How honest employees become criminals

The incidents in information security might occur due to the fault of the most respectable employees.

We have been working on the development of corporate systems to prevent information leakage – DLP (Data Loss Prevention) – for more than 12 years. And employees may not be willing to make some extra money illegally, to take revenge on someone, to access the client base to start their own business. The reasons why they fall prey to data breach and further suspicion of malicious intent are the neglect of information security rules, excessive trust in colleagues’ integrity and mere recklessness.

According to the Intel Security study, slightly more than half of information leaks take place due to outsider attacks, while 43% of troubles are caused by the employees. Moreover, intruders usually look for information about clients (34%), while employees get responsible for leaking data about their colleagues, less often exposing the client base (25%).

Statistics show that insider info loss happens unintentionally more than often.

The motives of employees who leak confidential data deliberately are understandable – revenge or profit. When it comes to respectable employees, it turns out to be more complicated. Having analyzed the incidents, we came to the conclusion that all “good” employees, who cause trouble, can be divided into three groups.

1. Innocent victims

This group includes unsuspecting employees intentionally framed by one of the colleagues.

Information security specialists helped our client to discover important documents stored locally on the disk by one of the employees who wasn’t allowed to access them. This is a serious violation of the internal regulations which requires urgent investigation. The employee’s computer appeared to have some software installed for remote control which he simply didn’t need in his work. The investigation revealed that the employee suspected of violations had no clue about the files stored on his computer. The actual culprit was a technical specialist who used the computer of the employee as a temporary network storage before transferring confidential data to a third party.

2. Happy-go-lucky

The group of employees who become the perpetrators of leaks due to negligence, ignorance or naivety.

44,000 customers of Federal Deposit Insurance Corp. (FDIC) became victims of personal information leakage due to the technical incompetence of the company’s employee who uploaded confidential data to a personal flash drive. Later it turned out that the information wasn’t used outside the organisation, however, with the help of special software FDIC was able to track the uploading of corporate information.

According to the Wombat Security 2017 State of the Phish Report, 28% of employed UK population and 35% of the employed in USA do not know what “phishing” is. In January 2017, a leak of personal data of 4,000 employees happened due to the fault of the colleagues who followed the link with the requirement to fill in the necessary tax forms. The letter which was sent on behalf of the CEO, appeared to be a phishing bait.

3. Skeletons in the closet

Such employees are harmless until something provokes them. Their personal lives hide some “hook” which attackers might want to benefit from. It can be anything from debts, drugs or alcohol addiction to adultery or other private details. Information security specialists put such employees in the risk group, because criminals can use their secrets in order to blackmail members of staff.

Another example. For reasons unknown, the same suppliers were selected by the employees of some company, although the terms and conditions they offered were not the best ones. Information security specialists started with checking the activity of the procurement specialist. The employee was suspected of taking kickbacks but the surmise was negated. However, there was a thing which drew attention of the IS specialists. The correspondence between the girl, procurement specialist, and a male colleague from another department was observed. The sympathy was spotted between the employees. The girl was picking those suppliers from which her colleague received “bonuses”.

Incidents that occur due to “innocent victims” can be detected (and even prevented) only by information security specialists. The “victim”, besides being unaware of what is going on, is ineffective in finding and neutralizing the attacker due to the lack of technical skills and professional knowledge. Employees with “skeletons in the closet” should be controlled permanently. IS specialists tend to react promptly to the incidents originated by this type of employee. The information leakage caused by employees from the second group – happy-go-lucky – happen more often because of their criminal carelessness and negligent attitude towards the basic set of rules.

Let us give some examples:

1. All mine is yours

Information security specialists detected the account activity on the computer of an employee who at that moment was on vacation and didn’t have to show up even remotely. It turned out that before the vacation he delegated all the passwords to his colleague (“just in case”), so that he wouldn’t be disturbed with constant inquiries. The company’s routine forbade access sharing. The employee’s computer kept confidential information which in case of leakage would lead to serious financial and reputational loss. The company managed to avoid the data breach, though the incautious employee was warned about possible threats and instructed.

2. Innocent request for technical assistance

Which corporate information is kept on the computer of which employee – you can learn it even by accident. For example, thanks to an email sent by some employee while asking for technical assistance. According to the Winnipeg Free Press, the leaked data of 3,700 employees was discovered when one of the colleagues sent the email containing the information while making a request for technical assistance.

3. Force majeure

Whitehead Nursing Home employee not only survived the burglary and lost valuable belongings, but also became the reason why his employer paid 15,000 pounds fine. That day when he took the corporate laptop with unprotected information home his house was robbed. According to the BBC News, confidentiality of the data referring to 46 employees and 29 patients was violated.

According to the SolarWinds survey, the majority of unintentional info breaches occur due to phishing, copying data to unprotected devices, loss of storage devices or using personal hard drives, accidental deletion or modification of information, use of corporate passwords outside the internal network, neglect of protection systems updating, incorrect configuration. According to the survey among federal agencies conducted in 2017, there was an increase in deliberate insider leaks – 29% vs 22% in 2016. Nevertheless, 44% of respondents indicated that unintentional leaks are the main threat to information security.

Jorina van Rensburg is the Managing Director at Condyn.

What is the role of data and analytics in the Fourth Industrial Revolution?

The Internet of Things (IoT), artificial intelligence (AI), augmented reality, the list goes on. These are considered important elements of the Fourth Industrial Revolution that blurs the lines between physical, digital, and biological.

Central to this lies data and analytics. So, how can African organisations benefit from this dynamic new environment?

The ability to utilise and analyse data is going to be one of the biggest drivers of business in the future. This enables a better understanding of one’s business and customer requirements. Forming part of this journey is the shift towards a more mobile-centric landscape that sees people expecting to have access to real-time information for informed decision-making. Countries in Africa are in a strong position to benefit from this as they have long been mobile-first marketplaces.

Given how data is a representation of information or performance of a business at a specific moment in time, analysing it can reveal a wealth of insights. These allow for a greater understanding of what is happening in the business and how to improve its performance by taking cognisance of internal and external factors that could impact it.

Any business that can effectively analyse its data will have a massive advantage over its competitors as it will be able to adapt to changing trends and customer demands faster than those that do not have the same insights.

The African perspective

However, there is still much work to be done if the continent is going to effectively utilise its mobile advantage and unlock the additional potential that data holds.

Any business that is going to unlock value from data will first need to access it. This means Africa must have a bigger focus on getting companies and individuals connected – not only in terms of actual internet access but also in terms of extracting data from within their businesses.

Secondly, considering how much data is available to organisations, its quality and relevance needs to be assessed and evaluated. A well-known saying in the data sciences is ‘garbage in results in garbage out’. In other words, any data that is not reliable or accurate, will not provide the business with anything of value.

The third piece of the African puzzle is the need to invest in skills development. Being able to critically analyse data requires a significant focus on education. To unlock this, African countries need to place a greater focus on Maths, Statistics, and Computer Science skills. Even existing employees will need to adapt and, wherever possible, be upskilled to understand how to critically analyse the data and interpret it in a business context.

Overcoming obstacles

In addition to these elements, executive confidence in analytics need to be developed. Several polls show that the greatest challenge to accomplish this is to overcome the trust issue. Most executives agree that data analytics is the way of the future, but they are not confident in the ability of their company to provide accurate or stable data.

Building from this is the question of where data and analytics slot into the bigger strategic picture of the organisation. Is it a core skill and competitive advantage, or is it just the latest buzzword? Businesses need to have an introspective moment and decide if data and data analytics is going to be of value to them. If so, they need to make sure that they are setup to effectively leverage their data and use it as a value add to their core business offering. If not, it will always be seen as a cost to business that does not deliver tangible value.

Value for money will always be an obstacle irrespective the geographic location of a business. Fortunately, many companies have started seeing the value of their data and augmenting it with robust analytics. For example, in South Africa businesses tend to focus on applying it to internal metrics for performance. Retailers, telecoms operators, and financial services providers are also starting to leverage their customer data to provide additional value-added services through the likes of rewards and loyalty programmes as well as through cross-selling and upselling additional services. However, it this is still in its infancy in South Africa.

Even though African organisations are lagging behind those in the United States and Europe in terms of unlocking the value of data and analytics, there are signs that they are moving in the right direction. Who knows, perhaps the Fourth Industrial Revolution will be driven by Africa before too long?

Alistair Maxwell is the Head of Strategic Consulting at Decision Inc.

Your Cart