Security procedures are good – follow them and you get to keep your job
Sidestepping them to be 'more productive' impresses no one
Motorists tend to believe speed limits are a good idea and that everyone should stick to them. They know that when they break the limit the risk of an accident rises. But they also "know" that it is everyone else breaking the speed limit that poses the real danger.
When it comes to cybersecurity insider threats, it appears that similar attitudes exist. People, under pressure to be productive, rarely view themselves as "threats" to the organisation when they actively circumvent security policies, but probably think they're taking the initiative.
Of late, we've seen another headline-grabbing data lift: British Airways copped to the theft of 380,000 payment card details. There was also the smaller but no less annoying UK TV Licensing incident, in which the body apologised for the possible exposure of the details of 40,000 citizens who'd bought their TV licence online in recent weeks.
It's worth reaching for a pair of reports from earlier this year that serve as a timely reminder that often the enemy is within and this enemy's actions are more numerous and under-reported than those at British Airways or UK TV Licensing.
While security teams work to shore up defences to keep unauthorised outsiders from accessing the network, it is the sloppy, casually convenient use of pirated media, file-sharing sites and corporate tech that exposes firms to all kinds of risks.
The Ponemon Institute's 2018 Cost of Insider Threats report found that 64 per cent of insider threat events were attributed to negligent users. Incidents are increasing too: the average number of incidents involving employee or contractor negligence has risen from 10.5 to 13.4.
Going deeper, the Insider Threat Intelligence Report 2018 found that 75 per cent of respondents to a Dtex Systems YouGov poll identified using an encrypted file system to share confidential documents as important, but only 16 per cent had done so in the previous 60 days.
For updating antivirus software, 85 per cent identified it as important, but only 37 per cent had done so; 69 per cent acknowledged dual-factor authentication but only 30 per cent used it; and 71 per cent said they knew they should change their work login credentials but only 42 per cent had done so.
The report said: "Despite the fact that employees knew they weren't doing everything that they could to protect organizational security, nearly a quarter of respondents (23 per cent) still said that they thought their organization's information would never be compromised."
As well as not practising simple security hygiene, negligent behaviours highlighted include putting sensitive data on file-sharing sites and over-use of unencrypted USB drives to transfer files, alongside a growing number of instances of people misusing their security privileges and a growth in the use of high-risk applications.
uTorrent, Wireshark, PowerShell, CCleaner, SnippingTool, FreeWatch, DontSleep, PDF converters and Caffeine were among the more common risky apps.
The report said: "Like security bypass, the use of high risk applications is often a warning sign of something worse. A user will typically install such applications so that they can get around security measures, download pirated media, or engage in more sinister activity."
Don't leave me this way
When it comes to the human factor, firms are not blameless when managing people who are coming and going. Companies will often put a huge amount of effort into monitoring high-risk employees within the organisation to stop information being stolen. This may be people who are leaving, face redundancy or have a grievance. But an equal risk could come from people joining the company who bring stolen data in from previous employers.
In one of the most high-profile cases that made it to the courts this year, Uber paid Waymo $245m in equity as part of a lawsuit settlement around an alleged plot to steal IP about Lidar autonomous driving technology. Uber had paid $600m in stock for a company formed by an ex-Waymo employee and it was subsequently alleged that this was part of a plot to steal 14,000 proprietary files from Alphabet-subsidiary Waymo.
Few instances where stolen data is brought into the organisation by new staffers ever make it to court. Dtex said it twice found new employees importing a large number of design files into a customer that turned out to come from competitors. It "caught the import of the stolen data and the company was able to mitigate the situation before it became a legal problem".
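The two warning signs described above, high-risk application use and a new starter importing a suspiciously large batch of files, are the kind of thing an endpoint monitoring team turns into a simple score. The following is an added illustration and not Dtex or Ponemon tooling: it parses constructed endpoint events (the comma-separated format, the executable names assumed for the listed apps, the placeholder file-sharing domains, the weights and the 30-day/25-file thresholds are all assumptions of this example) and reports, per user, which negligent or suspicious behaviours were seen.

```python
"""Toy insider-risk scoring over constructed endpoint events.

Added illustration, not the Dtex or Ponemon products' logic. The log
format, executable names, weights and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Applications named as high risk in the report quoted above, mapped to
# assumed executable names (the mapping is an assumption of this example).
HIGH_RISK_APPS = {
    "utorrent.exe", "wireshark.exe", "powershell.exe", "ccleaner.exe",
    "snippingtool.exe", "freewatch.exe", "dontsleep.exe", "caffeine.exe",
}
# Constructed placeholders for consumer file-sharing sites the firm does not sanction.
UNSANCTIONED_SHARE_DOMAINS = {"fileshare.example", "quickdrop.example"}

# Weights and thresholds: assumptions, to be tuned per organisation.
WEIGHTS = {
    "high_risk_app": 3,
    "usb_write": 2,
    "unsanctioned_upload": 2,
    "bulk_import_new_starter": 6,
}
NEW_STARTER_WINDOW = timedelta(days=30)
BULK_IMPORT_THRESHOLD = 25

# Constructed sample events, one per line: timestamp,user,event,detail
SAMPLE_EVENTS = "\n".join([
    "2018-09-10T08:02:11,alice,process_start,uTorrent.exe",
    "2018-09-10T08:05:40,alice,usb_write,quarterly_forecast.xlsx",
    "2018-09-10T08:06:02,alice,upload,fileshare.example/u/quarterly_forecast.xlsx",
    "2018-09-10T09:15:02,bob,process_start,excel.exe",
    "2018-09-10T09:16:30,bob,usb_write,slides.pptx",
] + [f"2018-09-10T10:{i:02d}:00,carol,file_import,/inbound/drawing_{i:03d}.dwg"
     for i in range(30)])

# Constructed HR start dates: carol joined a week before the events above.
START_DATES = {
    "alice": datetime(2015, 1, 12),
    "bob": datetime(2012, 6, 1),
    "carol": datetime(2018, 9, 3),
}


def parse_events(text):
    """Yield (timestamp, user, event, detail); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) != 4:
            continue
        ts, user, event, detail = parts
        yield datetime.fromisoformat(ts), user, event, detail


def score_events(text, start_dates=START_DATES):
    """Return {user: (score, [reasons])} for every user with flagged behaviour."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    imports = defaultdict(list)  # user -> timestamps of file_import events

    for ts, user, event, detail in parse_events(text):
        if event == "process_start" and detail.lower() in HIGH_RISK_APPS:
            scores[user] += WEIGHTS["high_risk_app"]
            reasons[user].append(f"high-risk app launched: {detail}")
        elif event == "usb_write":
            scores[user] += WEIGHTS["usb_write"]
            reasons[user].append(f"file written to removable media: {detail}")
        elif event == "upload":
            domain = detail.split("/", 1)[0].lower()
            if domain in UNSANCTIONED_SHARE_DOMAINS:
                scores[user] += WEIGHTS["unsanctioned_upload"]
                reasons[user].append(f"upload to unsanctioned sharing site: {domain}")
        elif event == "file_import":
            imports[user].append(ts)

    # Bulk import shortly after joining: the pattern Dtex describes for data
    # brought in from a previous employer.
    for user, stamps in imports.items():
        started = start_dates.get(user)
        if started is None:
            continue
        recent = [t for t in stamps if timedelta(0) <= t - started <= NEW_STARTER_WINDOW]
        if len(recent) >= BULK_IMPORT_THRESHOLD:
            scores[user] += WEIGHTS["bulk_import_new_starter"]
            reasons[user].append(
                f"{len(recent)} files imported within {NEW_STARTER_WINDOW.days} days of start date")

    return {u: (scores[u], reasons[u]) for u in scores}


if __name__ == "__main__":
    ranked = sorted(score_events(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1][0])
    for user, (score, why) in ranked:
        print(f"{user}: score {score}")
        for line in why:
            print(f"    - {line}")
```

The score is only a triage aid: the point of keeping the reasons list alongside the number is that a reviewer sees why a user surfaced (a torrent client plus a USB copy plus an upload to an unsanctioned site, or thirty drawings imported in a new starter's first week) rather than a bare figure, which is what lets the company "mitigate the situation before it became a legal problem".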
Malice and misadventure
But what of the more ordinary? Ponemon reckoned employee or contractor negligence is more expensive than credential theft – on an annual cost basis.
How much? That varies by how big you are. Enterprises with a headcount of more than 75,000 spent an average of $2.1m in the last year fixing the problem. Those with a headcount under 500 paid an average of $1.8m.
As work-life balances shift and blur, and mobile and cloud make it tempting for users to access work data anywhere, the number of accidental breaches and exposures should increase if past data is any guide.
How the security department manages the human factor and how they identify and manage high-risk individuals is becoming ever more important.
Handing out the equivalent of speeding tickets won't fix it. ®