Did you know that in 2020, 60% of data breaches were from insiders? This is an increase of 47% since 2018 (Source: ID Watchdog), meaning your employees and staff are likely the culprits of data breaches. Fortinet revealed in a survey that fraud (55%), monetary gains (49%), and intellectual property theft (44%) are the underlying reasons behind insider threats and that the most vulnerable departments were Finance (41%), Customer Access (35%), and Research and Development (33%). (Source: Fortinet)
Recently, the Illinois Lake County Health Department revealed that it was impacted by two separate data breaches that could have affected the electronic protected health information (ePHI) of approximately 25,000 patients. (Source: Compliance Junction) The initial breach took place in 2019, when a Lake County Health staff member sent an unencrypted email from their staff email account to the personal account of a co-worker. The email included a spreadsheet that listed the medical record requests made from December 2016 to June 2019. An external company had processed these requests, which related to Lake County Health Department release of information requests. The spreadsheet listed the identities of 24,241 patients along with details of appointments with the vendor.
Here are the types of insider threats you should look out for:
Malicious Insiders: Employees or close associates who intentionally cause harm to an organization by exposing sensitive business data to external threats or using it for their own personal gain.
Negligent Insiders: These types of employees have no intent to harm an organization, but their actions can cause a security breach. They typically ignore policies, processes, and protocols.
Unintentional Insiders: Employees with no intent to harm an organization who follow organizational rules but fall for phishing schemes or whose devices are already infected with a virus or malware, putting the whole organization at risk.
Inside Agents: Employees who are working in partnership with an external attacker that is trying to gain access to the organization. They either steal the data or help infect systems.
At A_IT, we offer a fully managed security awareness training program based on industry best practices with a variety of relevant content, including interactive modules and videos. We take care of setup and support to reduce management and stress. Training modules are short and distributed at regular cadences, improving knowledge retention and behavior for our partners.