The enemy within: three types of employees that cause data breaches

Negligent employees are the leading cause of data breaches at small and medium-sized businesses across North America and the UK, according to a recent study from Keeper Security.

But what do these incidents really look like on the front line? IT Governance investigates.

1) ‘Gloogle Gate’ – starring Innocent Ian

Ian doesn’t mean any harm. He’s trying his best. But his best isn’t good enough, because this year Ian singlehandedly caused a data breach that cost his company more than £20,000.

Back in February, Ian fell foul of a phishing attack when a seemingly innocuous email from that well-loved search engine ‘Gloogle’ landed in his inbox.

Ian knew to avoid malicious emails – after all, he’d yawned through his organisation’s mandatory staff awareness training when he joined two years ago.

But this email was from Trish in HR (via Gloogle), and Ian could trust Trish. Or so he thought. So, no alarm bells rang when, on clicking through to the ‘project management folder’, he was prompted to re-enter his login details. That prompt, a request to sign in again on a page reached from an email link, is the hallmark of credential phishing.

Unbeknown to Ian, this email wasn’t from Trish. It was from an attacker, and the ‘Gloogle Docs’ page that asked him to log in again was a fake: the moment Ian typed in his username and password, they went straight to the attacker. No exploit and no weakness in the real service was needed. The page simply looked right, and Ian supplied the password himself.

With Ian’s credentials, the attacker could sign in as Ian and reach everything his account held, including other login credentials and company credit card numbers.

Unfortunately for Ian’s employer, the breach wasn’t immediately detected, and it took six weeks before the finance department noticed the influx of fraudulent transactions.
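The ‘Gloogle’ in Ian’s story is a lookalike domain, one or two characters away from the real thing. The check below is an added example, not code from the original article or from IT Governance: it flags a sender address or link whose host is a typosquat of a trusted domain, or that hides a trusted name inside an attacker-controlled one (such as google.com.secure-login.net). The trusted-domain list and every sample address are constructed for illustration.

```python
"""Sender and link lookalike check for 'Gloogle'-style credential phishing.

Added example; not code from the original article. TRUSTED_DOMAINS and
all sample addresses below are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed: domains this hypothetical company treats as legitimate senders.
TRUSTED_DOMAINS = frozenset({"google.com", "company.example"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(address_or_url: str) -> str:
    """Lower-cased host part of an e-mail address or a URL."""
    s = address_or_url.strip().lower()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[-1]
    return urlparse(s).hostname or ""


def classify_host(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> dict:
    """Classify a host as 'trusted', 'lookalike' (naming the domain it imitates) or 'unknown'."""
    # Exact match or genuine subdomain (docs.google.com) of a trusted domain.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return {"host": host, "verdict": "trusted", "impersonates": None}
    # Trusted name buried as a subdomain of someone else's domain: google.com.secure-login.net
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return {"host": host, "verdict": "lookalike", "impersonates": t}
    # Typosquat: within a couple of edits of a trusted name (gloogle.com, gooogle.com).
    # Keep max_distance small; very short trusted names would otherwise match too freely.
    closest = min(trusted, key=lambda t: levenshtein(host, t))
    if levenshtein(host, closest) <= max_distance:
        return {"host": host, "verdict": "lookalike", "impersonates": closest}
    return {"host": host, "verdict": "unknown", "impersonates": None}


def classify_sender(address: str) -> dict:
    """Classify the domain of a From: address."""
    return classify_host(host_of(address))


def suspicious_links(hrefs) -> list:
    """Return the links whose host is a lookalike of a trusted domain."""
    return [h for h in hrefs if classify_host(host_of(h))["verdict"] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample senders, including the one that caught Ian.
    for sender in ["trish@company.example",
                   "drive-shares-noreply@docs.google.com",
                   "no-reply@gloogle.com",
                   "hr@google.com.secure-login.net",
                   "newsletter@bbc.co.uk"]:
        print(sender, "->", classify_sender(sender))
    print(suspicious_links(["https://docs.google.com/folder/1", "https://gloogle.com/login"]))
```

A mail gateway would run the same classification on the From: header and on every link in the body, and either quarantine the message or stamp a warning banner on it before it reaches an Ian. The check is deliberately narrow: it does nothing for a genuine account that has already been compromised and is sending from a real trusted domain, which is why the session and sign-in monitoring on the service side still matters.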

2) ‘What a Mug’ – starring Careless Colin

Colin might be an engineering consultant by day, but his real passion involves loitering in his local branch of Starbucks pretending to be more important than he really is. Last year, this passion cost Colin’s employer dearly.

It was October, and to Colin that meant only one thing – Pumpkin Spice Latte season. Unquenched by his first venti aspartame injection, Colin made a beeline to the counter for round two – leaving his MacBook Air unlocked in the process.

Unfortunately for Colin, there was an opportunist thief in the midst – and before you could utter ‘frappuccino’, Colin’s beloved 13.3-inch slab of aluminum had disappeared into the sunset with its proud new owner.

Not only was Colin left laptop-less, he’d also put the confidential data of his firm at risk – and the consequences were catastrophic.

You see, MacBook Mugger wasn’t dim, and with the laptop still unlocked there was nothing between him and the data inside; it wasn’t long before the value of that information was realised. And so, in just a matter of hours, the personal data of all 4,321 of the firm’s clients was up for grabs to the highest bidder on the dark net. A locked screen and an encrypted disk would have left the thief with a slab of aluminium and nothing else.

3) ‘You’ll Regret That’ – starring Malicious Martin

‘Dedicated’, ‘conscientious’, ‘a real team player’ – none of these are accolades that could be used to describe Martin. But after more than a decade of contributing the bare minimum, Martin was the longest-serving member of the IT administration team – and nobody could take that away from him.

So, when, last month, he was passed up for a promotion in favour of a colleague 20 years his junior, Martin was apoplectic.

Unfortunately for his employers, although Martin rarely exercised his skills, he was highly capable at networking and systems engineering. Blinded by rage, it took him less than five minutes to select and delete his organisation’s entire group directory, causing catastrophic damage. Nothing stood between one disgruntled administrator and an irreversible change: no second approval, no alert, and nothing that could bring the directory back in time.

The business went bust.
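Five minutes of deletions is a very distinctive pattern in a directory audit log, and it is the kind of thing a security operations team can alert on long before the damage is complete. The script below is an added example, not code from the original article or from IT Governance: it reads a simple key=value audit trail, keeps a sliding window of destructive operations per account, and raises one alert when any account crosses a threshold inside that window. The log format, the account names and every line of SAMPLE_LOG are constructed for illustration.

```python
"""Burst detection for destructive directory operations.

Added example for the 'Malicious Martin' story; not code from the original
article. The log format, account names and every line of SAMPLE_LOG are
constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations an administrator should only ever need to perform a few at a time.
DESTRUCTIVE_ACTIONS = frozenset({"DeleteGroup", "DeleteUser", "DeleteOU"})

# Constructed audit trail: a routine change, one account wiping groups in a
# burst, then a helpdesk account deleting leavers' users hours apart.
SAMPLE_LOG = """\
2019-03-04T09:11:58Z actor=trish action=ModifyUser target=cn=ian,ou=users
2019-03-04T09:12:01Z actor=martin action=DeleteGroup target=cn=sales,ou=groups
2019-03-04T09:12:05Z actor=martin action=DeleteGroup target=cn=finance,ou=groups
2019-03-04T09:12:09Z actor=martin action=DeleteGroup target=cn=engineering,ou=groups
2019-03-04T09:12:14Z actor=martin action=DeleteGroup target=cn=hr,ou=groups
2019-03-04T09:12:20Z actor=martin action=DeleteGroup target=cn=marketing,ou=groups
2019-03-04T09:12:31Z actor=martin action=DeleteGroup target=cn=support,ou=groups
2019-03-04T10:00:00Z actor=helpdesk action=DeleteUser target=cn=leaver1,ou=users
2019-03-04T11:00:00Z actor=helpdesk action=DeleteUser target=cn=leaver2,ou=users
2019-03-04T12:00:00Z actor=helpdesk action=DeleteUser target=cn=leaver3,ou=users
"""


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp goes under 'ts'."""
    timestamp, rest = line.split(" ", 1)
    # split on the first '=' only, so 'target=cn=sales,ou=groups' keeps its value intact
    event = dict(field.split("=", 1) for field in rest.split(" "))
    event["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_bursts(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return one alert per account that performs `threshold` destructive actions
    within `window`. Events are processed in time order and an alert fires when
    the count first reaches the threshold, so a sustained burst gives a single
    alert rather than one per event."""
    recent = defaultdict(deque)  # actor -> timestamps of its recent destructive actions
    alerts = []
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for event in events:
        if event["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        hits = recent[event["actor"]]
        hits.append(event["ts"])
        while event["ts"] - hits[0] > window:  # discard anything older than the window
            hits.popleft()
        if len(hits) == threshold:
            alerts.append({
                "actor": event["actor"],
                "count": len(hits),
                "first": hits[0],
                "last": event["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {alert['actor']} ran {alert['count']} destructive operations "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

On the constructed log this fires once, for martin, at the fifth deletion, while the helpdesk account's slow trickle of leaver clean-ups stays quiet. Detection is the second line of defence; the first is not letting one account delete everything unsupervised at all (a second approver for bulk changes, time-limited admin rights, and backups that have actually been restored in a test).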

Combating internal threats

Staff can easily undermine your organisation’s cyber security, and almost every business will have an Innocent Ian, Careless Colin or even a Malicious Martin in their midst. So, what can be done to mitigate these threats?

Don’t let your staff be your point of failure

