Insider Threat: Why Does It Happen, And How Can You Prevent It?

As Bupa gets a hefty fine for the actions of a rogue employee, we look at how the biggest security threat may be from within.

Not a week seems to pass without a business being targeted by hackers – often criminal gangs located in foreign countries. But almost as often, the threat is closer to home. In fact, in many cases, it could be sitting right next to you, in your own office, drinking the same coffee, attending the meetings. Known as insider threat, it’s a danger that around 74% of businesses in the UK face, and one that healthcare firm Bupa will now be painfully aware of.

Last week, the Information Commissioner’s Office (ICO) announced Bupa had been fined £175,000 for failing to secure customer data, in breach of the Data Protection Act 1998 (since it happened before GDPR came in). The personal information of around 47,000 customers had been stolen by a Bupa employee and then put up for sale on the dark web.

Sometime between 6^th January and 11^th March 2017, the culprit extracted these records from the company’s CRM (customer relationship management) system and sent them to a personal email address. They were eventually spotted by an external partner in June of that year, and the ICO was informed.

But why the fine for Bupa? Why was it held responsible for the actions of a rogue employee (who was ultimately fired and arrested by Sussex police)?

Simply put, Bupa should have known, because its CRM system should have spotted the bulk download and subsequently alerted the appropriate parties within the company. This insider threat could have been nipped in the bud with a simple technical solution.

Why, though, do cases like this happen, and what can be done to prevent them or limit their harm?

Causes Of Insider Threat

What motivates people to steal data from their employers will obviously vary. Some may do it for financial gain, selling information or using it to access company funds. Others may have an axe to grind, and such people, rather than making off with data, might simply access your network to cause damage of some kind.

Furthermore, an insider threat could be working with external parties to attack your business. One high-profile example involved a Google employee, Anthony Levandowski, selling blueprints and other files, all pertaining to its autonomous car division, to Uber. You’d think his $120 million pay packet would have been enough to keep him happy…

Significantly, Levandowski took this data just before leaving the company to start his own (which, surprise, surprise, was bought by Uber shortly after). He wouldn’t be the first ex-employee to cause problems in this way either. In the case of ZeniMax versus Oculus VR, for example, it was claimed that John Carmack took company secrets with him when he left ZeniMax and moved to Oculus VR to work on the Oculus Rift virtual reality headset.

These were ideas that he had worked on himself, but as an employee working on company time and equipment, it was argued those ideas belonged to ZeniMax. Initially, ZeniMax was awarded $500 million after it sued Oculus VR, but that was then halved on appeal, and the case, which began in 2014, is ongoing.

But insider threat isn’t always the result of rogue or ex-employees. Businesses may also be targeted by customers and suppliers. Indeed, only around 42% of cases in 2017 involved employees.

It’s also important to realise that not all cases of insider threat are the result of deliberate action. In many cases, honest mistakes and simple human error are the root of the problem.

Tackling Insider Threat

As the Bupa case indicates, technology can play a vital role in preventing insider threat. Computer systems and software can be configured to monitor the activities of users, alerts can be sent, permissions for files and systems can be altered to limit access. It also makes sense to keep track of what devices, including mobile phones, have access to your network, and removing them when employees leave your company.

Added to that, businesses should regularly assess their IT solutions and cyber security, to see who can access what and to analyse activity since the previous audit. That could be done by existing staff or, perhaps, by a dedicated insider threat analyst.

Accidental insider threat, meanwhile, is probably best tackled through appropriate training.

Finally, you shouldn’t discount the possibility that cultural and institutional factors may increase your chances of insider threat. If you have a high level of staff turnover, for instance, that could mean you have more disgruntled ex-employees. Why might that be? Are staff being treated badly or not being listened to? Is pay too low? After all, when all is said and done, insider threats are people, and people don’t normally do things without a reason.

In any case, the solution, whatever it may be, has to be multi-layered and consistent.

Device management is a great way to protect your business. To find out how Microsoft InTune can help you set device permissions across your organisation, get in touch for an obligation-free chat. Simply write to info@tmb.co.uk.