With over 1,100 internal security breaches occurring in UK businesses every day, when mitigating the risk of data loss the first place to look is probably your own employees.
Awareness of internal security is growing, in part due to the Edward Snowden effect. In taking files from the NSA to the world's media, Snowden was the source of one of the highest profile information leaks of all time. But at the time of his getting access to those files, Snowden was not in fact an employee of the NSA. He was a contractor.
Now, this might seem like a bit of an irrelevant distinction, but in fact it is an important consideration.
The extended organisation
In our recent research report, 'From Brutus to Snowden: a study of insider threat personas', we dissected how attitudes to security differ across demographics, industries and job roles.
The research was based on a survey of 2,000 UK and US-based office workers, and one split we looked at was the relationship those workers had with their employers. That way we were able to see the difference between full and part-time employees, vendors, partners and contractors.
Many of the results were startling. Looking at the habits of password sharing (a common cause of internal security breaches, and the way Snowden managed to get access to colleague's files), partners and vendors appear to be far worse than any other group.
Those who described themselves as vendors in particular seem to share passwords as a matter of course, with 73% having shared theirs with one or more colleagues compared to the organisational average of 23%. Partners are also twice as likely (46%) than average to share passwords.
If you consider another big security breach, the one that hit US retailer Target, you can see in practice the potential security weakness that the extended organisation constitutes. The breach occurred via email phishing, sent not to employees of Target, but to employees of an HVAC firm working with the business.
One of the reasons why a vendor, partner or contractor might not have the same attitudes to your business' security is that they do not have quite the same incentive to be conscientious as a full-time employee.
Another group that lacks this kind of incentive is, of course, ex-employees. And our research dug up some interesting insights about them too.
In fact according to our research, at least a third of all ex-employees are aware that they continue to have access to data and systems from their former workplace. This number is also a lot greater for younger generations, as high as 58% of those aged 16 to 24 and 48% for 25 to 34-year-olds. This suggests that generally, those who have left a job more recently are likely to have continued access to their ex-employer's data or systems.
Furthermore, 9% of all desk-based workers have not only had access, but used it. That's almost one in 10 having gone into the systems or data of a former employer.
Tackling the problems
The issue of ex-employee network and data access is, when you think about it, absurd. It is so simple to restrict access to former employees, just by making password changing and account deactivation a systematic part of the termination process. However, clearly a significant proportion of businesses are failing to do this.
The wider extended enterprise on the other hand – partners, vendors and contractors – represents a more complex problem. Your normal full-time users (should) undergo security training and you have more opportunity to educate them on appropriate working practices. A partner organisation may require access to your systems and data in order to operate, but its employees are less educated on your security policy, and even if they were, they have less incentive to follow it.
The only answer here is to employ technology to help solve the problem. Integrate solutions that combat bad practices such as password sharing right into your systems in order to tackle them. You may not be able to require a vendor's employees to attend a training session, but you can ask them to agree to usage terms and notify them of your policy via technology.
Whether considering ex-employees, vendors, contractors or partnership organisations, the broader message is that insider threats are not limited to your current full or part-time employees. Internal security has to be end to end. In fact it is arguably more important to apply across your extended organisation and even beyond to those who have left the business.
- Francois Amigorena is founder and CEO of IS Decisions