Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
Security Leadership and ManagementCybersecurity News

Enterprises at Risk from Accidental Insider Threats

Accidents, more than malice, lead to data compromise.

By Steve Durbin
bored-enews
April 26, 2016

On November 2, 2011, the day before a G-20 conference of world leaders was slated to open in Cannes, an FBI agent unwittingly left a folder on the counter of a Lebanese restaurant.  It was an ordinary-looking binder, and the restaurant’s proprietor quickly realized that one of his guests must have left it behind.  So he opened the folder to determine its owner and was astonished by what he was seeing. 

It contained meticulous plans of the fifth floor at the prestigious Carlton Hotel, the floor where President Obama was scheduled to stay during the conference.  Beyond that, it included details about each of the president’s travel routes starting from his arrival at Nice Côte d'Azur Airport through to his departure.  It was precisely the sort of information that an aspiring assassin would have killed for.

Inside or Outside?

The agent’s inadvertent leak, while potentially grave, was actually not that unusual.  In fact, accidental data breaches by people entrusted with sensitive information are both more frequent and of greater concern than either acts of overt data theft or of sabotage originating from outside.  While estimates vary, more than half the incidents reported in 2014 were a direct result of insider behavior.  A recent survey of IT professionals by Kaspersky Lab determined that 29 percent of all businesses had reported accidental disclosures by insiders as their single largest source of lost data – bigger than either software vulnerabilities or outright theft. 

While many of those accidents produced no real damage, others resulted in significant financial penalties, intrusive scrutiny from regulators, and serious damage to the organization’s reputation. 

Ironically, though, the concern that preoccupies data security professionals at most organizations today has to do with thwarting deliberate, malicious attacks by outsiders – not with preventing accidental breaches from within.  That’s understandable, and there are good reasons for paying attention to malevolent outside threats.  Sony Pictures, believed to have been hacked by North Korea, perhaps with insider help, offers an emphatic case in point. 

But there are also compelling reasons to focus more attention on the threat of inadvertent disclosures originating with trusted insiders.  And that threat continues to grow, accelerated by the proliferation of mobile devices, hyper connectivity, faster employee turnover and eroding workplace loyalty.  Preventing it, however, involves more than simply tracking down a few bad apples.

Understanding Impact and Likelihood of Insider Threats

To understand the risk posed by insiders, ask yourself what happens when employees break trust and the likelihood of such incidents in your organization.  Start with privileges.

Most workers need privileges to perform their roles responsibly.  A payroll manager, for example, has an obligation to ensure employees are paid the correct amount, which in turn requires access to sensitive salary information.

That privilege should be accompanied by technical and management controls so access to payroll data is restricted to authorised individuals, reducing the likelihood of fraud.  But privileges require a degree of trust.  So the payroll manager is trusted not to divulge salary data maliciously, to store it negligently, or to accidentally email it to inappropriate recipients.

The Information Security Forum (ISF) has identified three types of risky insider behavior:

Malicious:Combines a motive to harm with a decision to act inappropriately, such asan employee keeping sensitive proprietary information after termination and providing it to a competitor as.  Whistleblowing is also intentional, but the intent tends to be based on ideology. 

Negligent:Can occur when people look for ways to avoid policies they feel impede their assignments.  While most recognize the importance of compliance and have a general awareness of security risks, their workarounds can be risky. 

Accidental:  More common than malicious acts, according to most ISF Members.  They involve almost 30 percent of the information security incidents in Verizon’s 2015 Data Breach Investigations Report, which identified the top categories of miscellaneous errors as misdelivery, publishing error and disposal error.

Inadvertent Leaks

Two of the three categories are unintentional.  With negligence, an employee might knowingly work around a company’s data security policy, but usually for good reason, like taking work home to meet a deadline.  However doing so unintentionally exposes sensitive information.  While negligent behavior isn’t motivated by malice, it involves a conscious decision to act inappropriately.  For instance, a worker transferring documents using a consumer-grade file hosting service that gets hacked, or saving it to an unencrypted thumb drive, tablet or laptop that gets misplaced. 

With accidental breaches, the individual has not made a conscious decision to act inappropriately.  A “fat finger” error would be a classic example, where an accidental keystroke – sometimes magnified by a computer’s eager-to-help autocomplete feature – ends up sending an email and its attachments to the wrong address. 

Mistakes will continue to happen.  But can anything be done to reduce their unintended consequences?  We’ve found that it can.  Part of it is operational.  The rest is behavioral.

Under operations, it involves assessing the value of information that insiders are being trusted to handle, then implementing controls to align information sensitivity with individual job requirements.  Formulating and rehearsing standby plans to handle potential disclosure incidents – not unlike fire drills – is an important element of those measures.

Culture of Trust and Awareness 

Even then, what is fundamental to the success of any organization’s information policies and controls – including carefully-crafted and well-rehearsed ones – is its culture.  Securing understanding, trust and support from the company’s own employees is essential.  Recognizing the value of information they’ve been entrusted with must become a basic tenet of the company’s culture, and everyone needs to understand their personal stake in the organization’s success. 

That sort of trust and engagement doesn’t automatically flow from occasional CEO memos or scripted pre-shift pep talks.  It comes from the example set by senior management in living out best practices.  Trust is earned.  The actions of CEOs are constantly being watched, rumored and whispered among employees at every level of an organization.  What they see and what they say can either reinforce or undermine the company’s formally stated principles.

When employees experience their senior managers behaving in a fair and trustworthy fashion, it helps to build a culture that resonates throughout the company’s workforce.  That culture, in turn, is strengthened whenever managers make clear, in both word and deed, that corporate security policies apply to everyone with privileges– from the C-suite down to the shop floor.  Respect begets respect; disrespect begets disloyalty.

Recommendations for Managing the Risks

  • Assess Insider Risk
  • Apply Controls
  • Align Responsibilities and Privileges
  • Foster a Culture of Trust
  • Recognize Trust Works Both Ways

Conclusions

Organizations need to trust their insiders to protect the information they handle, but will always face the risk of that trust being violated.  To embrace a deeper understanding of trust, organizations must understand where and how they are trusting their insiders, then augment technical and management controls by helping people to become more worthy of the trust placed in them.  In return, organizations should foster a culture that makes the organization worthy of their trust.

Lesson Learned

Sometimes the results can be gratifying.  Once he grasped the significance of his discovery, the restaurateur called the FBI, whose agents arrived within minutes.  After urgent questioning to make sure he hadn’t photocopied and distributed the documents to terrorists, the relieved and grateful agents, now duly chastened and resolved to being more careful in the future, returned to enjoy lunch at the proprietor’s Middle Eastern restaurant for each remaining day of the G-20 conference.  

KEYWORDS: cyber risk mitigation data data breach insider threats

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Steve durbin ceo isf
Steve Durbin is CEO at the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Enterprise Services
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

Events

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Security newswire default

    New Report Reveals How Accidental Insider Threats Put Organizations at Real Risk

    See More
  • insider threat

    The Human Element: Insider Behavior Facilitates Cyber Attacks, Erodes Business Trust

    See More
  • cyber-data-freepik1170x658x82.jpg

    7 steps to combat cybersecurity threats in times of instability

    See More

Related Products

See More Products
  • physical security.webp

    Physical Security Assessment Handbook An Insider’s Guide to Securing a Business

  • Risk-Analysis.gif

    Risk Analysis and the Security Survey, 4th Edition

  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing