- Over the past week Amazon has struggled to address an incident in which employees disclosed customers’ data to a third party. Twitter’s big hack was also attributable to an employee’s lapse in security, and Shopify had its own incident, too.
- The incident shows how ‘insider threats’ are a growing challenge for companies in the areas of security, IT, legal, human resources, and PR.
- Forrester says remote work provides “ideal conditions” for insider threats, which will be behind one-third of 2021’s cybersecurity incidents.
- Insider threats can be well-meaning, says Microsoft, which has built-in tools that alert IT teams to unusual employee behavior.
Amazon found itself entangled in a thorny incident this week in which the company struggled to publicly respond to employees leaking customer email addresses to a third party that sought the data.
Like last summer’s high-profile Twitter hack, which commandeered some of the world’s biggest accounts to spout a cryptocurrency scam, the Amazon episode hinged on one significant factor: the involvement of employees.
Many companies have grappled with cybersecurity issues involving employees, which are broadly described as “insider threats.” Last month two Shopify employees tried to steal transaction records from merchants and may have exposed customer data, the online payment platform said.
Insider threats have spiked during the COVID-19 pandemic, challenging not only companies’ cybersecurity teams, but also their legal, human resources, and communications staffs, as remote work creates what analyst firm Forrester calls “ideal conditions for insider threats.” In fact, Forrester says insider threats will be the cause of one-third of all security incidents in 2021.
Complicating matters further, insider threats comprise a wide range of incidents – from crimes such as corporate espionage and data theft to well-meaning slip-ups such as the use of personal email for work and unauthorized work applications.
Experts say insider threats require patient examination of employees’ intent, or a punitive response can crush morale – yet as the Amazon and Twitter incidents show, the clock is ticking as customers and the public demand decisive action. As external cybersecurity threats grow more complex, challenges from within companies present a second front for cybersecurity to defend.
Insider threats can take many forms
Jeff Pollard, a principal analyst at Forrester, says insider threats can take place in “all kinds of scenarios,” especially in the pandemic-driven remote work era. Those scenarios confront millions of remote workers, he says.
“Your significant other also is now working from home, and you are having conversations out loud that they hear,” Pollard says. “They happen to mention something to one of their colleagues that they overheard you saying, not realizing it was confidential information. That’s an insider threat.”
So is accidentally taking information from your last job into your new work environment via the personal laptop you’ve used in both jobs. So is direct messaging with an employee who reports to you about confidential management issues. So is lending your work laptop to a roommate.
Insider threats aren’t one cybersecurity problem – they are a spectrum of problems, and they are multiplying as employees work from home.
Insider threats take so many different forms that Microsoft classifies them by breadth, sophistication, and intent. “These issues come in a huge variety,” says Talhah Mir, a principal manager in digital security and risk engineering at the software giant. “You have to consider them in context.”
Mir has worked with enterprise customers who discovered their employees looking up their neighbors’ medical records, “for some reason,” he says. He has found employees approving loans for their family members, and colluding with coworkers to start a rival company while downloading classified data.
Mir takes pains to point out that he has also encountered many employees whose motives were laudable. Sometimes employees bring computer programs with them to a new company because they believe they can be more productive using their favorite tools. But that web app or spreadsheet is not the new company’s property, and could cause legal or even technical issues.
Amazon incident is ‘particularly concerning’
Amazon’s particular incident involves an employee leak of customer email addresses. “Your email address was disclosed by an Amazon employee to a third party,” the company told some users in emails, adding that “no other information related to your account was shared.” But in other emails the company said phone numbers may also have been leaked, which the company now says was a mistake caused by using an email template.
That wasn’t Amazon’s only stumble. The company said in some emails that one employee was involved, but said in a statement that the “individuals” – plural – “responsible for this incident have been fired.” Amazon explained that it was telling individual customers that one employee leaked their specific information, rather than speaking about the overall incident.
Amazon said in a statement that “We have referred the bad actors to law enforcement and are supporting their criminal prosecution.” The company said it has computer systems in place to limit and control access to information, and processes in place for identifying and investigating suspicious behavior. Those systems, the company said, acted as designed and notified the company of suspicious behavior.
But Amazon’s handling of the incident has been broadly criticized on Twitter and by privacy experts. “Finding out that an Amazon employee has been passing customer emails to a third party is particularly concerning, especially as Amazon appears to have been very vague about the details,” says Jo O’Reilly, a digital privacy expert at ProPrivacy, a company that rates products and companies on their handling of consumer data.
Catching insider threats can be tricky
The nebulous nature of insider threats makes them hard to detect, and harder still to address.
Microsoft has stepped into that gap with a program in the Microsoft 365 suite of business applications which uses machine learning to detect anomalous and potentially risky behavior by employees. The program flags behaviors to a company’s IT team if an employee is downloading data they shouldn’t be, or going online in the middle of the night and accessing sensitive files.
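The two behaviors described above, after-hours access to sensitive files and downloading more data than an employee should, are the kind of signals such a tool looks for. The following is an added toy detector written for this article, not Microsoft's or any vendor's code; the log line format, the sensitive path prefixes, the working-hours window and the download threshold are all assumptions, and the sample log is constructed.

```python
"""Toy insider-risk detector over a constructed file-access log.

Added example, not vendor code. Log format, path prefixes, working hours
and the download threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: <ISO timestamp> <user> <action> <path> <bytes>
SAMPLE_LOG = [
    "2020-10-20T14:05:00 alice READ /shared/marketing/plan.docx 24576",
    "2020-10-20T02:17:00 bob READ /hr/records/salaries.xlsx 51200",
    "2020-10-20T02:19:00 bob DOWNLOAD /hr/records/salaries.xlsx 51200",
    "2020-10-20T15:30:00 carol DOWNLOAD /crm/customers_export.csv 104857600",
    "2020-10-20T15:31:00 carol DOWNLOAD /crm/customers_export2.csv 104857600",
]

SENSITIVE_PREFIXES = ("/hr/", "/crm/")       # assumed sensitive locations
WORK_HOURS = range(7, 20)                     # 07:00-19:59 local, assumption
DOWNLOAD_LIMIT_BYTES = 150 * 1024 * 1024      # per user per log window, assumption


def parse_line(line):
    """Split one log line into a dict; timestamp becomes a datetime."""
    ts, user, action, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "bytes": int(size)}


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def detect(lines):
    """Return (user, reason) alerts, each user/reason pair reported once."""
    alerts = []
    downloaded = defaultdict(int)           # running bytes downloaded per user
    for ev in map(parse_line, lines):
        if is_sensitive(ev["path"]) and ev["ts"].hour not in WORK_HOURS:
            alert = (ev["user"], "after-hours access to sensitive path")
            if alert not in alerts:
                alerts.append(alert)
        if ev["action"] == "DOWNLOAD":
            downloaded[ev["user"]] += ev["bytes"]
            if downloaded[ev["user"]] > DOWNLOAD_LIMIT_BYTES:
                alert = (ev["user"], "download volume exceeds limit")
                if alert not in alerts:
                    alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

A real deployment would baseline each user's normal hours and volumes rather than use fixed thresholds, which is where the machine learning the article mentions comes in; the alert is a prompt for a human review, not a verdict.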
How the IT team responds to that information often falls under the category of human resources.
“HR is a huge aspect of this,” Mir says. He urges companies to assume good faith and practice “digital empathy” – seeking to understand employee behavior before leaping to conclusions. “Otherwise it can have a devastating effect on morale.”
Some cases are more clear-cut, however, and require the long arm of the law rather than HR’s compassion.
Darktrace, a UK cybersecurity firm that uses machine learning to pick up any anomalies in a company’s network, once discovered that a janitor at a US law enforcement agency was trying to access sensitive data after hours. The janitor turned out to be a criminal who got the job so he could steal information about the whereabouts of informants in the witness protection program, says Max Heinemeyer, an analyst from Darktrace.
Heinemeyer says that in his experience “some insider threats are very, very interesting.”