Capital One Breach Highlights the Danger of Insider Threats

July 30, 2019

by Josh Higgins

When companies think about cybersecurity threats, they often think of a hacker in some far-off place using sneaky tactics to gain access to their systems. However, Capital One’s announcement Monday of a major data breach highlights another major, yet often overlooked, cyber threat: the insider.

Similar to other cyber incidents, the newly announced Capital One breach affected a massive number of people’s confidential data – over 100 million Americans and an additional six million Canadians. However, what sets this breach apart from others is the fact that the hack was orchestrated by a tech insider who worked for one of Capital One’s third-party vendors.

The FBI has noted the growing threat of insiders, issuing a recent alert to the private sector warning of this risk:

“The FBI continues to observe U.S. businesses’ reporting significant losses caused by cyber insider threat actors,” the FBI said in its alert.

The FBI stressed that these instances often involved former or disgruntled employees exploiting their privileges to harm companies. Based on three years of cases reviewed by the FBI, the most common threat came from system administrators or IT contractors, who often hold the “keys to the kingdom” when it comes to access to corporate data.

However, as underscored by the Capital One breach, there are a wide variety of insider threats that companies need to be aware of.

For instance, Verizon’s 2019 Insider Threat Report notes there are careless workers who engage in inappropriate data security behaviors – such as breaking acceptable use policies and finding workarounds to circumvent inconveniences resulting from security policies.

Moreover, feckless third parties can also pose a cyber threat from the inside, whether through negligence about cybersecurity or by misusing or maliciously accessing sensitive corporate data.

The Capital One breach – which was conducted by a malicious third-party insider – underscores the wide-ranging nature of the threat and large impact insiders can have. Because of the breadth and impact of these kinds of threats, it’s important that discussions on insiders be a key component of the cybersecurity risk-management discussion.

The National Association of Corporate Directors Cyber-Risk Oversight Handbook for corporate boards of directors encourages boards to ask management about their company’s policy for vetting and monitoring employees for suspect behavior.

One key practice organizations should implement to mitigate the insider threat is to review and consistently monitor who has access to what data — and make sure that no one has more access than is needed to do their job.

Part of this management should include a process for when employees leave the company or are transferred to new positions internally.

Keeping data access as locked down as possible is one component of the comprehensive insider-threat risk-management regime organizations need in order to minimize the threat as much as possible.
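As an added illustration of the access review and leaver/mover process recommended above (this is example code, not part of the original article or of any Capital One process), the following Python cross-checks a constructed HR roster against an entitlement export and flags departed accounts that still hold access, transferred staff still holding old-role entitlements, and anyone with access beyond their role's baseline. The role baseline, role names, usernames and entitlement names are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical least-privilege baseline: what each role legitimately needs.
ROLE_BASELINE = {
    "analyst": {"reporting-ro"},
    "dba": {"reporting-ro", "customer-db-rw"},
    "contractor-devops": {"ci-deploy"},
}

@dataclass
class Person:
    user: str
    status: str              # "active" or "terminated", from the HR roster
    role: str
    previous_role: str = ""  # set when the person transferred internally

def review_access(roster, entitlements):
    """Return (user, kind, frozenset) findings; kind is leaver, mover or excess."""
    people = {p.user: p for p in roster}
    findings = []
    for user, granted in sorted(entitlements.items()):
        person = people.get(user)
        if person is None or person.status == "terminated":
            # Leaver: departed (or unknown) account that still holds access.
            findings.append((user, "leaver", frozenset(granted)))
            continue
        excess = set(granted) - ROLE_BASELINE.get(person.role, set())
        # Mover: the part of the excess that was legitimate in the old role;
        # whatever remains matches neither the current nor the old role.
        stale = excess & ROLE_BASELINE.get(person.previous_role, set())
        if stale:
            findings.append((user, "mover", frozenset(stale)))
        if excess - stale:
            findings.append((user, "excess", frozenset(excess - stale)))
    return findings

# Constructed sample inputs (not real accounts or systems).
ROSTER = [
    Person("alice", "active", "analyst"),
    Person("bob", "active", "analyst", previous_role="dba"),  # moved teams
    Person("carol", "terminated", "dba"),                      # has left
    Person("dave", "active", "contractor-devops"),
]
ENTITLEMENTS = {
    "alice": {"reporting-ro"},
    "bob": {"reporting-ro", "customer-db-rw"},
    "carol": {"customer-db-rw"},
    "dave": {"ci-deploy", "customer-db-rw"},
    "svc-old-vendor": {"ci-deploy"},  # account with no roster entry at all
}
```

Running `review_access(ROSTER, ENTITLEMENTS)` flags bob as a mover, carol and svc-old-vendor as leavers, and dave's database access as excess; alice, whose access matches her role, produces no finding.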

Of course, while these kinds of mitigations are necessary, it’s important to note that no amount of mitigations will completely eliminate the insider threat.

However, these protections need to be in place to help an organization manage the risk as best they can.

The potential cost from stolen data by malicious insiders is too high for companies to ignore. Companies must do what they can to manage the sneaky threat hiding right under their noses.