Insider-caused data breach

An employee accesses or allows outsiders to access IT resources, either virtually or physically, to steal data or enable the theft. Some cyber criminals offer large sums for employees to sell their access. The employee can use their inside knowledge to   make it harder to detect what they have done, and often IT employees are likely to be involved.  

An employee exploits their knowledge of internal practices, controls, or weaknesses to engage in fraud or theft, typically by working with someone outside the organisation. The employee is more likely to be someone outside of IT. 

Employees looking at personal data without a legitimate business reason can occur in many industries but is particularly common in healthcare, where the law strictly protects patient information, and also in financial services 

Enforce the principle of least privilege. Audit privileged accounts and activities involving access to sensitive or strategic information regularly. Phishing-resistant MFA not only helps secure your network but can make it easier to attribute suspicious activity to an individual during an investigation.  

Good asset management makes it harder for an insider to leverage assets owned by the organisation against the organisation. A third-party attack surface monitoring (ASM) solution can help to protect assets that are vulnerable and exposed to the Internet, depriving an insider of the ability to leak sensitive data to externally for malicious purposes.  

Set up silent alerts that are triggered when an employee attempts to modify or delete logs. Centralised logging makes it harder for an insider to alter or manipulate their actions to cover their tracks. 

Encourage a culture of reporting. Train all employees about their role in protecting the organisation against cyber threats, and  inform them about your logging and auditing practices. In healthcare, train employees about the risks of unauthorised access or access beyond the necessary minimum for their role.  

Make sure logging and log retention options are configured correctly. Forensic investigation that identifies what the insider has done can help to ensure the appropriate scope for any notification that may be required. 

Zero Trust is a security model that restricts access to any resource on a network until the person or device is verified for that access, whether they are internal or external. Using Zero Trust principles for designing and implementing the network and services on the network can reduce insider risk by limiting the scope of insider activity, because a user connected to the internal network is not necessarily trusted more than external users.