Larcenous, careless, curious employees are major source of data breaches

July 16th, 2010

Identity management firm Cyber-Ark Software recently released results of its fourth annual “Trust, Security and Passwords” global survey of more than 400 senior IT professionals in the United States and the United Kingdom, mainly from large corporations. In this LastWatchdog guest blog post, Adam Bosnian, Executive Vice President Americas and Corporate Development, expounds on why employees represent a notable threat.

By Adam Bosnian

Organizations remain highly susceptible to losing valuable intellectual property to the very people they hire to utilize and protect it—their own employees.

For the fourth year in a row, more than 30 percent of respondents to our annual “Trust, Security and Passwords” global survey confessed to abusing powerful and often-anonymous administrative passwords to snoop on sensitive or confidential information.

Some 35 percent of respondents, most of whom are IT professionals, believed their company’s data had already been sabotaged and passed along to a competitor—whether intentionally or not. As the survey results suggest, it is critical to understand that providing employees with unfettered access to data can lead to severe consequences. Organizational protocols that ignore these threats and rely on trust alone are dangerous and threaten business sustainability.

Unmonitored access and over-granting of privileges remain prevalent security issues. More than one-third of our survey respondents pinned ex-employees as the culprits behind stolen data. This should surprise no one. Disgruntled workers, often victims of the recession and a non-performance-related termination, typically have the most to gain and the least to lose in these instances, and they are among the riskiest insiders. In a recent example, a senior database administrator at GEXA Energy, a Houston retail electric utility provider, was sentenced to one year in prison for hacking into the computer network of his former employer and damaging a customer database. The administrator had his credentials revoked at the time of his departure, but was still able to gain access and send malicious commands.

With applications running on-premises and in cloud environments, insider attacks can come from anywhere. As more and more corporate data is stored off-premises, for example, companies intentionally or unintentionally allow broad access to sensitive data via cloud-based services or mobile devices. This increases exposure to internal espionage and external hacks. In these instances the employee, whether the pawn or the aggressor, plays a significant role in the interception.

The proliferation of administrative and privileged accounts with elevated access to sensitive data and systems doesn’t help. Without the proper controls in place to monitor and manage the related passwords and users, including granting privileges on-demand rather than permanently, the threat level remains substantial.
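The two controls named above, on-demand (time-bound, approved) privilege grants and monitoring of who actually used a privileged account, can be illustrated with a small ledger and an audit pass over access logs. The following is an added example written for this post, not Cyber-Ark product code and not anything the survey describes; the `PrivilegeLedger` class, the log-line format and the user names are constructed for illustration. The scenario also covers the revoked-credential case from the GEXA Energy paragraph: a user whose grants were closed at offboarding still appears in the log, and the audit flags that action.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Grant:
    """One time-bound, approved elevation of a user to a privileged role."""
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime
    approver: str
    reason: str
    revoked_at: Optional[datetime] = None


class PrivilegeLedger:
    """Hypothetical just-in-time grant record (not a vendor API): every privileged
    action can be tied to a named person, an approver, a reason and a time window."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def grant(self, user: str, role: str, approver: str, reason: str,
              now: datetime, ttl: timedelta = timedelta(hours=1)) -> Grant:
        # Two-person rule: a requester may not approve their own elevation.
        if approver == user:
            raise ValueError("self-approval is not permitted")
        g = Grant(user, role, now, now + ttl, approver, reason)
        self.grants.append(g)
        return g

    def revoke_user(self, user: str, now: datetime) -> int:
        """Offboarding hook: close every open grant for the user; returns how many."""
        closed = 0
        for g in self.grants:
            if g.user == user and g.revoked_at is None:
                g.revoked_at = now
                closed += 1
        return closed

    def is_active(self, user: str, role: str, at: datetime) -> bool:
        """True if some grant covers (user, role) at the given instant."""
        return any(
            g.user == user and g.role == role
            and g.granted_at <= at < g.expires_at
            and (g.revoked_at is None or at < g.revoked_at)
            for g in self.grants
        )


def parse_log_line(line: str) -> Tuple[datetime, str, str, str]:
    """Parse a constructed audit line: '<iso-timestamp>Z user=<u> role=<r> action=<a>'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ts, kv["user"], kv["role"], kv["action"]


def audit(ledger: PrivilegeLedger, log_lines: List[str]) -> List[str]:
    """Return one finding per privileged action that had no active grant at that moment."""
    findings = []
    for line in log_lines:
        ts, user, role, action = parse_log_line(line)
        if not ledger.is_active(user, role, ts):
            findings.append(f"{ts.isoformat()} {user} used {role} for {action} without an active grant")
    return findings


def build_sample_scenario() -> Tuple[PrivilegeLedger, List[str]]:
    """Constructed data: two approved grants, one offboarding, five privileged actions."""
    t0 = datetime(2010, 7, 16, 9, 0, tzinfo=timezone.utc)
    ledger = PrivilegeLedger()
    ledger.grant("alice", "dba", approver="bob", reason="ticket-1234 index rebuild", now=t0)
    ledger.grant("carol", "dba", approver="bob", reason="ticket-1240 backup check",
                 now=t0 + timedelta(minutes=30), ttl=timedelta(hours=2))
    # carol leaves the company at 10:00; offboarding closes her grant early
    ledger.revoke_user("carol", t0 + timedelta(hours=1))
    log_lines = [
        "2010-07-16T09:15:00Z user=alice role=dba action=ALTER_INDEX",  # inside alice's window
        "2010-07-16T10:30:00Z user=alice role=dba action=DROP_TABLE",   # alice's grant expired
        "2010-07-16T09:45:00Z user=carol role=dba action=SELECT",       # inside carol's window
        "2010-07-16T10:20:00Z user=carol role=dba action=DELETE",       # after carol was offboarded
        "2010-07-16T09:50:00Z user=dave role=dba action=SELECT",        # dave was never granted dba
    ]
    return ledger, log_lines


def run_sample_audit() -> List[str]:
    ledger, lines = build_sample_scenario()
    return audit(ledger, lines)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Three of the five actions are flagged: the expired grant, the use after offboarding, and the user who was never granted the role. The design point is that the shared, anonymous administrative password the survey respondents admit to abusing has no place in this model; each action is attributed to an individual with an approver and an expiry, so "who did this, and were they allowed to at the time" is answerable from the ledger alone.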

Finally, we must always consider the human element at play—it is human nature to want to snoop around and uncover sensitive information you have no right to access. In other words, people are people, and bad things can happen accidentally or maliciously when curiosity gets the better of us. It is vital to maintain organizational accountability for the loss of, and inappropriate access to, sensitive corporate data and intellectual property.

While employees are frequently to blame, it is ultimately the organization’s responsibility to set and enforce access policies. While trust may be a valuable tenet in your human resource program, it has no validity as a security policy.

About the author:

Adam Bosnian is Executive Vice President Americas and Corporate Development at Cyber-Ark Software. He has more than 15 years of experience in defining and implementing successful security strategies. Bosnian was Vice President of Sales and Marketing at Elron Software (acquired by Zix Corporation). Prior to Elron, Bosnian served in a series of marketing executive roles at InterSense, Spacetec Corporation and New Media Graphics Corporation. He holds a Bachelor of Science in Electrical Engineering from Worcester Polytechnic Institute.