Tesla, the luxury electric car maker, seem to have fallen foul of an insider threat episode, with Elon Musk, warning that a disgruntled staff member had altered the company’s IT system code, harvesting highly sensitive information and giving it to others.
Traditionally, the term ‘Insider Threat’ does indeed invoke images of malicious employees lurking in the shadows of an office attempting to steal company secrets or bring down the system. The reality is, that this form of ‘evil insider’ is infrequent at most companies, though clearly not Tesla, with instances of such threats occurring once in a ‘blue moon’. The real issue and biggest risk to confidential data, is the negligent employee, more commonly categorised as the ‘Unintentional Insider Threat’.
It is common that when a cyber security professional attempts to speak with C-level management about mitigating and even preventing the Insider Threat, the feedback they receive is along the lines of, ‘everyone here is happy. We don’t have disgruntled employees, so we don’t have to worry about Insider Threat!’
Perhaps that is true. But, if you ‘turn the conversation on its head’ and talk about the Insider Threat as unintentional threats; employees who make mistakes – inadvertently causing harm – executives listen.
A Verizon 2015 data breach investigation report showed that ‘Insiders’ are responsible for 90% of security incidents and of these 29% are deliberate and malicious whilst 71% are unintentional, with misuse of systems, log-in/log-out failures, with cloud storage leading the way.
There is no doubt that organisations that understand, address & focus on minimising the damage from the Insider Threat, are going to be the companies that win. And, remember, even if your technologies are not obsolete, you will still need to augment your security protocols for Insider Threats and Unintentional Insider Threats.