Nearly every week, it seems like hacks dominate the headlines: TalkTalk, Ashley Madison, Anthem, and the federal government have all been recent targets. Organizations are increasingly engaged in a cyber war with adversaries ranging from organized crime rings to nation-states and online vigilantes. These outsider attacks generate substantial public and private anxiety, and with good reason: the loss of sensitive customer information, disruption of services, and negative headlines can shake the confidence of shareholders, employees, and customers.
But there’s another risk, equally if not more pernicious, that often goes overlooked: insider attacks. Many executives don’t fully appreciate that their biggest risk can come from within. Malicious internal actors can endanger not only a company’s financial and reputational health, but also the physical safety of their staff. Recent events—multi-million dollar employee fraud, high-profile intellectual property theft, and the attacks in San Bernardino—have made it clear that events like the Edward Snowden data leaks or the Washington Navy Yard shootings were not anomalies.
Organizations can and should formally address insider risk by creating a program that moves it from mitigation to prevention. Innovative technology can help organizations proactively screen and detect bad actors before they strike, but implementing these solutions requires commitment from the highest level of leadership in both the public and private sectors.
While organizations have bolstered their cybersecurity plans to protect their most sensitive proprietary information in response to potential external breaches, insider risks haven’t been addressed with the same attention and care. They’re the loss that nobody wants to talk about publicly, and many organizations go to great lengths to conceal the existence and ramifications of inside bad actors. But these risks can be some of the most damaging to an organization: one 2015 Intel Security study found that insiders account for 43% of all data loss.
When employees leave their job for another, for example, they often transfer valuable information to their new employers. A Symantec survey revealed that half of employees admit to taking corporate data when they transfer jobs, and 40% say they plan to use the information at their new organization. Yet 56% don’t realize it’s a crime to use those trade secrets.
This practice can have serious consequences, including the loss of intellectual property or the disclosure of national secrets, whether the perpetrator is successful or not. In just the first week of 2016, a former electrical engineer for Pasadena-based avionics company Rogerson Kratos Avionics was convicted for distributing company trade secrets after his termination for poor performance. Using a false name and a Starbucks Internet connection, the former employee sent stolen trade secrets to other avionics companies, including one outside the United States. He was stopped when the competitors reported the economic espionage, and now faces up to 320 years in federal prison.
We’ve also seen the devastating aftermath of insider leaks in the public sector. Activist employees—like Chelsea Manning or Edward Snowden—have disclosed data and information that potentially threatened the safety of our armed forces and public security. In both instances, there were warning signs that these employees would go rogue—yet they went unmonitored and undetected.
Employee fraud is another malignant problem that hits companies’ financial health more directly. The Association of Certified Fraud Examiners’ 2014 survey estimated that companies lose a median of 5% of revenues annually due to fraud—translating globally to a $3.7 trillion economic loss. This criminal activity can seriously impact a business’ revenue and reputation. For example, this past March, an ex-lawyer was convicted of stealing more than $9 million from his employer, Memorial Hermann Healthcare System, in a billing scheme. He had been convicted in the past of felony theft and misappropriation of client funds and disbarred. Given his past, his employer should have been tipped off sooner to his activities.
In the worst-case scenarios, these insider risks can turn into insider threats and result in workplace violence — which, as events in the past year have demonstrated, has become more commonplace. Shootings accounted for 78% of all workplace homicides – a total of 405 fatal injuries – in 2010, according to the most recent available data from the Bureau of Labor Statistics. We’ve seen far too many examples of such violence on the part of malicious employees or disgruntled former employees: the on-camera shooting of two journalists in Virginia, as well as the Washington Navy Yard and Ft. Hood shootings. And while many factors play into the rise of these shocking and horrific tragedies, organizations must start to think about how to prevent them in order to protect their most valuable assets—their people.
When we walk into our office buildings every morning, we expect to be safe. That safety can come in many different forms—the security of knowing that we work at a financially sound organization, and the safety of being free from harassment and workplace violence. Leaders of organizations must develop proactive plans to monitor, detect, and prevent bad actors within their organization before they strike. It’s been proven time and time again that the consequences can be catastrophic if these risks are ignored. Don’t become the next headline.
Scott Weber is a managing director at Stroz Friedberg, an investigation, intelligence and risk management firm.