Thursday, May 26, 2016

Insiders are today’s biggest security threat

Colossal data breaches have grabbed the nation’s headlines for the past couple of years. Each incident prompts solemn corporate pledges to do everything possible to prevent a recurrence.
However, the cycle of alarm, dismay and reassurance, along with the hasty measures that typically follow, is now almost ritual. The response to violations of data formerly considered secure has morphed from shock to shrug. Attacks on institutional and corporate databases have become the new normal. And a generation of workers accustomed to information sharing has grown numb to its negative consequences.

Most of the high-profile attacks on corporate data centers and institutional networks have originated outside of the victimized organizations — in many cases from halfway around the world. But the network openings that allow outside cyber attackers to burrow in, infect databases and potentially take down an organization’s file servers overwhelmingly originate with trusted insiders.
In some cases, those insiders are driven by malicious intent — the desire to enrich themselves through the sale of sensitive data or to retaliate for a perceived slight or mistreatment. There are also cases where a company’s third-party contractors, vendors or temporary workers — essentially privileged users — have been responsible for their client’s network breaches, either through malice or by accident.
However, according to a worldwide survey of Information Security Forum (ISF) members, the vast majority of those network openings were created innocently through accidental or inadvertent behavior by insiders without any intention of harming their employer. In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly run-of-the-mill task like taking files home to work on in their own spare time.
When it comes to sensitive health-care data, according to the U.S. Department of Health and Human Services Office for Civil Rights, the Top 5 breaches for the first few months of 2016 didn’t even involve malicious IT hacking. Instead, theft, loss, improper disposal and unauthorized email access or disclosure were behind the largest incidents in 2016.
There are three types of risky insider behavior, each requiring a different approach:
Malicious: Malicious insider behavior combines a motive to harm with a decision to act inappropriately. For example, keeping and turning over sensitive proprietary information to a competitor after being terminated.
Negligent: Negligent behavior can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognize the importance of compliance, their workarounds can be risky.
Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones. According to Verizon’s Data Breaches Incident report, accidents accounted for almost 30 percent of the information security incidents in 2015.
