On June 20, 2019, Desjardins Group, the largest association of credit unions in North America, announced that over 2.9 million records of personal data had been leaked intentionally by an employee. The data was accessed and taken by an employee without authorization and with “ill-intention”, according to Desjardins’ President and CEO, Guy Cormier.
The breach was not the result of an external hack or cyber attack, but rather an insider threat. Something not so uncommon. According to research from IBM Security, up to 60% of all cyber attacks are likely due to insider threats (2019 IBM Threat Intelligence Index Report).
Most organizations are aware of the security threats posed by outsiders. Counter measures such as firewalls, antivirus software, and perimeter detections systems are all aimed at these threats. Yet, these measures do little to counter a greater threat—people.
One of the biggest barriers is understanding exactly where these insider threats come from and how to detect them.
And more importantly, does your cyber insurance policy cover you in the event of such an attack?
What exactly are Insider Threats?
An insider threat is a security threat that originates within the organization, from employees, board members, former employees, or business associates, who have privileged information concerning the organization’s security practices and data. There are generally two types of insider threats: unintentional and malicious.
Too often, people associate the term insider threats with malicious employees intending to directly harm the company through theft or sabotage. In truth, negligent employees or contractors unintentionally cause an equally high number of security breaches and leaks by accident.
Malicious insider threats, involving acts similar to that at Desjardins, go beyond negligence to include fraud, sabotage, and theft or loss of confidential information by trusted insiders. They represent purposeful action on the part of insiders against the organization, whether for financial gain, retribution, or some other motivation.
What can businesses do?
For the most part, insider threats cannot be prevented by using traditional security measures. Since insiders already have network access and privileges, their actions won’t typically trigger perimeter monitoring systems.
But a couple of things can be done…
Provide extensive employee training
For unintentional insider threats, the use of awareness training to educate employees (and those who work with and for you) on suspicious links or emails, can help to reduce internal risk. Studies show that security-related risks are reduced by 70% when businesses invest in cybersecurity training and awareness.
That is why all Cyberboxx™ members have access to comprehensive, online cyber security employee training through BOXX Academy. Learn more here.
Limit access to critical information
Limiting access to data and (physical and virtual) systems is one of the first steps in securing your network. Only those employees and vendors with a legitimate business need should be given access or keys.
You can accomplish the goal of access control by meeting five essential objectives:
- Issuing trusted credentials and de-provisioning access when required.
- Controlling physical access, such as protections against human tampering (starting with server room access).
- Managing remote access, while taking into account remote workers, mobile devices, web platforms, as well as trusted vendors.
- Restricting permissions by providing users only with those abilities they require.
- Protecting network integrity which, for larger systems, likely will include some form of network segmentation (partitioning) and network segregation (restricting the devices that can communicate with one another).
Understand high-risk moments
No amount of training will stop a disgruntled employee with ill intent, or a malicious employee who wants to cause harm or do damage.
There are technical aspects that can be employed. These tools might tell you that an employee is acting out of character, for example, logging in on the weekend without a previous history of doing so, or using keywords in emails that suggest they’re not happy with the company. But they can’t offer insight into what’s going on with users outside the walls that might be contributing to an organization’s risk of insider threat.
Instead, it may be more beneficial to focus on certain employees or employee moments in the company, such as:
New Employees: This is when cyber security training is usually provided and access rights are given. It is important that new employees understand the policies and programs that promote the resolution of employee grievances and protect whistleblowers. Pre-employment background checks may also be useful to help screen out potential problem employees before they become problems.
Exiting Employees: Most companies are aware that when an employee is leaving on unfavourable terms, or is poached by a competitor, there’s a risk that they may use their network access for revenge or to exfiltrate data that might be useful to their new employer. Revoking the employee’s credentials should be a priority to minimize that risk.
Product Launches: The launch of a new product is another high-risk period for businesses. Intellectual property represents up to 80%t of the value of a company, so its theft can have devastating consequences.
Ensure you're covered with Cyber Insurance
While most cyber insurance policies provide coverage for damages resulting from external threats, it is not always the case for internal threats.
At BOXX, we include specific coverage for 'Insider Threats' as part of all Cyberboxx™ insurance policies. Our broader insurance policy also includes coverage for unintentional insider threats, such as damages from social engineering or phishing attacks.
As is seen by the Desjardins breach, a business's reputation can be harmed significantly after an attack. Cyberboxx™ members have access to a panel of legal, public relations, and risk management experts that are crucial to decreasing the reputational damage of an attack.
Not sure if your policy includes coverage for insider threats? Talk to your local insurance broker or contact us to learn more.