After a succession of high-profile data leaks at financial companies, businesses are starting to look inwards to identify potential whistleblowers and saboteurs
Rarely does a week go past without news of an eyebrow-raising data breach. In February, hackers broke into the central bank of Bangladesh and stole £55m. In April it was the turn of a Qatari bank, QNB, to play the fall guy. Activists broke in, downloaded 15,460 customer files – including passwords and PINs – and leaked the lot to whistleblower site Cryptome.
These were, it seems, not inside jobs, but successive scandals — Swiss Leaks, LuxLeaks, WikiLeaks and the Panama Papers — have shown that the malicious insider poses as much a threat as the malevolent outsider.
According to a 2015 report by US firm Verizon, half of all security ‘events’ – classed as anything that compromises internal corporate security – are caused by employees. Three-fifths of those people are typically incompetent rather than spiteful, whether that means sending sensitive data to the wrong person or carelessly disposing of personal financial or medical data. IBM reckons that 95 per cent of all cyber incidents can be attributed to human error.
“Corporations have spent the last few decades mostly preventing outsiders getting in, and that has become a multi-billion-dollar industry,” says Scott Weber, a specialist in advanced psycholinguistic algorithms at risk management firm Stroz Friedberg. More recently, he notes, the focus has switched, to dealing with the rising threat of the spiteful, money-grabbing or plain daft insider.
This requires a major shift in the mindset of corporates and governmental institutions of all shapes and sizes. In a world where technology allows outsiders and insiders to convey vast amounts of data from here to there at the click of a mouse, nothing is safe.
The Panama Papers — when a whistleblower sent 11.5m client documents from Panamanian law firm Mossack Fonseca to a journalist in Bavaria — was widely believed to be an inside job.
It revealed the lengths to which shady tycoons and oligarchs would go to camouflage their wealth. But many others ‘outed’ in the papers were normal commercial entities – corporates, charitable investors – that happened to park assets in an offshore tax haven with an admittedly shady reputation.
There is, as Dan Nardello, founder of Nardello & Co, a global investigations firm, points out, “nothing untoward or illegal per se in running an operation in Panama. We are just about to open an office here and it is a terrific place. A lot of Latin America arbitration takes place here.”
The deeper problem is perception. If you are doing nothing wrong, you’ve got little to worry about. But if you are up to no good, be wary. “In a digital age, there is no innate security in having an offshore entity,” adds Nardello, a former US federal prosecutor. “We’re entering a digital world where it’s going to become harder to keep a secret. With so much data held online, firms are ever more vulnerable to internal leaks. It’s a function of the reality in which we live.”
At Stroz Friedberg, Weber’s advice for larger firms is to pool their resources. “Corporates need their human resources, legal, information security, security and investigations and compliance departments all working together,” he says. “They might wonder why, say, Bob is downloading all that data at 4am, or why Sue is accessing all those banned websites. We use behaviour analytics to help firms determine if an employee is a potential risk.”
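As an added illustration of the kind of rule-based behaviour analytics Weber describes (example code written for this page, not Stroz Friedberg's tooling), the following Python flags off-hours bulk downloads and visits to a denylisted site over a constructed access log and pools the signals per user; the log format, thresholds and denylist are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data): timestamp user action bytes destination
SAMPLE_LOG = """\
2016-05-10T04:02:11 bob download 850000000 fileshare
2016-05-10T04:15:40 bob download 920000000 fileshare
2016-05-10T09:30:05 alice download 12000000 fileshare
2016-05-10T11:12:52 sue web 0 blocked-site.example
2016-05-10T11:13:10 sue web 0 news.example
2016-05-10T13:45:00 sue web 0 blocked-site.example
"""

BLOCKED_DOMAINS = {"blocked-site.example"}  # assumed corporate denylist
OFF_HOURS = range(0, 6)                     # 00:00-05:59, assumed "unusual" window
BULK_BYTES = 500_000_000                    # 500 MB per event, assumed threshold


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, size, dest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "bytes": int(size), "dest": dest})
    return events


def risk_flags(events):
    """Return {user: sorted flag names} combining both detection rules per person.

    Pooling the flags by user is the point: each department may see only one
    signal, so the per-user view is what reveals the full picture.
    """
    flags = defaultdict(set)
    for e in events:
        if (e["action"] == "download" and e["bytes"] >= BULK_BYTES
                and e["ts"].hour in OFF_HOURS):
            flags[e["user"]].add("off-hours bulk download")
        if e["action"] == "web" and e["dest"] in BLOCKED_DOMAINS:
            flags[e["user"]].add("blocked site access")
    return {user: sorted(names) for user, names in flags.items()}


if __name__ == "__main__":
    for user, names in risk_flags(parse_log(SAMPLE_LOG)).items():
        print(user, names)
```

A flag here is a prompt for the pooled HR, legal and security review the article recommends, not a verdict on the employee.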
That means instilling a sense of basic security in employees — making their internal passwords harder to hack — or recognising that a data breach, wherever and however it happens, is a threat to everyone: employer, employee, share price, shareholder.
A study of 2,000 cases of insider leaks by Stroz Friedberg found that in every instance, the culprit was viewed with mistrust in at least one corner of the company, but that no one had ever stopped to look at the full picture.
“They set off alarm bells,” Weber says, “but for a variety of reasons – hectic schedules, employees not wanting to rat out one another – they weren’t brought to light.”