The global shift to remote work that began during the Covid-19 pandemic brought terabytes of sensitive data online for the first time. Shortly on the heels of this explosion of remote access points, the amount of cybercrime targeting private data surged, reflecting the drastic increase in opportunities.
From 2020 to 2021, reported data breaches rose 69%, from 1108 to 1862 globally. Looking at targeted companies and institutions, it’s clear that this crime wave has disproportionately affected the United States as U.S.-based organizations account for 59% of breaches and a startling 97% of stolen records.
For U.S. organizations who collect personally identifiable information such as financial or medical records, effectively stemming the tide of breached data will require a reckoning with an uncomfortable truth about the primary source of these attacks.
Data Breaches and the Insider Threat
While hacking dominates the public imagination and discourse over data breaches, the less shadowy — and more mundane — reality of cybersecurity is that most systems are breached from the inside, either accidentally or with criminal intent. A recent Stanford University study demonstrated that human activity accounts for 88% of data breaches. Of these, 60% involve deliberate malicious activity by individuals within the breached organization.
Infosec experts dub this threat vector “the insider threat” and it is rapidly emerging as a top data security concern, with 68% of organizations reporting a significant uptick in insider threat incidents within the last twelve months. As the transition to cloud computing continues, companies are finding it increasingly difficult to detect insider threat activities in their fragmented multi-cloud systems.
To fully appreciate the organizational depth of the insider threat, IT and security teams need to understand the different exploitable pathways.
Non-Malicious Human Error: First American Financial Corp
In 2019, an improperly validated deployment of the website of First American Financial Corp — a premier real estate title insurer — inadvertently exposed 885 million private financial records from its customer data. A real estate developer who was a client of First American discovered the vulnerability by accident and reported it before any malicious exploits occurred.
The vulnerability was the unintentional exposure of URLs that required no authentication. Once a user had one valid customer profile URL, that same user could reach every other profile in First American’s databases simply by incrementing the identifier in the URL.
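The pattern described above is an insecure direct object reference: a sequential record id in the URL is the only input, and nothing ties the requester to the record. The following added example (not First American’s code; every record, session token and identifier in it is constructed) shows that defective lookup beside a hardened one that requires an authenticated session, checks ownership, and replaces guessable sequential ids with opaque public identifiers.

```python
"""Added example: an insecure direct object reference beside its hardened form.
All records, sessions and identifiers are constructed for illustration."""
import secrets
from typing import Optional

# Constructed sample records with sequential internal ids.
PROFILES = {
    1001: {"owner": "alice", "ssn_last4": "1234", "title_doc": "deed-1001.pdf"},
    1002: {"owner": "bob",   "ssn_last4": "5678", "title_doc": "deed-1002.pdf"},
    1003: {"owner": "carol", "ssn_last4": "9012", "title_doc": "deed-1003.pdf"},
}

# Constructed session store: opaque session token -> authenticated user.
SESSIONS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}

# Opaque public ids (e.g. for URLs) mapped to internal ids, generated below so
# that no outsider can derive one record's address from another's.
PUBLIC_IDS = {secrets.token_urlsafe(16): pid for pid in PROFILES}


def get_profile_vulnerable(profile_id: int) -> Optional[dict]:
    """The defective pattern: the URL's id is the only input and no check ties
    the requester to the record, so every id that exists can be read by anyone."""
    return PROFILES.get(profile_id)


def get_profile_secure(session_token: str, profile_id: int) -> Optional[dict]:
    """Hardened lookup: require a valid session and refuse any record the
    session's user does not own. Missing and forbidden records both yield None
    so the response does not reveal which ids exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        return None
    record = PROFILES.get(profile_id)
    if record is None or record["owner"] != user:
        return None
    return record


def get_profile_by_public_id(session_token: str, public_id: str) -> Optional[dict]:
    """Same authorization check, but keyed by an opaque public id, so the
    sequential internal id never appears in a URL at all."""
    internal_id = PUBLIC_IDS.get(public_id)
    if internal_id is None:
        return None
    return get_profile_secure(session_token, internal_id)


if __name__ == "__main__":
    # Anyone can read Bob's record through the vulnerable path.
    print("vulnerable:", get_profile_vulnerable(1002))
    # Alice can read only her own record through the hardened path.
    print("alice own:", get_profile_secure("tok-alice", 1001))
    print("alice -> bob:", get_profile_secure("tok-alice", 1002))
```

The ownership check is the essential fix; the opaque public ids are defense in depth, since an unguessable URL alone is not a substitute for authorization.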
While First American narrowly escaped a financial catastrophe, the potential breach still provides an important lesson regarding the value of maintaining sufficient technical oversight of developers and IT staff, whose accidental errors carry significantly greater risk than those of other employees.
Malicious Insider Activity: T-Mobile
Sometime in early 2022, a security-privileged employee — or employees — of T-Mobile sold escalated user credentials on a dark market. The buyer — the well-known cybercriminal organization Lapsus$ — gained access to T-Mobile’s central servers on several occasions and eventually succeeded in stealing the company’s source code.
In the last 18 months, similar breaches enabled by illegally trafficked credentials have targeted Microsoft, Nvidia, Samsung, and Okta. While vulnerability to this breach vector ultimately depends on unpredictable human choice, organizations can mitigate the risk by implementing policies that grant users only the privileges they need and by configuring relevant security tools, such as firewalls and intrusion detection systems, to log granular user session data so that every credential is always tied to a single, identifiable individual.
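Granular session logging is only useful if something reads it. The following added example (not from any of the organizations named here; the log format and every line in it are constructed) runs a simple detection over session logs: it flags an account that logs in from more than one source address within a short window, the kind of signal a sold or shared credential leaves, and then lists the sensitive actions performed from the newly appearing source.

```python
"""Added example: detecting a shared or trafficked credential from session logs.
The log format and all sample lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> user=<id> src=<ip> event=<name>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2022-03-01T10:00:12Z user=jdoe src=10.0.4.17 event=login
2022-03-01T10:02:40Z user=jdoe src=10.0.4.17 event=read_customer_record
2022-03-01T10:03:05Z user=msmith src=10.0.9.3 event=login
2022-03-01T10:05:30Z user=jdoe src=198.51.100.23 event=login
2022-03-01T10:06:01Z user=jdoe src=198.51.100.23 event=export_customer_db
2022-03-01T10:41:00Z user=msmith src=10.0.9.3 event=logout
2022-03-01T12:30:00Z user=msmith src=10.0.9.3 event=login
"""

SENSITIVE_EVENTS = {"export_customer_db", "read_customer_record"}


def parse(text):
    """Parse log text into a list of dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_shared_credentials(events, window=timedelta(minutes=30)):
    """Return {user: sorted source addresses} for every account that logged in
    from two different source addresses within `window` of each other."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            logins[e["user"]].append((e["ts"], e["src"]))
    flagged = defaultdict(set)
    for user, entries in logins.items():
        entries.sort()
        for i, (ts, src) in enumerate(entries):
            for ts2, src2 in entries[i + 1:]:
                if ts2 - ts <= window and src2 != src:
                    flagged[user].update({src, src2})
    return {u: sorted(s) for u, s in flagged.items()}


def sensitive_actions_from_new_sources(events, flagged):
    """For each flagged user, list sensitive events performed from any source
    other than the one that user first logged in from."""
    first_src = {}
    for e in events:
        if e["event"] == "login" and e["user"] not in first_src:
            first_src[e["user"]] = e["src"]
    return [
        (e["user"], e["src"], e["event"])
        for e in events
        if e["user"] in flagged
        and e["src"] != first_src.get(e["user"])
        and e["event"] in SENSITIVE_EVENTS
    ]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    flagged = find_shared_credentials(evs)
    print("flagged accounts:", flagged)
    print("sensitive actions from new sources:",
          sensitive_actions_from_new_sources(evs, flagged))
```

The window and the "first source wins" assumption are deliberately simple; in practice the baseline would be the user's known devices or network ranges, but the point is that the log must carry the user id, source and action on every line for any such correlation to be possible.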
Stolen Credentials: Sears and TRW Information Systems
It’s important to remember that electronic data breaches antedate the internet. Careless storage of physical data assets has always introduced dangerous vulnerabilities into information systems. The most notable example in this vein comes from a simple in-store theft at a Sears Roebuck location on the West Coast in 1984.
Taking advantage of the technology of the day, the thief posted a stolen password for a customer data file of TRW Information Systems to an electronic bulletin board, making the file’s 90 million records accessible to subscribers over the phone. Sears did not discover the breach for more than a month.
Although companies today operate on entirely different platforms of technology, the incident serves as a reminder to prioritize the safe storage of any physical assets that may expose sensitive data such as passwords written on post-it notes or day planners.
Mitigating the Insider Threat
Successfully limiting the insider threat in any organization requires a holistic coordination of people, processes, and technology. For the most unpredictable element — human activity — tackling the insider threat begins with screening, onboarding and continuous training, and rigorous in-house monitoring.
In day-to-day operations, organizations need clearly articulated and enforced standards for infosec practices, known in many industries as personally identifiable information (PII) policies. Underpinning those human practices, current technologies that eliminate many preventable human errors — such as secure, integrated platforms for storing and sending sensitive documents — act as a force multiplier for even the best practices and policies.
Keep Your Data and Documents Secure
FileInvite’s SOC 2 Type 2-secured document collection platform can radically streamline the commercial lending process, including even the stringent requirements of SBA loans. With automated notifications both for loan officers, clients, and even administrative staff added to the account, FileInvite’s protected one-stop document portal accelerates document collection while maintaining the highest standards of security. Sign up for a free trial to learn more.