Something dark has recently soured the once rock-solid relationship between organisations and their employees and it doesn’t look like a bond that can be patched up any time soon.
The security industry intuitively understands the notion that the world is full of hackers and cybercriminals who want to break into organisations from the outside, but when it comes to assessing the malevolence of insiders, of ordinary employees, it struggles to quantify the risk.
For years it’s been viewed as a modest threat, even if the occasional administrator would run amok with privileged access or a salesperson would steal a customer database. That was just part of life. People occasionally do bad things out of spite, greed or craziness.
These days, the enemy within is starting to be seen as less an inconvenience than an alarming existential threat. This paranoia might not be the right way to understand the problem.
Security firm Clearswift came up with a recent estimate based on a survey of 4,000 workers in the UK, Australia, USA and Germany that a quarter would sell their employer’s data for as little as £5,000 ($7,500) if nobody would find out. Up the rewards to £50,000 and a third would be open to the idea of a bribe.
It sounds depressing but is it that surprising?
Meanwhile, an Insider Threat Report by US firm SpectorSoft (which sells monitoring systems, of course) crowdsourced experiences from LinkedIn, turning up some interesting material. The average number of detected insider attacks was 3.8 per organisation, with around half not sure how many had occurred, largely because they had no way to spot them.
Two thirds of these organisations reckoned they were seeing more attacks in the last year, again perhaps an issue of measurement – if you look for something you hadn’t worried about before, you shouldn’t be surprised if you find more of it than you expected.
Sorting out these attacks was, not surprisingly, rather expensive, costing an average of $445,000 (£287,000) per incident. We can’t vouch for these numbers – estimating security clean-up costs is notoriously contentious – but the likelihood that insider incidents are costly is plausible. Very few security systems are set up to monitor what insiders are up to in much detail, so unravelling the chain of events takes longer and requires more expertise.
This focus on insiders fits with recent big hacks from Edward Snowden (a whistleblower to some, of course) to the strange events at Sony Pictures in 2014, which some still believe must have involved an insider in some way. Earlier this month, the breach at dating site Ashley Madison was pinned on some kind of insider nefariousness, while in the UK an auditor at supermarket Morrisons was jailed for eight years for posting details of 100,000 employees on a website in 2014 after harbouring a grudge against his firm. Insiders are fast becoming the explanation for many major attacks and breaches.
Frankly, it’s hard to believe that insiders are any more dangerous than they’ve ever been. All organisations can be undermined pretty spectacularly from inside, which is hardly new. This wasn’t always apparent, but the digital age has handed us some handy case studies. In many cases, making an attack public to generate publicity is these days part of the motive.
As anyone who’s been around a bit knows, the real problem isn’t that employees sometimes turn on their employer but that organisations are for the first time being forced to care about this fact. Perhaps insider attacks could once be kept private but this is no longer the case. This isn’t a moral issue so much as a basic business one.
The danger is that the insider becomes a handy scapegoat, a coded way of passing the blame to unexpected and unforeseeable forces beyond the control of any organisation. That will work for a while, but at some point this excuse will run out of legs. Insiders are here to stay. The era of ultra-intrusive organisations that monitor everything that happens during working hours (including when working at home) is almost upon us.