 a financial institution was blackmailed by an employee. The employee threatened to publish a vulnerability of their payment network unless they and a number of other employees (who were all innocent) were recognised as being key to the business and were rewarded for the work they performed by keeping systems operational. The employee was arrested and charged. However, the case was subsequently thrown out by the court. The judge ruled that whilst the employee’s actions in attempting to get the financial institution to recognise its vulnerability was foolish, it was also well intentioned.
Only time will tell if the supermarket case is another example of a well intentioned misjudgment by an employee attempting to act for the greater good of their employer.
As a footnote an insider threat report came to the conclusion that only 10% of companies polled believed they were safe from the insider threat.
Other articles in the July Bridewell of Knowledge
Read the full Bridewell of knowledge July 2014