In an environment where nearly 8.4 billion devices are connected to the internet, it’s not unusual to question the security of your personally identifiable information (PII). Hackers exploit vulnerabilities in security and cost businesses around the world billions of USD every year. If asked to picture a hacker, the image that comes to mind might look something like a hooded figure in a dark basement frantically typing code. Although this type of behavior does exist, it is only a minuscule fraction of the ways fraudsters can gain sensitive information. Many threats come from within the business itself.
Just this month, Verizon reported that nearly 14 million customer records had been compromised in one of 2017’s largest leaked data incidents yet. This was not the work of a hacker in a hoodie, but rather a careless internal mistake on the part of Nice Systems, a Verizon partner that helps field the company’s customer service calls. The customer files were on an unprotected storage server that was “downloadable by anyone with the easy-to-guess web address.” While it does not appear to have been done with any malicious intent, the incident shows how a well-intentioned partner can make an unfortunate security error that exposes a large amount of sensitive customer data.
While the case of Verizon and Nice is just one example of a data leak coming from the inside, there are many other situations that organizations must be wary of in order to reduce the risk of a data breach. We’ve identified four of the most common, yet often overlooked insider threats.
Insider Threat 1 – Rogue Employees
This is one of the most obvious insider threats: upset or resentful employees are best placed to steal sensitive customer information. Recently making headlines for just this type of data breach was ARMS Ltd. in Malta, where an employee working in the contact center took it upon herself to hang up on customers and call them back on her personal phone, warning them about call recordings. She then proceeded to offer customers the option to “hide” parts of their bills from the company’s billing system for a price. In total, the employee ended up stealing $17,710 from customers and their families.
While organizations should put the utmost trust in their workers to do their jobs effectively, all it takes is one employee acting with malicious intent for a company’s name to appear in the news. Stricter hiring processes with more extensive vetting of candidates, coupled with proper training for employees on how to spot and report improper behavior by their colleagues, can help to cut down on this insider threat.
Insider Threat 2 – Compromised Partners
As we learned with the Verizon incident, a partner’s security practices are as important as your own, especially when dealing with partners that must handle customer data directly. If a partner doesn’t uphold the same responsibility towards sensitive data as your own organization does, it could compromise the security of both parties.
An important distinction to make in the Verizon case is that it didn’t even involve a true data breach or a hacker: there was just a gaping hole in Nice’s security procedures that left customer data open on the internet for anyone to take. Each one of these customer records included countless types of information including names, home and cell phone numbers, home addresses, email addresses, account PINs and much more—creating a huge liability for both companies.
To avoid a repeat of what happened between these two organizations, make sure to do your homework on a prospective partner’s security procedures. If there is something that doesn’t follow your protocol, make sure to address it prior to conducting business with them. Also make sure to establish agreed-upon security processes, and codify them in the partnership agreement.
Insider Threat 3 – Accidental Breacher
Customer data can also be compromised with a single click by a well-intentioned employee. Phishing scams are a form of cyberattack where scammers attempt to trick victims into giving out important organization information, whether it’s employee information such as dates of birth, Social Security Numbers, tax information, passwords to important company accounts, or crucial records that should be kept private.
In addition to phishing, there is a more specifically targeted form of this technique called spear phishing. Spear phishing involves a fraudster posing as a credible or trusted contact and attempting to get a specifically targeted person to click on malware. In other words, it is simply a more sophisticated way of phishing in that the employee sees an email that he or she truly believes is coming from a trustworthy source, rather than just a random call-to-action. These scams are designed to look real, and often the scammer does extensive research into the victim and the organization beforehand to craft a message that looks like an executive would have sent it.
To prevent your own workers from falling victim to a phishing scheme, it is crucial that employees are properly educated and trained on how to spot these scams so that they can avoid clicking on an email that leads to a data breach and plasters your company in the headlines.
Insider Threat 4 – Outsourced Staff
Probably one of the most overlooked data security threats is outsourced staff who work on your premises. Many companies employ third parties for janitorial services, outsourced building security, or even short-term contractors through staffing agencies who complete special projects and leave once the project has wrapped up. Someone who doesn’t report directly to the company might not feel as nervous or guilty about stealing information. Unfortunately, these days it’s not as difficult to steal data as one would think: it’s as easy as inserting a USB drive loaded with a virus into a computer to begin collecting sensitive data.
This type of insider threat is a difficult one to protect against – sometimes it’s not as simple as hiring “good people.” For situations like these, security cameras can help catch culprits, as can keeping a record of exactly who is entering and leaving the building by restricting access to employees or visitors who have key passes. Additionally, working with these third-party contractors directly to learn about their vetting processes and security procedures can help address any issues upfront and prevent a data breach from occurring.
To many, the hooded hacker typing code in their basement might seem more threatening to a company’s information security than a friendly building janitor. However, it is imperative that this common perception does not obscure the fact that many unexpected internal threats lie in wait to endanger your data. Thankfully, with the proper precautions, like employing DTMF masking technology to keep payment data completely out of your call center, and recognizing that these threats come from all sides, companies can reduce the risk of a data breach and avoid tarnishing their brand reputation. After all, they can’t hack what you don’t hold!