Consider these three very different crimes.
- Lynx theft at petting zoo. Former employee takes Siberian lynx cubs from Wisconsin petting zoo.
- Kendall Jenner burglarized. Jenner noticed $200k in missing jewels from an open jewelry box after having friends over.
- Swedish Government Scrambles to Contain Damage From Data Breach. Unauthorized personnel gained access to sensitive information at the hands of a contractor hired by the Swedish Transport Agency.
What does the zoo, Kendall Jenner, and the Swedish government have in common?
They all lost control of valuable items when risk was perceived to be minimum, and all at the hands of an insider.
Whether we are discussing theft in the physical world or data breach in the cyber world, there are undeniable parallels; most of the emphasis and/or investment is on keeping external perpetrators out. But, according to a New York State security breach report spanning 8 years, 57% of breaches were internal: 46% comprised of well-intended employees compromising the integrity, confidentiality or availability of an information asset, 11% attributed to malicious intent. The remaining 43% were due to outsider threats/hacking[1].
Information assets are growing, and that’s a good thing. Employees create content such as a purchase order, engineering code, new streamlined processes, or a marketing plan. The more content employees and business partners create, the more value companies possess. But, as content grows, so does exposure and increased risk.
In addition to more valuable data and risk, the stakes are getting higher too. Regulations with stiff penalties are in place to protect individuals (customers, users and employees), and the burden is on companies to comply. Here are just a few examples:
- Federal Securities and Exchange / Sarbanes-Oxley requires publicly held companies to establish internal controls to protect from fraud. Additionally, a bipartisan group of senators introduced a bill called the “Stronger Enforcement of Civil Penalties Act of 2017” to increase penalties up to $1M for individuals and $10M per entity.
- EU General Data Protection Regulation (GDPR) beginning May 2018, requires all data breaches to be reported within 72 hours. It imposes sanctions for non-compliance of up to 20M EUR or 4% of the annual turnover of the preceding financial year, whichever is greater.
- Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of healthcare data with civil and criminal penalties carrying sentences up to $1.5M annually and/or 10 years in prison.
- Regional and State Requirements: require breach notification of affected parties in all states with exception of Alabama and South Dakota[2]. Some jurisdictions set out a specific period of time, such as New York requiring notice “without unreasonable delay”.
Legislation can be expected to get more sophisticated, specific, and continue to carry severe penalties for non-compliance.
Who is at risk?
Well, anyone who has valuable content.
Clearly, content required by regulatory entities as well as contractual obligations needs to be protected. But, we often fail to recognize the tremendous value of data outside these mainstream categories. Companies across all industries are looking to protect:
- Sources: A global news agency such as Buzzfeed, protecting the exclusivity of journalistic sources, and thus the integrity of the firm.
- Innovation: Engineering code for new product design, where an employee violates confidentiality agreements and steals proprietary information to compete with the employer. This can go undetected and significantly eroded the future of a company. Here are two examples of ongoing litigation.
- In Cisco vs. Arista, a rival run by former Cisco employees, the lawsuit alleges that Arista has a “culture of copying” Cisco’s intellectual property. In May, the U.S. International Trade Commission concluded that Arista's switches had infringed the Cisco patents and said it would issue an order banning Arista from importing the infringing products into the United States. In June, the U.S. Patent office sided with Arista, thereby setting the stage to undo a U.S. agency's order blocking importation of some of its products.
- In Waymo vs. Uber, the lawsuit alleges an engineer in Google’s self-driving car unit stole over 14,000 documents from Alphabet to found his own company, later acquired by Uber who leveraged it to create their technology.
- Strategic Plans: Internal planning documents when leaked can devastate a business, as in the case of Summit Brewing suing former employees alleging marketing plans and distribution secrets were leaked to competitors[3].
- Trade Secrets: Unlike patents, trade secrets do not prohibit others from independently discovering or reverse engineering products. For instance, a recipe is extremely important in the food industry, and it isn’t just the well-known examples such as Coca-Cola, KFC fried chicken, or Bush’s baked beans but also to pre-packaged, frozen foods, and the foodservice industry.
- Client Agreements: Venture capital, private equity and investment funds must maintain information on exclusivity, stock, funding, and valuation on a need to know basis or risk sabotaging current and future investments.
Intellectual property undeniably is the foundation for profitable growth.
How can businesses better protect their valuable information?
IT departments have become extremely sophisticated in protecting their data from an external breach with the latest in firewalls, VPN, and antivirus technology. Many companies have also opted for cyber insurance to transfer some of this risk; however, these policies rarely cover “acts of negligence” or breaches at the hands of an employees or trusted parties.
Unfortunately, current solutions can only solve for 50% of the risk!
The other 50% of the data breaches are caused by insiders (employees, contractors, suppliers, channels), often inadvertently. While the root cause of an insider breach can be the lack of training on content procedures, it often results from prioritizing productivity over security when there are no mechanisms to monitor violations and enforce policies.
Here are some examples where inadequate training and a lack of policy enforcement introduce vulnerabilities:
- Human error: An employee places highly sensitive financial data into the marketing folder and does not realize that 3rd party contractors are granted access to it.
- Neglecting essential precautions: An employee copies payroll files to her personal laptop to work from home, but the laptop is stolen from her car when she stops on the way for dinner.
- Malicious insider breach: In this real example, employees in an AT&T data center in Mexico stole passwords to unlock and resell phones. Only a small percent of employees is dishonest and would steal, but even if it is only 1%, 5 people in a 500 person call center may steal and use the information against you and your customers. Dishonest employees that handle corporate assets worth considerably more than their wages can place the business at great risk, and even executives aren’t immune to greed. We have seen many examples of this, most of them are not publicly known while others like Uber/Alphabet or Arista/Cisco are in litigation.
If the protection process weighs down productivity, companies will lose their competitive edge. This constant tension is inevitable but cannot be ignored. Businesses need to reassess the value of their data and their risk of exposure. 92% of IT leaders believe their organizations are either vulnerable or somewhat vulnerable to insider threats[4]. There is no simple one size fits all solution, but with the increasing volume of information being created each day, you need to think about it now before it is too late. Make sure your current approach is correctly proportioned between external vs. internal risk, and will scale as your content and business grows.
This post was initially published on Egnyte blog.
[1] New York State Security Breach Reporting (2006-2013)
[4] 2014 report from Breach Level Index InfoSec Institute