Among 874 data breach incidents, as reported by companies to the Ponemon Institute for its 2016 Cost of Data Breach Study, 568 were caused by employee or contractor negligence; 85 by outsiders using stolen credentials; and 191 by malicious employees and criminals.
Who Is the Negligent Insider?
Can you identify the negligent insider in the following scenarios?
- A system administrator, upon receiving notice of his layoff, deleted data from corporate databases and servers.
- A manager, responding to an email that appeared to be a request from his CEO requesting the manager’s password to a cloud-based data repository, forwarded his password.
- A member of an organization’s outsourced janitorial staff was solicited to steal sensitive information in return for money.
If you selected the manager, you are correct.
Insider threats come in three varieties: those with malicious intent, those who are bribed or blackmailed, and those who are negligent. This last category includes those who fall prey to phishing e-mails out of ignorance.
Characteristics of a Phishing Email
A phishing e-mail attempts to obtain information such as passwords, credit card numbers, social security numbers, and similar data, ultimately in order to make money. These emails may appear to be from a known and trusted source but are really just bait to lure a negligent insider to a website where the sensitive information is collected.
Get an in-depth look at a suspicious email in 6 ways to identify a phishing email.
Hallmarks of a phishing email include generic greetings, requests for urgent action such as payment of an invoice, hyperlinks that don’t match the sender organization, and requests for personal information.
In our example above, the manager was duped into believing the e-mail originated from his CEO and, like most responsive employees, did not hesitate to comply with the request.
How to Protect Against the Negligent Insider
To protect against a negligent insider, here are two key strategies:
Educate. Begin with comprehensive cyber security training during employee onboarding, and then conduct regular updates to inform employees about the latest scams. Consider using simulated phishing attacks to help employees recognize scams and allow for follow-up remediation with those insiders who ‘took the bait’.
Stu Sjouwerman, CEO of KnowBe4, says “The number one attack vector is e-mail, so all users need to be trained to not click on links in emails, and never open an attachment they did not ask for or did not expect without verification.”
In the case of our negligent manager, education would have helped to prevent this lapse. Proper password protection – including never sharing passwords with others and never transmitting passwords via e-mail – is a critical lesson in security education.
Monitor. Actively monitor the e-mails going into and out of your organization. E-mail monitoring software allows you to:
- Analyze incoming email for known malicious links or e-mail attachments
- Configure rules to alert or block e-mails
- Monitor both business and personal email providers
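The hallmarks listed above and the alert/block rules just described can be turned into a simple mail filter. The following is an added example, not code from the original article or from any product it mentions; the keyword lists, the "three hallmarks means block" threshold and the two sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Keyword patterns for the hallmarks the article lists; the word lists are assumptions, tune them for your organization.
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member)\b", re.I)
URGENT_ACTION = re.compile(r"\b(urgent|immediately|within 24 hours|overdue invoice|account suspended)\b", re.I)
PERSONAL_INFO = re.compile(r"\b(password|social security|credit card|ssn)\b", re.I)
HTML_LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"', re.I)

def _text_of(msg):
    """Subject plus the decoded text of every text/* part (walk() yields the message itself when single-part)."""
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    body = [(p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace") for p in parts]
    return "\n".join([msg.get("Subject", "")] + body)

def hallmarks(raw_email):
    """Return the phishing hallmarks found in one RFC 822 message, as a list of tags."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = _text_of(msg)
    checks = (("generic_greeting", GENERIC_GREETING), ("urgent_action", URGENT_ACTION),
              ("requests_personal_info", PERSONAL_INFO))
    flags = [tag for tag, pattern in checks if pattern.search(text)]
    for href in HTML_LINK.findall(text):
        host = (urlparse(href).hostname or "").lower()
        # A link host outside the sender's domain is the "hyperlink doesn't match the sender" hallmark.
        if host != sender_domain and not host.endswith("." + sender_domain):
            flags.append("link_domain_mismatch:" + host)
            break
    return flags

def verdict(flags):
    """Alert/block rule of the kind the article's monitoring software configures; thresholds are assumptions."""
    return "block" if len(flags) >= 3 else ("alert" if flags else "pass")

# Constructed sample messages (not real mail): a look-alike "CEO" request and a benign notice.
PHISH = """From: "CEO Jane Doe" <ceo@examp1e-corp.test>
Subject: Urgent: cloud repository access
Content-Type: text/html

<p>Dear user,</p><p>Send me your password for the data repository immediately.
Confirm at <a href="http://example-corp.login-verify.test/reset">example-corp.test/portal</a>.</p>
"""
BENIGN = """From: HR <hr@example-corp.test>
Subject: Team lunch on Friday

Hi Pat, lunch is at noon. Menu: https://intranet.example-corp.test/lunch
"""
```

Running `verdict(hallmarks(PHISH))` yields "block" because all four hallmarks are present, while the benign notice passes with no flags; the returned tags double as the audit trail the next paragraphs describe.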
In addition to monitoring to prevent an attack, recorded visual playback of user sessions lets you take a deep dive into how an incident unfolded and where the vulnerabilities lie, to better prevent future attacks.
Monitoring software may have detected the malicious e-mail coming to our negligent manager if the sender was a previously known offender. In addition, monitoring software would have provided an audit trail to help determine the attack's origin and put appropriate blocks in place going forward.