The Human Element: Insider Behavior Facilitates Cyber Attacks, Erodes Business Trust

By Steve Durbin
November 2, 2017

The mysterious foreign villains striking the largest companies and political organizations from the dark corners of the Internet tend to get the splashy headlines. However, the network openings that allow outside cyber-attackers to burrow in, infect databases, and potentially take down an organization’s file servers overwhelmingly originate with trusted insiders.

No business is immune from cybercrime, and the theft of personal information and intellectual property will increase as the ability to turn raw data into money-spinning opportunities increases. The response to cybercrime is a business decision – and is all about risk management. Between human error and malicious insiders, time has shown us that the majority of data breaches originate inside company walls.

In some cases, those insiders are driven by malicious intent – either to enrich themselves by selling sensitive data or to retaliate for perceived mistreatment. There are also cases where a company’s third-party contractors, vendors or temporary workers with access credentials have been responsible for their clients’ network breaches through ill intent, negligence or accidental disclosure.

According to a worldwide survey of Information Security Forum (ISF) members, the vast majority of those insider-originated network openings are created without any intention of harming the employer. In a number of cases, vulnerabilities resulted from trusted employees going about their normal work routine: taking files home to work on in their own spare time, or unsuspectingly opening a phishing email or clicking on a malicious link.

A recent report highlighted that 42 percent of healthcare data breaches analyzed were “accidental disclosures.” A brief review of reported incidents on the U.S. Department of Health and Human Services Office for Civil Rights site shows several sizable breaches (and many more involving fewer than 10,000 records) due to laptop theft, loss, improper disposal, and unauthorized email access or disclosure over the last two years.

Recent ISF research developed a classification of insider breaches that identifies three basic types of risky insider behavior. Each type requires a different approach.

Malicious: Malicious insider behavior combines a motive to harm with a decision to act inappropriately. An example is the disgruntled or conniving employee who turns over sensitive proprietary information to a competitor after being terminated.

Negligent: Negligent behavior can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognize the importance of compliance, their workarounds can be risky.

Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones. According to Verizon’s 2017 Data Breach Incident Report, errors accounted for 14 percent of breaches. Social attacks accounted for 43 percent of breaches, and one in 14 users was duped into opening an attachment or following a link, many of them more than once.

 

Unintentional Damage

A loyal employee’s weekend work on a confidential company document, downloaded over their local coffee shop’s Wi-Fi, can expose the user and their employer to anyone within range who wants to piggyback on the employee’s session and gain access to sensitive files. The same applies to moving data over consumer-grade FTP services, responding to authentic-looking phishing messages, careless password management, misplacing devices containing privileged information, visiting an infected website, or opening a Trojan horse attached to a seemingly normal email.

A typical accidental breach might involve misspelling an email address (often compounded by the autocomplete feature), which results in the message and its attachments going to the wrong person.
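The misaddressed-email case above is one of the few accidental disclosures that a simple pre-send control can catch. The following is an added illustration written for this page, not code from the article or from the ISF: it flags recipients whose domain is a close edit-distance neighbour of a domain the organisation normally corresponds with (the autocomplete typo), and separately flags attachments going to consumer mail services or to domains the organisation has never seen. The trusted-domain list, the consumer-mail list and the sample recipients are constructed for the example; a real deployment would feed it from the mail gateway's address book and DLP policy.

```python
"""Pre-send check for the misaddressed-email failure mode.

Added example for this article (not the author's or the ISF's code). Flags:
  * a recipient domain that is a near-miss (typo) of a known trusted domain
  * an attachment going to a consumer mail domain or an unknown external domain
TRUSTED_DOMAINS and CONSUMER_MAIL_DOMAINS are constructed sample data.
"""

from dataclasses import dataclass

# Constructed: domains the organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"example-corp.com", "partner-bank.example", "lawfirm.example"}

# Constructed: free-mail domains; attachments here often mean "working from home"
# over personal email, which the article lists as a common accidental leak path.
CONSUMER_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# One or two edits covers a mistyped letter, a dropped character or a swap.
MAX_TYPO_DISTANCE = 2


@dataclass
class Finding:
    recipient: str
    reason: str
    severity: str  # "block" (almost certainly a typo) or "review" (needs a human look)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address; tolerates surrounding whitespace."""
    return address.rsplit("@", 1)[-1].strip().lower()


def nearest_trusted(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain closest to `domain` and its edit distance."""
    best = min(trusted, key=lambda t: levenshtein(domain, t))
    return best, levenshtein(domain, best)


def check_message(recipients, has_attachment: bool, trusted=TRUSTED_DOMAINS):
    """Evaluate every recipient; returns a list of Finding (empty means clean)."""
    findings = []
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom in trusted:
            continue  # exact match with a known correspondent
        near, dist = nearest_trusted(dom, trusted)
        if 0 < dist <= MAX_TYPO_DISTANCE:
            # One keystroke away from a real partner: the autocomplete typo case.
            findings.append(Finding(rcpt, f"domain looks like a typo of {near}", "block"))
            continue
        if has_attachment and dom in CONSUMER_MAIL_DOMAINS:
            findings.append(Finding(rcpt, "attachment to consumer mail domain", "review"))
        elif has_attachment:
            findings.append(Finding(rcpt, "attachment to unknown external domain", "review"))
    return findings


if __name__ == "__main__":
    # Constructed sample message: one good recipient, one typo, one personal mailbox.
    sample = ["alice@example-corp.com", "bob@exmaple-corp.com", "carol@gmail.com"]
    for f in check_message(sample, has_attachment=True):
        print(f"{f.severity.upper():6} {f.recipient}: {f.reason}")
```

The typo check deliberately runs before the attachment check: a swapped-letter domain is the one case where the intended recipient is recoverable and the send should be held, whereas attachments to personal or unknown domains are better routed to a reviewer than blocked outright, or the "workarounds" the article describes under negligent behaviour will simply move to another channel.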

All of that has happened – and it continues to happen so frequently that the result has largely been public fatigue over data leaks. That blasé attitude is not shared by information security professionals; indifference compounds an already thorny problem – one that grows more challenging each year. Frequent, well-intended admonitions urging employees to take security seriously by creating strong passwords, studying policy documents and otherwise doing the right things are too often given lip service or overly broad interpretations.

Boilerplate email disclaimers warning recipients to delete the message immediately if they are not the intended recipient are routinely ignored. Lists of hard-to-remember and frequently changed passwords are typically written down and kept within easy reach of the person’s computer. The distinctions between work and personal information kept on an employee’s mobile devices are increasingly hazy, as are related employer policies. Bring Your Own Device (BYOD) policies create a persistent challenge. Social media use has extended from individuals communicating with one another to organizations interacting with customers, investors and other constituents on a real-time basis.

 

The Payoff

Hard data on the incidence of non-malicious disclosures by insiders is difficult to come by, largely because much of it never gets reported. We suspect the main reason is that in many cases the employee’s inadvertent disclosure – although often a clear breach of written policy – never resulted in any harm. Most people who unexpectedly receive an email with a long file attachment containing other people’s financial, health, or legal information would probably be puzzled and recognize that it was sent in error. So, the data, however sensitive, would never amount to anything more than a curiosity.

But those are not the examples companies typically worry about. The cases where unintended breaches really matter are those where a security gap – created either by trickery or mistake – is recognized and exploited by someone bent on monetizing (through sales or ransom) the proprietary information they have been able to capture. Wholesale opportunities to sell and leverage stolen credit and identity data are available worldwide through a multi-billion dollar industry of darknet sites run by increasingly sophisticated criminal organizations.

 

The Human Element

Combating the wholesale theft of data by limiting the inadvertent actions that could lead to its misappropriation should be a priority for every organization. Investment in technologies that can help to prevent intrusions and protect data from attackers – and there are many such options available – is essential.

However, the most fundamental element of the threat is deeply human. It starts with the proper vetting of employees, looking for signs that the individual has not, in the past, been a responsible steward of information entrusted to them. Applicants whose pasts include questions over managing information should not be brought on board.

Even so, the temptation to categorize job applicants as either good or bad is naive. People who have shown themselves to be untrustworthy in the past are certainly a gamble, but even good people have the capacity to willfully misuse their data privileges. Particularly when someone feels as though they have been mistreated, disrespected, or abused, an otherwise trustworthy person could develop the motivation and ability to retaliate. Therefore, an important part of the solution is to avoid putting employees into situations that are likely to undermine their trust and engender resentment.

 

The Trust Factor

I cannot stress this enough: employees and negligence are the leading causes of security incidents but remain among the least-reported issues. The fightback starts not in the organization but with people, and increasingly in the home. More and more, security professionals need to be reassessing the risks to company data at a personal level: mobile and consumer devices, internet-connected devices, and cloud access and storage both inside and outside the corporate environment.

By 2019, it is projected that mobile devices will capture more data online than all other devices put together, and for many small businesses this is of course already the norm. Against this emerging landscape, security should be aiming to become a strategic and intrinsic part of the way we behave online. For security professionals, this presents challenges, and today’s successful CISOs are increasingly becoming “people’s people” – technically competent but highly business-aware, charismatic individuals with strong people skills.

What is needed is the cultivation of a culture of trust. Cultivating this philosophy is likely to be the single most valuable management step in safeguarding an organization’s mission-critical information assets. After new employees have been satisfactorily screened, continue the trust-building process, starting with onboarding procedures, by equipping them with the knowledge and skills required of trusted insiders.

Expectations of trustworthy behavior – and the consequences of non-compliance – should be made explicit from the outset. Over time, trust should remain an important factor in periodic performance reviews. Mechanisms for anonymously reporting suspicious workplace behavior should be made available to all levels of staff.

Above all, senior management must lead by example. Building a culture of trust around shared values, ethical behavior and truth begins at the top. Security awareness and the importance of cyber hygiene have to be regularly addressed in communications, trainings, and policies. Trust and ethics are increasingly important, not only to information security, but also to customer relationships, brand-building and competitiveness.

Steve Durbin is CEO at the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.