An organization that hires employees trusts them to do their work faithfully and to the best of their abilities. The same applies to its vendors and consultants with regard to company information. In most cases, this information comprises sensitive documents and customer data, which can significantly increase the risk of a data breach. Whether intentional or accidental, data exfiltration can be exorbitantly costly for companies such as private equity firms, proprietary trading businesses, hedge funds, and more.
As more data breaches are publicly disclosed and data leaks take place almost every day, reports and analyses covering issues such as the average cost of a data breach are appearing as well. Given the increasing dependence on colossal amounts of data for the smooth running of a business, understanding why such leaks originate from the inside is now a major concern. A decade ago, a KPMG study reported that the share of cyber attacks caused by malicious insiders was just 4%. Cut to 2017, KPMG announced that the number had risen to almost 90%. This massive increase highlights the fact that the risk of data leaks from the inside is a real and pressing issue.
Today, organizations want to know what exactly drives people to leak data from within their company and what can be done to cut down the risk of such occurrences, all while preserving the identity of the individual and gaining visibility into the reasoning behind it. The solution involves finding a holistic balance between employees, procedures and technologies.
Here we look into some of the factors that drive people to become the cause of a data breach incident within their company.
Individuals are sometimes driven by specific, occasionally unknown, motivating factors. The same is true of potential insider threats in your company. Understanding those motivating factors or intentions can help your company decrease the risk of a data breach.
Typically, there are two types of insider threats: unintentional and purposeful. Of the two, accidental insider threats are generally the greater, and they can have grave consequences.
In either case, data leaks originate with internal staff, or with vendors and independent consultants who have specific access to confidential and sensitive documents and information. While it may not be feasible to cover them all, here are some of the general motivations connected to each category.
Purposeful or malicious insider threats
Based on emotions: If a staff member or employee is bitter, frustrated, jaded or discouraged because of an internal situation involving company management or the workplace, the possibility of that employee acting out purposefully or maliciously is high. For instance, an employee who is frustrated with their role or remuneration could choose to exfiltrate sensitive IP and sell it to a competing firm. These documents could include content regarding investments, quantitative trading logic, client information and credentials, pitches, merger and acquisition details, accounting information and more.
Based on money: This is hardly a surprise, since cash can be a primary motivator for many people. If a staff member is experiencing financial difficulties or is looking to advance their economic status, they may see an opening to exploit their position within the company for monetary gain. For instance, employees who have access to critical data could use their position to obtain high-value documents and sell them. The data could include assets trading, mining, blockade technologies, and high-value processes.
Based on politics: Although there have been numerous instances of state-sponsored data breaches and corporate espionage, such incidents are viewed as unlikely. An employee's main reasons for initiating a data breach could be national pride, political motivations, or these in combination with the two types above. With financial gains and emotional repercussions added, a malicious insider could be motivated to sell or share sensitive documents and information. Data at risk could include high-profile investor credentials, investment data, important project names, and more.
Accidental data breaches
Lack of knowledge: If an employee is unfamiliar with technologies and does not understand the implications of their actions, they risk becoming the source of an unintentional data leak. Companies that have weak data security policies, or overly technical information that is not guarded by a proactive document security solution such as digital rights management, can be at risk of a breach.
Ease of use: Today, simplicity and effortlessness outweigh almost everything else. If an organization has stringent cybersecurity policies, some employees may find ways to bypass them and look for convenient yet unsecured locations to store classified data. For instance, transferring documents and PDF files to cloud storage applications or forwarding classified data to personal accounts to work remotely can be a hazard. If sensitive and confidential data is stored in PDF files, then applying some form of PDF protection such as PDF DRM can go a long way toward ensuring documents uploaded outside of the enterprise are safe from data breaches.
Theft or misplacement: As more and more employees work on the go, the threat of prying eyes trying to get into protected devices and the danger of misplacing or losing company data and equipment can be high. For instance, leaving a smartphone at the local coffee shop or misplacing a company laptop at the airport terminal can result in data breaches.