Organizations spend so much time defending against external attackers that they sometimes neglect to address insider threats. This oversight may reflect the extent to which some organizations trust that their employees will respect their intellectual property and sensitive information, among other factors. Such a mindset is well intentioned. However, it misinterprets the realities of data security. New research reveals just how careful organizations need to be when protecting their data against insider threats.
Clearswift, a global cybersecurity innovator and data loss prevention provider, recently announced the results from an independently conducted survey on enterprise security practices by Loudhouse, a technology and B2B research firm. Of the 500 decision makers in Internet technology and 4,000 employees in the United States, Europe and Australia polled, 35 percent of respondents would willingly sell sensitive corporate information (or customer data stored on protected company servers) for the right price.
As illustrated in Clearswift's infographic below, insiders are willing to make off with a variety of information. This includes financial statements, product specifications, customer and employee data, supply chain information and transactional records.
The variety of informational targets is matched by an equally diverse set of motivations on the part of the attacker. Some insiders might decide to steal information for their own benefit, such as by withdrawing money from a company's bank account or selling stolen intellectual property to competitors. Others might have the explicit purpose of undermining the company for which they work, which might become apparent when the attackers undercut contracts, blackmail senior executives, or embarrass the company in some way.
The infographic illustrates the kinds of prices for which internal actors would be willing to sell corporate information:
- A quarter of employees would sell company data, risking both their jobs and criminal convictions, for less than $8,000.
- Three percent of employees would sell private information for as little as $155, which is the equivalent of a meal for two at a nice restaurant.
- Nearly one in five respondents (18 percent) would accept an offer of $1,550 – approximately the value of a high-end laptop.
- 35 percent of employees were open to bribes as the offer approached $77,500, a sum which could fund a family holiday to Europe.
- A majority (65 percent) of employees said they wouldn’t sell data for any price.
These figures translate into credible threats when one considers that 61 percent of respondents had access to private customer data, while roughly half had access to financial data (51 percent) and to product information (49 percent).
To be sure, it is promising that 65 percent of employees would not consider selling company information, but the fact that over a third would do so constitutes a very real threat to organizations everywhere.
“While people are generally taking security more seriously there is still a significant group of people who are willing to profit from selling something that doesn’t belong to them. This information can be worth millions of dollars,” said Heath Davies, Chief Executive Officer, Clearswift.
Insider threats are an issue organizations must confront because employees hold varied opinions about data security. According to Clearswift's survey, 29 percent of respondents felt that it was their personal responsibility to help protect their company's sensitive information, whereas one in five respondents (22 percent) did not feel they had any obligation to help safeguard corporate data. At the same time, another 62 percent of participants said that they did not care enough about the implications of a security breach to change their behavior.
Given this lack of consensus, it is up to organizations to look for the precursors that might signal an internal party is about to commit an insider attack. They should also consider implementing a suite of solutions that combine active threat intelligence with log management in order to detect these types of attacks before it's too late.
“It is not good business to live in fear of your employees, especially since most can be trusted,” said Davies. “Getting the balance right has always been hard. But truly understanding where the problems come from, combined with advances in technology which can adapt to respond differently to different threats, really changes the game here.”