The 5 most common insider security risks
Every day brings another batch of headlines: Hackers gaining access thanks to sloppy password practices. Current or ex-employees engaging in deliberate acts of cyber-sabotage. Well-meaning employees making honest mistakes and exposing the private information of 850,000 people. Even the FBI is warning against insider threats.
It may sound counter-intuitive—and I recognize that it certainly sounds ominous—but the biggest risk to your company could be your employees. And it’s not always about malicious actions by your employees. In many cases, the risk comes from bad habits.
We just published a new report that dives into the security risks posed by current and former employees. We’ve found that the following 5 behaviors are very common across a broad spectrum of industries and job positions.
How many of these risky security practices are happening in your company right now?
1. Insecure password practices.
This includes using the same password for personal and business apps; reusing passwords across multiple apps; sharing passwords with other employees; and storing passwords insecurely.
2. Shared accounts.
When multiple employees are using the same login and password, there’s no audit trail to ensure accountability—and less leverage to prevent ex-employee access.
Here are some scary stats about shared accounts from Dark Reading. There is some speculation that the massive 2013 Target security breach was caused by a login that was common across all versions of a certain kind of server software; what is certain is that investigators reviewing Target’s security practices after the fact found a terrifying number of shared passwords on the network.
3. Shadow IT.
When users don’t like the tools IT provides, they’ll often provision their own cloud services without IT’s knowledge or visibility. This happens most often with file storage services.
Recent examples of the problems associated with shadow IT include the discovery of 1.5 million records on Amazon’s cloud platform and a fine of $4.8 million to healthcare companies where shadow IT was employed. You can even consider Hillary Clinton’s personal email server as representative of this problem; CIO Magazine says it’s made Hillary the face of Shadow IT.
4. Insecure file storage and transfer practices.
Data breaches are much more likely to occur when users are saving company files on personal devices or in personal cloud storage, emailing them to their home computer, or even signing up for personal note-keeping services without IT’s knowledge.
In just one example, Lyft sued its former COO for breach of his confidentiality agreement and fiduciary duty, claiming he uploaded confidential files to his personal Dropbox account before taking a job with arch-rival Uber.
5. Ex-employee access.
The more cloud apps a user has, the more likely they are to retain access to data after they leave the company. When former employees still hold this kind of access, you risk everything from regulatory compliance failures to data breaches to malicious attacks on your data and reputation.
For example: an ex-employee of Reuters was recently convicted of hacking for sharing with Anonymous the credentials he retained from his job.
Read more in our Insider Risk Report
We just published the 2015 Intermedia Insider Risk Report. We surveyed 2,000+ office workers about their data security habits. The results… well, they’re enough to make you paranoid.
Fortunately, we also provide some insights and recommendations to combat the problem. If you’re worried about employee behaviors exposing your company, read the report.