Don’t look now, but the biggest security threat to your law firm data is most likely sitting right under your nose.
Although you might think nefarious outside hackers are your number one worry, in reality your current and former employees pose a much greater danger.
The threat may come from a disgruntled worker with malicious intent or a careless employee with sloppy security practices.
“While most companies imagine security threats in the form of malicious outsiders, the employees already in your organization may pose an even bigger threat,” writes cybersecurity expert Rob Sobers for MultiBrief. “Research suggests that insider threats account for anywhere from 60 to 75 percent of data breaches. These insider threats are dangerous because they can come from almost anywhere — a jilted ex-employee bent on personal revenge, a malicious insider looking for personal gain, or even a content staff member who lacks cybersecurity training.”
Consider these two statistics: ninety (90) percent of organizations are vulnerable to an insider attack, and damages from an insider attack cost organizations from $100,000 to $500,000 per incident.
Prevention starts with awareness. Following are some key considerations from Rob Sobers, senior director at cybersecurity firm Varonis, for reducing your risk of an insider threat:
Types of Insiders
- Privileged IT users
- Disgruntled former employees
- Business partners
- Managerial employees with admin capabilities
- Non-managerial employees
- Outside consultants
- Third-party vendors
Types of Insider Threats
- Careless – accidentally exposes sensitive data through negligence or a misunderstanding of cybersecurity best practices.
- Compromised – inadvertently becomes compromised by an outsider through methods like social engineering, spear-phishing and malware.
- Malicious – intentionally steals sensitive data or compromises systems, often for personal gain or professional advantage.
Insider Threat Motivations
- Financial gain
- Personal gain
- Business advantage
- Professional revenge
- Professional sabotage
- Employee discontent
- No motivation, carelessness
Insider Threat Methods
- Social engineering
- Physical theft
- Electronic theft
- Unintentional systems damage
- Unintentional data leaks
- Stolen credentials
High-Profile Breaches Caused by Insiders
- Target: compromised insider / stolen credentials / 40 million debit and credit card records stolen / $105 million in damages
- Boeing: malicious insider / physical and electronic theft / $2 billion in sensitive data stolen
- Sony Pictures: compromised insider / social engineering, phishing emails / 100 terabytes of data stolen / $35 million in damages
- National Security Agency: malicious insider / electronic theft / up to 1.7 million classified documents stolen
Sources: MultiBrief; US Department of Homeland Security; 2018 Insider Threat Report; Digital Guardian; MetaCompliance; IT Pro Portal; IT Governance; Wired