By Todd Avery, Manager of Information Security at Abacus Group
Throughout the year, we send members of our dedicated security information team to industry conferences, so they can continuously gain insights into the latest threats and best practices in cybersecurity. Most recently, several members of our team attended the 2019 Cyber Security Summit in Dallas, Texas. The event is hosted in different cities each year, and its purpose is to bring together cybersecurity professionals to discuss the newest technologies and trends in the cybersecurity world.
This year’s summit focused on insider threats and kicked off with a briefing from Sheraun Howard, a Special Agent with the FBI’s Cyber Task Force. He briefed attendees on the increase of insider threats in different industries, with a focus on health care, banking and financial services. He stated that in the last five years, insider threats have gone up about 20%. These crimes consist mostly of stealing personally identifiable information (PII) within the health care industry, and client information within the financial sector, and then selling this information on the DarkNet.
During the Q&A portion of his presentation, there was a lot of discussion around the access employees have to PII data within their environments. A key take-away from this discussion was the need to create a more robust insider threat program and more controls over PII.
During the conference, several breakout sessions continued the conversation about insider threats. Among the facts shared and discussed was that 86% of organizations are in the process of developing policies and processes to specifically defend against and prevent insider threats. Whether expected or unexpected, an employee with access to a company-wide system is a great threat to any organization. While some employees can be malicious, according to a survey by IBM, 95% of all breaches actually involve employees making mistakes.
Companies need to take care to strike a balance between employee trust and protecting the information of clients and employees. There are several ways to achieve that balance – it all starts with executive-level leaders implementing policies and procedures to protect sensitive data, and ends with employees being responsible for the proper handling of data.