Businesses and organizations possess more data about their customers than ever before. Between online account information, payment card details, and insights about activity and preferences, there is a worry among consumers about what “privacy” means in an increasingly connected online world. Over the past decade, the data breach has become one of the top concerns for small businesses and major corporations alike, and for good reason: hackers have been able to steal vast amounts of data from entities as diverse as Target, Yahoo, Marriott, and the United States Office of Personnel Management.
Not all these threats are coming from outside the walls. In multiple recent scenarios, insider threats have represented a significant risk to organizations and their data. In this landscape, employers need to be more vigilant about not just who they hire but also who they continue to employ. Thorough background checks at the time of hire are no longer enough. Robust security controls, employee oversight, and ongoing background checks are now essentials as well.
Each year, Verizon commissions a Data Breach Investigations Report that reviews and collects insights from that year’s cybersecurity incidents. The 2019 report found that more than one-third of all 2019 data breaches (34 percent) occurred because of “insider threat actors.”
There have been examples of insider breaches at numerous major companies in recent years. In 2019, a federal indictment in the United States alleged that three former Twitter employees had breached the company’s databases to spy for Saudi Arabia’s royal family. The indictment, which names two Saudi citizens and one American citizen, says that the individuals accessed personal information from dissident Saudi Twitter accounts as a means of determining the identities of the account owners. Some analysts have argued that the case underlines how tech companies with huge databases of user information are now targets for intelligence agencies in the same way that government entities have always been.
Also in 2019, antivirus software company Trend Micro announced that a rogue employee had sold data for 68,000 customers to a malicious third party. Even more damaging, a former Amazon Web Services (AWS) employee utilized her experience with the platform to steal customer data from a Capital One AWS storage space. The breach affected 106 million customers.
How can companies fight back against these threats? In the cybersecurity industry, the recommendation is to implement a policy called “zero trust.” Under this policy, organizations repeatedly verify that users or devices that are accessing the network or requesting information have the right to be there. Zero trust encourages a higher level of oversight of the devices that employees are using, the software and apps installed on those devices, and the context surrounding data requests.
Another critical protocol is to implement ongoing background checks. While ongoing background checks won’t identify all insider threats (many of the individuals behind these acts may not have been convicted of any crimes in the past), they can provide a way to monitor potential red-flag behavior. At backgroundchecks.com, we offer an ongoing criminal monitoring service to re-screen your employees monthly.