Insider Data Breach: An Enemy Within
Last week, an international health insurance company publicly acknowledged that one of its employees stole information that affected records of 547,000 customers.
The affected company said that while the stolen records didn’t include financial or medical data, they did include names, dates of birth, nationalities, and contact and administrative details. The company said that the employee responsible was fired immediately after the breach was discovered and that it is taking appropriate legal action.
DataBreaches.net first reported the data breach of this international health insurance company when a dark web vendor using the name “MoZeal” claimed to have over 1 million records for sale.
When contacted about the pricing, according to DataBreaches.net, MoZeal allegedly replied:
"Thanks for your inquiry bro, but before i start talking about pricing i would just like to clarify that this medical database is the only unique db if not only one on the entire dark web market with over 1million entries and over 122 countries as a whole not to mention its come straight from one of the world class health insurance companies. so you can imagine the information is very sensitive but also exclusive."
The international health insurance company disputed the 1 million records claim, and said in a statement, “Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed. The disparity in numbers claimed and those taken, relates to duplicate copies of some records.”
This latest data breach incident shows the weakest link in cyber security: the insider.
Who is an Insider
An “insider” can be anyone who has physical or remote access to your company's confidential data. Although the term most often refers to an employee, a business partner, client or maintenance contractor who has access to your company's confidential data can also be considered an insider.
An insider can be either malicious or inadvertent. An inadvertent insider can be an employee who was tricked into downloading a malware-laden document, which then gives cyber criminals access to the company’s confidential information. A malicious insider is anyone who snoops on files, steals information, or appears to have knowingly violated the law.
Extent of Insider Data Breach
IBM’s global threat intelligence report found that over 200 million financial services records were breached in 2016. Fifty-eight percent of the data breaches in 2016 in the financial services sector were the result of insider attacks, while outsider attacks accounted for only 42%. The 58% breaks down into 5% from malicious insiders and 53% from inadvertent insiders.
The IBM report also found that in 2016 the healthcare sector was more affected by insider attacks (71%) than outsider attacks (29%). The 71% breaks down into 25% malicious insider attacks and 46% inadvertent insider attacks.
For its part, Protenus reported that 43% of the 2016 U.S. health data breaches – a total of 192 incidents – were the handiwork of insiders. Of the 192 insider breaches, 99 were the result of inadvertent insiders, 91 were the result of malicious insiders, and in 2 incidents there was insufficient information to determine whether they should be considered inadvertent or malicious.
Health Data Malicious Insider Breaches Take 607 Days to Discover
According to Protenus, in 2016 healthcare organizations took an average of 233 days to discover that they had a health data breach. The most troubling part of breach discovery, according to Protenus, is in cases involving malicious insiders, where the average discovery period was 607 days – more than double the typical data breach discovery period.
Protenus gives two explanations why it takes so long to discover a breach:
1. Limited Budgets and Resources
With limited budgets and resources, not all organizations will be able to detect breaches in an automated and precise manner.
2. Reactive Approach to Data Breach
Many organizations have taken a reactive approach to data breaches – only worrying about them once they are brought to their attention by the affected party or a third party such as the media.
“Insiders are a very real risk to the security of patient data,” Protenus said. “The high number of breach incidents, and the fact that these small-scale breaches can often go undetected, make these breaches especially devastating.”
How to Prevent Insider Data Breach
Here are two ways to prevent an insider data breach:
1. Educate Employees
According to IBM, the fact that the insider attacks targeting the healthcare and financial services sectors were largely the result of inadvertent insiders may be due to these industries having a greater susceptibility to phishing attacks.
A phishing attack happens when cyber criminals try to trick you into sharing personal or work-related information online. Common phishing methods include email, ads, and sites that look similar to sites you already use. An email that appears to be from your bank requesting that you confirm your bank account number is an example of phishing.
One way to prevent inadvertent insider attacks is by educating employees – through in-person instruction, video, webinars – about phishing and how to avoid becoming a victim.
2. Automation and Preventative Controls
To prevent data breaches from both malicious and inadvertent insiders, it pays to invest in an automated data breach detection tool. If an organization depends on only one or two people to detect a data breach, it will take a significant amount of time before the breach is discovered. With automation, the threat can be detected immediately and in a precise manner.
“We predict that 2017 will be the Year of Insider Breach Awareness, with organizations realizing that this constant and significant problem has gone unaddressed for too long, with the focus for the last couple of years being more about catching up on external threats,” Protenus said.
While the great majority of our business partners, employees, clients and contractors pose no threat, it pays to be proactive in detecting data breaches. While it takes only a few minutes to steal data, it can take months and years to recover data and rebuild positive business reputation.
When you need to protect your data against the insider threats, and don't have in-house expertise, please contact us and we will be happy to help.
Steve E. Driz, I.S.P., ITCP