Paul Dyson, Director of Professional Services & EMEA Operations, Courion

On 17 July 2015, a senior internal auditor was sentenced to eight years for carrying out a data breach against his own company. The case of Andrew Skelton and his deliberate theft of the personal data of so many Morrisons employees is a dramatic example of an insider hack.

Much of the reporting of this story focused on how Skelton became enraged with his employer, after a dispute about using the mailroom for personal parcels. However, it is important to learn from the details of this case because it also highlights how privileged access rights can become a blind spot when organisations are trying to reduce the risks of data breaches and serious electronic crime.

While many data breaches are external attacks, the scale of insider threats and attacks is becoming better understood.

According to the Verizon 2015 Data Breach Investigations Report, 55 percent of all insider breaches in the last 12 months were classed as privilege abuse: in other words, an employee or outsider taking advantage of assigned access privileges. Of these cases, financial gain and convenience were reported as the primary motivators. Companies therefore can't afford to be complacent about how they manage employee user access if they want to protect against data breaches.

Strategies for dealing with a data breach threat from the inside might start with how an organisation monitors for concerning employee behaviours. The behavioural risk indicators to look out for range from the employee being self-centred, entitled and intolerant of criticism, to harbouring feelings of being undervalued. On the other hand, employees least likely to go rogue are those who work well with others, display genuine warmth and compassion and can express their anger and frustration appropriately, according to some US academics.

Clearly, human resource directors and their teams should have the skills to see these indicators and thus play a pivotal role in helping to foster a secure working culture through how staff are recruited, supported and managed. However, while it is possible for an organisation to train line managers to spot odd or suspicious employee behaviour, doing this in isolation without also monitoring what information these employees have access to would be a costly mistake – potentially a two million pound mistake, as Morrisons discovered!

It's also likely that an insider hacker will be as sophisticated as an external one. Indeed, they may have more opportunities to hide their exploit, especially if they are able to operate within the business using multiple accounts under different identities, or possess access privileges from previous roles that are no longer appropriate and should have been terminated long ago. The most renowned incident of this nature was the Societe Generale breach in 2008, where a rogue insider cost the French bank US$7.2 billion (£4.6bn) in fraudulent trades, exploiting personal knowledge and credentials he had carried forward from his previous job as an auditor.

Abuse of privileged user access rights can have far-reaching consequences that are difficult to deter. The good news here is that while there are HR techniques that might spot early signs of suspicious behaviour, there are also more automated ways to predict behavioural patterns.

Users tend to leave footprints wherever they go on the network, and their activities can be collected and scrutinised using predictive analytics. These are able to sift through huge volumes of user activity and pinpoint and analyse the greatest access risks in real time, enabling businesses to quickly identify misuse of access privileges and take appropriate actions to mitigate the potential damage for their organisation before the insider hack occurs.

With the use of real-time access insights, organisations will be able to detect not only existing security vulnerabilities but also potential risk areas and identify the actual causes for these risks. This will result in improved control over how sensitive data is being used and shared by employees, and a better understanding of access risk.

Ultimately, the best practice for protecting your organisation against insider misuse may come down to a much more holistic approach that blends technology with the skills of an organisation's human resources leadership. With the disruptive access intelligence solutions now available, enterprises can weigh the risks to vital assets such as intellectual property and customer information and address them instantly, avoiding the hefty two million pound liability cost!

Contributed by Paul Dyson, Director of Professional Services & EMEA Operations, Courion.