Internal Threats: Five Ways Employees and Business Partners Put IP and Data at Risk
By the President and CEO of the Center for Responsible Enterprise and Trade
When a cyberattack makes the headlines, it’s often because the perpetrators are a mystery. We can imagine hackers operating out of smoky rooms in distant lands—and sometimes that turns out to be accurate.
But it is also true that the guy whose office is just down the hall past the soda machine may be as great a threat as a remote criminal. Insiders—company employees as well as contractors and business partners—can present a significant risk for misappropriation of sensitive information and intellectual property. Whether they are operating out of malice or ignorance, their actions can be disastrous for company profits, reputation and future business plans.
Here are some of the key factors fueling insider risk:
- Access: Many companies lack appropriate limits on employees’ access to confidential, sensitive information—items including customer lists and contact information, intellectual property, and private information about customers, employees and business partners. In a recent report by the independent Ponemon Institute, 71 percent of “end users” (employees on the system) said they have access to company data they should not be able to see, and 54 percent of them said that the access was frequent or very frequent. The vast majority of IT professionals surveyed said that their organizations don’t have a “need-to-know” policy of managing access, or don’t strictly enforce it.
- Mobility: In today’s globalized economy, professionals in many industries have unprecedented opportunities to move between companies and work in different countries. In an increasingly common narrative, employees with access to trade secrets walk out the door with reams of downloaded documents that they aim to provide to competing companies or foreign governments. The greatest risk comes from employees who are disgruntled, leaving amid layoffs or similar upheaval, or returning to their native country. Typical of these cases is one recently reported by South Korea’s Yonhap News Agency. A court in Seoul indicted a man identified only as Kim, a high-level automotive engineer, for passing classified documents from his former employer Daewoo Motors to competing carmakers in China. The documents he transferred contained details of safety and performance testing technology that the South Korean company had developed. There are many similar cases in a wide array of industries.
- Risky digital behavior: In the Ponemon survey, only 47 percent of information technology practitioners surveyed believed that employees in their companies take data protection seriously. That belief is supported by the response to another question by the non-IT set: 76 percent of those surveyed said they saw no problem with loading confidential documents onto their unsecured personal computers, smartphones and the public cloud. By doing so, they may unwittingly open the door to cyber theft. Another common way that internal and supply chain employees may create holes in security is by loading their own software onto work computers. If that software is pirated, it may contain malicious code designed to search their systems for valuable data.
- Accountability gap: Many companies do a poor job of conveying their expectations around confidentiality and security to employees and supply chain partners. Monitoring to see whether appropriate procedures are being followed is even weaker. In some sense, it’s no wonder employees are not vigilant about protecting intellectual property and preventing cyber breaches.
- Insider advantage: When the factors above combine with an insider’s first-hand knowledge of the company’s information systems, and the company fails to monitor insider behavior, the result is some of the most damaging data breaches.
Here’s how one such case is playing out in Japan: Police arrested 39-year-old Masaomi Matsuzaki last July on suspicion of stealing data linked to more than 20 million customers of Benesse Corp., which provides education materials and services for students.
Matsuzaki, who was working as a systems engineer for a company affiliated with Benesse, reportedly loaded the data onto his smartphone and then sold it to middle men who resold it to a few hundred other companies to exploit for marketing purposes, according to a Kyodo news agency report.
The case sparked outrage in Japan and a national debate about improving privacy laws. Although the perpetrator is now in custody, Benesse continues to reel from the fallout. Parent company Benesse Holdings announced in December 2014 that it is cutting 300 jobs to compensate for an expected net loss of between $8.3 million and $75 million in the current business year because of the data breach.
Clearly the threat from insiders cannot be remedied with an old-fashioned firewall. It requires a multi-faceted, proactive approach—one that involves IT security design as well as security procedures, contract provisions, training and monitoring. These measures must be based on a clear picture of where valuable information assets reside, whether customer data or intellectual property.
And, importantly, a system to address security risk posed by some insiders must be balanced with the need to facilitate the work of the majority of employees and partners who operate in good faith.
The digitized, fast-evolving global economy presents unprecedented opportunities. But capturing its possibility comes with the need to address associated risk. Taking a systematic approach—with dedicated strategies to address risks posed by “insiders” in concert with plans to stop intrusion and associated damage by “outsiders”—is the most pragmatic and cost-effective way for companies to compete in this changing, and often challenging, business environment.