Data breaches have risen steeply over the past decade. Between 2009 and 2019, the number of data breach incidents grew by 196 percent. More concerningly, the number of records compromised in each data breach incident has risen as well. The 471 million records exposed by data breaches in 2018 more than doubled the previous record, sending shockwaves through the cybersecurity world and emphasizing the need to take action to prevent the ongoing trend of large, frequent breaches from continuing in the future.
Unfortunately, this is easier said than done. Although it is tempting to think of breaches as being exclusively caused by malicious cybercriminals hacking corporate networks, the truth is that a significant portion are caused—or, in the case of phishing attacks, at least facilitated—by insiders. In fact, the most recent Verizon Data Breach Investigations Report (DBIR) revealed that 30 percent of breaches are caused by an internal actor. This means that stopping data breaches isn’t as simple as strengthening perimeter or in-network protections from outside attacks. It requires a thorough understanding of the underlying causes of these internal breaches, and the potential warning signs that employees may be exhibiting—whether they know it or not.
Profiling Every Company’s Most At-Risk Employees
When we think of “insider data breaches,” it’s tempting to think about employees who are intentionally harming the organization or personally benefitting from leaking data; however, it’s important to remember that the majority of internal breaches aren’t malicious. There are plenty of cyberattacks designed specifically to exploit tired, overworked, or otherwise unobservant employees, capitalizing on the sort of easy-to-make mistakes that humans are particularly susceptible to. After all, that’s why they call it “human error.”
If an employee clicks a link in a spear phishing email and tries to input their login credentials, that is technically an “internal” breach (even though the scam obviously originates externally) because it was directly facilitated by an action taken by an internal actor. Similarly, sending an email with personal data in it to the wrong Paul or Rachel because autocomplete suggested the incorrect name is still a breach, even if it was purely accidental. What’s more, given the current remote working situation for workers across the globe—one that has resulted in a 23 percent increase in email activity for businesses—there is greater potential than ever for these errors.
Is it possible to put an end to this sort of breach? It hardly seems reasonable to expect an organization to singlehandedly defeat human error, or for CISOs and their security teams to be able to predict the unpredictable. After all, even the employees themselves don’t know when they’re about to make a mistake—that’s what makes it a mistake!
Fortunately, the answer is yes: today, it is possible for organizations to recognize the types of employees who may be more susceptible to risky behavior than others, and address the matter accordingly. In addition to training and education, the solution to the problem involves looking at technical measures to help shore up defenses and mitigate data breaches in real time. There is an increasing number of security tools capable of identifying anomalous employee behavior, and the process starts with recognizing the most likely culprits. Below, I will identify the six employee profiles that our research has shown to be most likely to be the cause of an internal breach.
1. Keen Katherine
Employers and employees alike would likely agree that ambition is a valuable thing to have in the workplace. Employees looking to get ahead are more likely to go the extra mile, do the extra work, and ensure projects succeed so that they get noticed. Employees who fall under the ‘Keen Katherine’ umbrella are likely to answer emails quickly—especially emails from company higher-ups—or they may add extra people to email chains so that their accomplishments don’t go unnoticed.
Unfortunately, this has its drawbacks. An employee who is overly eager to impress the CEO is one who is also more likely to fall for spear phishing attacks—especially if they’re new to a company or work in departments like finance or HR, both of which make them prime targets for attackers. By adding extra people to email chains, this type of employee is also more likely to open personal data up to unauthorized access. They run the risk of attaching an unauthorized party to an email containing confidential or otherwise sensitive information, leaving it exposed. Ambition is good, and employees should be encouraged to pursue professional development—but they cannot let that ambition cloud their judgement. Lending these employees a hand by flagging incorrect email recipients (often a sign of spear phishing attempts) can be a big help.
2. Confident Chloe
Like Keen Katherine, Confident Chloe is an employee who means well. Chances are, this employee has been at the company for a while, and has been through security training a number of times. They probably even consider themselves knowledgeable about security in general—and feel confident that they’re far less likely to fall for silly email scams than their colleagues.
Naturally, it’s good for employees to have security knowledge, and a little confidence can be a good thing in the workplace. Unfortunately, confidence can quickly become overconfidence, and employees who think they know every potential pitfall are less likely to pay attention to potentially risky behavior. Email encryption might slip this employee’s mind because they trust the intended recipient. They might also neglect to report potential incidents because they think they know best. Unfortunately, they often don’t know best, and having automated email security in place can help avoid leaving the organization vulnerable in the event that something goes wrong.
3. Tired Tim
Tired Tim isn’t malicious, either—just tired, with too many things on his plate. Maybe he has a new baby at home that isn’t letting him sleep. Maybe he’s a social creature who burns the candle at both ends. Or maybe his job simply requires him to travel a lot, or keep odd hours. Whatever the case, studies have shown that tired employees are considerably less effective than their well-rested counterparts, and more prone to mistakes. Unfortunately, in today’s business world, “mistakes” can carry significant consequences and lead to breaches.
An employee who is tired or disengaged probably isn’t going above and beyond. Sure, they may do the required security training, but they are unlikely to attend non-mandatory sessions or read the company handbook too closely. Not only that, but they are more likely to make simple errors like sending the wrong attachment, emailing the wrong person, or forgetting to use the BCC field. The ability to detect incorrect email recipients can go a long way toward avoiding the damage that tired employees can cause.
4. Reckless Raj
One step past tired employees are employees who are just plain reckless. Reckless Raj represents those employees at every organization who simply “don’t have time” for the extra steps that many security tools add. An employee meeting this profile is generally more than happy to cut corners, possibly even use software programs that he prefers rather than the ones the organization has provided him with. Reckless Raj likely doesn’t view this behavior as irresponsible, either: he sees it as enabling him to get his job done more quickly and efficiently, and shouldn’t his employer appreciate that?
The answer is no, of course. Not only does this behavior violate company policy, but by not taking the time to encrypt emails or double-check their content or recipients, employees like Reckless Raj run the risk of exposing valuable information. It’s best to try to correct this behavior through training and, if necessary, formal performance review measures, but having tools in place to automate security for potentially sensitive data can provide a valuable backstop against future reckless behavior, and is far better than having to deal with a breach that has already happened.
5. Sneaky Sara
This is where things start to get a bit gray. Employees who fit the “Sneaky Sara” profile aren’t exactly malicious, but they certainly aren’t conscientious, either. Sneaky Sara is the type of employee eager to advance her career, whether at her current firm or a competitor. When changing jobs, she will likely send a list of her clients or other valuable information to her personal email address to give herself a head start at her new job and avoid losing years of valuable contacts and relationships. She probably knows this behavior isn’t okay, but she doesn’t view it as wrong. After all, it’s the product of her own hard work.
Exfiltrating privileged data is itself a data breach, regardless of whether a person feels that they have ownership of data. What’s more, removing it from the corporate network, where it is protected, to a personal email address with unknown security carries obvious risks. Once outside the network, the company has no way of protecting this data or controlling how it is disseminated, and hackers deflected by the company’s security tools might find that they have a much easier time infiltrating a lone employee’s email account. Today, there are tools capable of detecting anomalous email behavior and even blocking certain data from being shared inappropriately, making it harder for the Sneaky Saras of the working world to expose their employers to this sort of risk.
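The two email mistakes described above (an autocomplete lookalike recipient, as with Tired Tim, and a first-time send of data to a personal webmail address, as with Sneaky Sara) can be caught with simple per-sender baselines. The following Python sketch is an added example, not code from the original article or any product it refers to; the personal-domain list, the threshold and the message history are assumed sample data.

```python
"""Toy outbound-email checks built on a per-sender history of past recipients.
All history and messages below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass, field

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list


@dataclass
class Message:
    sender: str
    recipients: list
    attachments: list = field(default_factory=list)


def build_history(sent):
    """Count how often each sender has emailed each recipient before."""
    hist = {}
    for m in sent:
        for r in m.recipients:
            hist.setdefault(m.sender, Counter())[r.lower()] += 1
    return hist


def check_message(msg, hist, min_known=3):
    """Return (recipient, reason) warnings for one outbound message."""
    known = hist.get(msg.sender, Counter())
    warnings = []
    for r in msg.recipients:
        r = r.lower()
        local, _, domain = r.partition("@")
        if known[r] >= min_known:
            continue  # well-established contact; nothing to flag
        # Autocomplete lookalike: same local part as a frequent contact, other domain
        lookalikes = [k for k, n in known.items()
                      if n >= min_known and k.split("@")[0] == local and k != r]
        if lookalikes:
            warnings.append((r, f"possible misdirected email; did you mean {lookalikes[0]}?"))
        # First-ever send of attachments to a personal webmail domain
        if domain in PERSONAL_DOMAINS and msg.attachments and known[r] == 0:
            warnings.append((r, "first-time send with attachments to personal webmail"))
    return warnings


# Constructed sample history: alice regularly emails paul.smith@acme.example
HISTORY = build_history(
    [Message("alice@acme.example", ["paul.smith@acme.example"]) for _ in range(5)])

if __name__ == "__main__":
    suspect = Message("alice@acme.example", ["paul.smith@partner.example"], ["clients.xlsx"])
    for warning in check_message(suspect, HISTORY):
        print(warning)
```

In practice the warning would be surfaced to the sender before the message leaves, which is the "correct their own errors before they are made" model the article advocates.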
6. Agitated Alan
Like Sneaky Sara, Agitated Alan works hard to get ahead. But unlike Sneaky Sara, it hasn’t exactly worked out for him. Maybe he was passed over for a promotion at work, or disciplined for something that he doesn’t believe was his fault. Maybe he’s mad at his boss for perceived mistreatment, or has a personal gripe with a political stance the company has taken. Whatever the case, Agitated Alan has strong feelings of resentment against his employer and is likely to attempt to exfiltrate valuable data in much the same way as Sneaky Sara. Unfortunately, he is less likely to restrict that information to his personal use.
Although the warning signs are different, the solution for Agitated Alan is much the same as it was for Sneaky Sara. Having tools in place that understand what constitutes normal and abnormal behavior, along with compliance reporting as appropriate, can help put a stop to this behavior—or at least make administrators aware of it before it does any serious harm. Agitated Alan is the most malicious of these profiles, but even he may believe he has a good reason for doing what he’s doing, and knowing the circumstances and mindset likely to precipitate this type of risky action can help nip it in the bud.
Preventing Human Error is a Difficult Task—But We are Getting There
Human error can’t be avoided. People have always made mistakes, and they will almost certainly continue to do so until the end of time. Added to this, too many people are afraid to admit when they have made such an error, and too many organizations reinforce this behavior by issuing harsh punishments for honest mistakes.
With today’s technology, organizations have the ability to forge a new path forward. By understanding employees’ behaviors and the specific mistakes they’re likely to make—as well as the underlying causes—they can put appropriate protections in place to not only prevent breaches from happening, but allow employees to correct their own errors before they are made. Prevention, rather than punishment, is the future. As security tools grow smarter and increasingly capable of detecting abnormal or mistaken behavior, email-driven breaches will only become easier to prevent.