Although the law typically avoids applying moral disapprobation to non-criminal acts, breach of trust is an exception. In corporate, fiduciary, and even contract law, violating a trust results in extra penalties, whether in the form of lower standards of proof or higher potential damages. It is an intuitive reaction – a mere breach of contract could be a good business decision, and the law doesn’t disapprove of sound economic choices, as long as certain norms are obeyed. But deception adds a layer of misconduct that strikes at the core of commerce – that one can rely on employees and colleagues.
The Cost of Insider Data Breaches
Unfortunately, recent studies demonstrate that such reliance can be misplaced. The 2015 Ponemon Institute Research Report provides data showing that in the last four years, more than a third of businesses in the United States experienced a data breach committed by “malicious insiders,” or individuals who had access to company data and devices. These attacks are the most expensive type of data breach, averaging more than $140,000 per breach. Because these attacks are carried out, by definition, by insiders, the initial hurdle of gaining access to servers or devices is removed, greatly expanding the amount of information to which the attacker has access. And, as explained in previous posts, the lax security measures in place at many businesses mean that a motivated (or disgruntled) employee can reach material far more sensitive than what an ordinary “brute force” attacker could.
The consequences of a malicious insider attack can be severe, and go beyond the mere loss of client lists, damaging though that may be. For instance, IT employees have access to virtually all facets of the data streams at their place of business, and that information can be easily sold if countermeasures are inadequate. Similarly, an employee can “lose” a device that makes its way to a competitor, and perhaps avoid detection or liability entirely, because the loss appears inadvertent. Indeed, given that 45% of businesses face data breaches due to lost devices, there is ample opportunity to stage the loss of a phone or computer (unlocked, of course) for a competitor’s benefit. The FBI reports that malicious insider cybercrime attacks are undergoing a sharp rise in frequency, and has dedicated substantial resources to detecting and curbing this threat to businesses and national security alike.
The ubiquity of restrictive covenants demonstrates that businesses already understand the nature, if not the scope, of the risk that disloyal employees pose. It is standard for businesses hiring new employees to require them to sign on to non-compete/non-disclosure agreements. One study determined that across all industries, at minimum, “one in four workers have ever signed a non-compete, and 12.3% are currently working under one. Of those with college education or above, one in five is currently subject to a non-compete agreement. The occupations in which non-competes appear most frequently are engineering (30%) and computer and mathematical occupations.”
This is good practice and good sense. Yet more is needed to ensure data integrity and reduce the damaging consequences of a breach. Cyber insurance is one meaningful way to mitigate the effects of lost data, and more companies are purchasing policies that cover losses caused by malicious insider attacks. However, if prevention is the goal, then dedicated policies that address common vulnerabilities must be a priority.
Creating Barriers to Entry
Prevention, of course, is easy to seek and difficult to obtain. As conversations with infosec experts make clear, there is no way to guarantee against a malicious insider who takes advantage of their access to sensitive materials. For this reason, it makes sense to create barriers to entry that will a) limit the number of individuals with access to confidential or trade secret information, and b) make identifying the source of a breach (and whether it was malicious) a simpler task. Some preliminary steps might be to:
- Require routine password changes on all company hardware, including loaned devices and mobile phones. Using distinct passwords for different devices makes sense as well - the fewer devices a rogue employee is able to compromise with a single credential, the better. Strict penalties for lost devices can also deter theft or carelessness.
- Establish robust check-in and check-out procedures for use of hardware. If you intend to loan a laptop to an employee, make sure that the time frame and purpose for the loan are logged. Restrict the ability to clear browsing and cookie data as well, to make a "wipe" much more difficult to accomplish.
- Create data security tiers, and closely monitor who has access to which information. There is a growing trend, begun in the name of efficiency, of granting many employees the ability to access data that far exceeds the need. Entry-level employees don't typically need access to customer lists or sensitive financial data, and so their ability to access such information should be restricted. Similarly, access to files containing sensitive data can, and should, be logged.
- Develop stronger non-disclosure and non-competition provisions in employment contracts. Although restrictive covenants can be tricky to enforce, a well-drafted employment contract can make clear the need to protect sensitive business information, preclude pre-termination solicitation of clients or employees, and give an aggrieved employer the right to sue for injunctive relief and damages. By recognizing the risks of a malicious insider attack before it happens, these provisions can be an essential tool in limiting potential damages after the fact.
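The data security tiers and access logging described in the third step above can be expressed directly in code. The following is an added example written for this post, not code from the original article or from any product it mentions: it defines ordered classification tiers, grants each user a clearance, denies any read above that clearance, and records every request (allowed or denied) in an audit trail that can later answer "who touched this file" and "who keeps trying to read what they are not cleared for". The users, file names and tier assignments are constructed sample data, and unknown users and unclassified files are deliberately treated as the least trusted case.

```python
"""Tiered data access with an audit trail (added example, not from the original post)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum
from typing import Dict, List


class Tier(IntEnum):
    """Ordered classification levels; a higher number is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # e.g. customer lists
    RESTRICTED = 3     # e.g. sensitive financial data


@dataclass
class AuditRecord:
    timestamp: str
    user: str
    resource: str
    resource_tier: Tier
    user_tier: Tier
    allowed: bool


@dataclass
class AccessControl:
    clearances: Dict[str, Tier]        # which tier each user is cleared for
    classifications: Dict[str, Tier]   # how each resource is classified
    audit_log: List[AuditRecord] = field(default_factory=list)

    def request(self, user: str, resource: str) -> bool:
        """Allow the read only if the user's clearance covers the resource's tier.
        Every request, allowed or denied, is appended to the audit log."""
        # Fail closed: unknown users get the lowest clearance, unclassified data the highest tier.
        user_tier = self.clearances.get(user, Tier.PUBLIC)
        resource_tier = self.classifications.get(resource, Tier.RESTRICTED)
        allowed = user_tier >= resource_tier
        self.audit_log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, resource=resource,
            resource_tier=resource_tier, user_tier=user_tier, allowed=allowed))
        return allowed

    def denied_by_user(self) -> Dict[str, int]:
        """Count denied requests per user; repeated attempts above clearance deserve review."""
        counts: Dict[str, int] = {}
        for rec in self.audit_log:
            if not rec.allowed:
                counts[rec.user] = counts.get(rec.user, 0) + 1
        return counts

    def sensitive_reads(self, minimum: Tier = Tier.CONFIDENTIAL) -> List[AuditRecord]:
        """Successful reads at or above `minimum`: the trail that answers 'who touched this file'."""
        return [r for r in self.audit_log if r.allowed and r.resource_tier >= minimum]


def build_demo() -> AccessControl:
    """Constructed users and files for the example (hypothetical, not real data)."""
    return AccessControl(
        clearances={
            "intern": Tier.INTERNAL,
            "sales_manager": Tier.CONFIDENTIAL,
            "cfo": Tier.RESTRICTED,
        },
        classifications={
            "handbook.pdf": Tier.PUBLIC,
            "customer_list.csv": Tier.CONFIDENTIAL,
            "q3_financials.xlsx": Tier.RESTRICTED,
        },
    )


def run_demo() -> AccessControl:
    """Replay a constructed sequence of access requests and return the populated log."""
    ac = build_demo()
    ac.request("intern", "handbook.pdf")                # allowed
    ac.request("intern", "customer_list.csv")           # denied: above clearance
    ac.request("intern", "q3_financials.xlsx")          # denied: above clearance
    ac.request("sales_manager", "customer_list.csv")    # allowed
    ac.request("sales_manager", "q3_financials.xlsx")   # denied: above clearance
    ac.request("cfo", "q3_financials.xlsx")             # allowed
    ac.request("contractor", "handbook.pdf")            # unknown user defaults to PUBLIC: allowed
    ac.request("contractor", "notes.txt")               # unclassified file defaults to RESTRICTED: denied
    return ac


if __name__ == "__main__":
    log = run_demo()
    for user, n in log.denied_by_user().items():
        print(f"{user}: {n} denied request(s)")
    for rec in log.sensitive_reads():
        print(f"{rec.timestamp} {rec.user} read {rec.resource} ({rec.resource_tier.name})")
```

Two design choices matter here. First, the check fails closed: a user or file that nobody has classified is not a gap in the policy but the most restrictive case, which is the opposite of the "grant everyone access for efficiency" trend the post describes. Second, denials are logged as carefully as successes, because a pattern of denied requests above clearance is often the earliest signal that an insider is probing for what they are not supposed to see.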
Obviously, no list could be comprehensive enough to mitigate all the consequences of malicious insider attacks. But a #datasmart company understands the benefits of protecting its interests where it can, and thinks about security with foresight, rather than hindsight.