Inside job: 6 ways employees pose an insider threat
CISOs and CIOs have seen the prospect of losing control over data, and the accompanying data privacy and security concerns, as the biggest hurdle to cloud adoption. According to the Cloud Security Alliance’s Cloud Adoption, Practices and Priorities Survey Report, 73% of respondents cited data security as the top challenge holding back cloud adoption.
It’s not uncommon for security teams to be concerned about threats from within their company. And while the media tends to cover headline-grabbing insider threat events such as Edward Snowden, the majority of insider threats are either well-meaning but cavalier employees or rogue or disgruntled insiders looking for monetary gain. Most of these cases aren’t even detected.
Even though 17% of security professionals were aware of an insider threat within their organization in the past year, usage data from Skyhigh’s cloud report shows that 89.6% of organizations experience anomalous insider behavior highly indicative of an insider threat event. Another 55.6% of companies show unusual activity by privileged users, such as an administrator accessing data he isn’t allowed to access.
These numbers shouldn’t come as a total surprise. The cloud has exploded with over 16,000 cloud applications, and auditing and governance measures that are underdeveloped compared to those for on-premises applications lead to a lack of cloud visibility. According to a recent Gartner report, “through 2020, 95% of cloud security failures will be the customer’s fault.”
Here is a list of some of the most egregious insider threats today’s enterprises face.
Well-intentioned employees making mistakes
One of the common themes among insider threats is that they are often caused by otherwise good employees. The consumer cloud app market lets employees inadvertently leak data to outsiders. One ill-fated employee from the financial industry accidentally posted sensitive customer data to Facebook, taking “over-sharing” to a whole new level.
Your salesperson joins your competitor
This is one of the more common forms of insider threat, and it’s a common concern among companies in all industries. Here, a salesperson leaves the company to join a competitor and brings the company’s CRM data with him.
Cloud services like Salesforce let users access data from anywhere, but they also make it relatively easy for an employee to download all of the company’s leads, accounts, and detailed opportunity information, which can be used to inflict a great deal of damage on the company’s competitiveness in sales.
The cloud application employee poses a whole new kind of insider threat
Up to now, we’ve talked about insider threats from within a company that uses the cloud application. Insider threats can also come from an employee of the company providing the cloud application. If a cloud service doesn’t encrypt data in such a way that its own employees can’t view its customers’ data, then data loss can be a real threat. Worst of all, this type of insider threat might be nearly impossible to detect, since it occurs outside the security controls placed on the cloud application.
Sensitive data exposed to third-party partners
One of the advantages of the cloud is that it enables collaboration. At the same time, a lot of industries have to follow government regulations when handling user data. The healthcare industry, for example, must follow strict rules outlined by HIPAA-HITECH to ensure unauthorized users aren’t accessing protected health information (PHI). HIPAA also applies to healthcare providers’ partners, and the possible fines for noncompliance can easily run into millions of dollars, which is one reason companies invest heavily in data loss prevention and other security tools.
Threat from administrators
While at least some data is accessible to all users of a cloud service, administrators tend to have a tremendous amount of access. Not only are they able to view/edit most of the data, they can also change the internal infrastructure setup for the cloud application.
Privileged users and admins can also access data that’s meant for the executives only. This can include pipeline predictions and revenue projections that can be used for insider trading activity. This is a security liability voiced by many security professionals.
Not all cloud services are made equal
There is a class of cloud services dubbed Shadow IT. This category refers to cloud apps that aren’t sanctioned by a company. This can include cloud apps like Evernote, Facebook, iCloud, etc. In the worst instances, some of these cloud apps claim ownership of all data uploaded to them. Employees use these high-risk, unsanctioned apps without knowing the security risks to which they are exposing the company’s data. This leads to loss of sensitive data such as intellectual property. Sending data to these apps may also have legal consequences.