Data Breach Threats Lurk Within

Steve Doston, CISO & VP, First Advantage

Almost every day, the media has a report of a cybersecurity breach. Target, Home Depot, Sony Pictures, Internal Revenue Service, the U.S. Government, big banks, hotels, and supermarkets have all been victims of cyber attacks. Recently a major league baseball team was accused of hacking a rival team's data in a case of corporate espionage.

Billions of dollars are lost, reputations are damaged, and business is left disrupted in the wake of data breaches. And while the big names make the news, small businesses are proving to be equally vulnerable. A survey of 675 small businesses by the National Small Business Association found that half of them have been victims of information theft in 2014.

The war against electronic data theft is being fought on two fronts, although one front makes more headlines than the other. External threats generate a lot of attention and rightly so. Online hacking rings and foreign governments are constantly scouring targets, sometimes making off with millions of records – credit card information, health records, employee data, and other personal information. However, the ongoing battle which is overlooked deals with intrusion from within the inside of organizations.

A 2014 report from the Ponemon Institute, a research center dedicated to privacy and data protection, claims that 15 percent of the time, a trusted insider with malicious intent was the root cause of a data breach. A 2012 report from the Software Engineering Institute on Mitigating Insider Threats puts that figure even higher, stating that 21 percent of cybercrimes were committed by insiders.

Workforce Screening for Better Data Protection

The Computer Emergency Response Team (CERT) Program from Carnegie Mellon University's Software Engineering Institute recommends using the hiring process as a starting point for mitigating insider threats. Measures such as background screening can help employers make trust-based hiring decisions. In fact, First Advantage conducted a survey of 337 professionals including human resources, risk management, and C-suite executives about their attitudes toward internal and external security threats. Sixty percent of respondents said background screening of new employees is the most important security control that can be put in place to protect organizations from data breaches. Anti-malware ranked second (53 percent), followed by physical security and physical access controls (39 percent).

Human Resources and Security

Organizations need to determine where their information assets are, what value they have and who has access to them. Human resources and information security professionals within the organization should develop a policy framework about what factors are appropriate for background screening for specific positions. If an employee has access to credit card information or other personal identifiable information, a background check might include a national and county level criminal history in all areas a candidate has lived or worked. It may also include a check on financial information such as credit history or bankruptcy filing. Screening may even involve a check of terrorist watch lists.

Many employers think that background screening ends when the new hire comes onboard. Unfortunately that can be a shortsighted and risky approach. Life happens and circumstances change. Young people are less likely to have a criminal record or bad credit initially, but could incur debt over time that needs to be serviced, potentially increasing their risk to the organization. People also change positions and have access to different levels and types of data. Companies should have a solid standards-based policy framework that includes continuous monitoring and updating of background information through a periodic rescreening process. Fortunately, technology now allows for groups of employees to be rescreened all at once for a fraction of the cost of the original background check.

Preventing Breaches through Vendors

Company supply chains and third-party business partners are other vulnerable points for attack. The massive Target data breach was traced to a third-party heating, ventilating and air conditioning partner that was hacked. It is wise to make inquiries about whether contractors, suppliers, and staffing firms have robust policies in place regarding background screening in addition to technology-based solutions to protect against deliberate or inadvertent data breaches.

The information age has changed the way we do business, but it has also created new risks that can lead to catastrophic losses. To ensure the greatest possible protection of valuable company information, organizations would be well advised to think about both internal and external threats, maintaining a thorough employee screening program along with tight IT security measures.