Although most companies take measures to defend against external cyberattacks, threats from within are often overlooked. Find out how to defend your business against insider threats.
In June 2018, a disgruntled Tesla employee hacked one of the company’s systems and sent highly sensitive data to unknown third parties, according to an email sent by Tesla CEO Elon Musk. The employee was upset because he did not receive a promotion.
This is not an isolated case. Having someone on the inside perpetrate a data breach is more common than you might think. A 2017 McAfee study found that 22% of data breaches were intentionally caused by malicious insiders, including current and former employees, contractors, and third-party suppliers. Most often they stole customer data, employee information, and intellectual property.
Thus, it is important to protect your business data from malicious insider threats. To do so, it helps to know about the common elements in these types of attacks.
The Common Elements
Three elements are typically present in malicious attacks perpetrated by insiders:
These three elements are collectively known as the Fraud Triangle. Being aware of this triangle can help businesses defend against malicious insider threats. However, there is little companies can do to identify and alleviate employees’ personal pressures, such as having large medical bills or a gambling habit. Fortunately, insider attacks usually involve all three elements, so companies can concentrate on mitigating rationalizations and minimizing opportunities instead.
Malicious insiders often rationalize their actions by convincing themselves they are righting a wrong. For example, a disgruntled employee who feels he has been unfairly passed over for a promotion might believe that stealing data is the best way to right that wrong.
Letting employees express their frustrations and concerns through feedback forms and anonymous surveys can help mitigate insider threats spurred by disgruntlement. For this to work, though, you have to address their frustrations and concerns in an open and honest manner. Employees need to feel confident that they won’t be penalized for asking why they did not get a promotion or why they did not get a bonus or raise when others did.
You can also mitigate rationalization by regularly interacting with employees. For instance, you might hold company-sponsored events such as picnics or simply walk around the workplace, talking with employees. They will be less likely to attack the company out of spite or anger if you have a genuinely warm attitude toward them.
Companies have the most control over addressing the opportunity element. To minimize the opportunities for insider attacks in your business, you might consider implementing the following measures:
If you are not sure whether your business is doing all it can to minimize the opportunities for insider attacks, contact us. We can assess your systems and make sure the necessary measures are in place.