Sage Breach Illustrates Damage Malicious Insiders Can Cause

I’m often asked to provide an example of an insider threat. I think it is because no one likes to believe that someone inside would be so cruel as to purposely do harm to a business, to customers and to fellow employees. Mistakes made by an insider that result in compromised data are certainly bad, but rarely malicious.

But we know that malicious insiders are there, and an incident this week shows how much damage they can cause. It happened to a UK accounting software firm called Sage when an insider logged into an account for which he did not have authorized access. As Reuters reported:

The personal details of the employees of about 280 British companies were potentially exposed in the breach, a company source said. It was working to ascertain whether any data had been stolen, the source added.

As of this writing, I haven’t seen anything that clarified what the insider intended to do, if she was just curious and looking or if there was a more nefarious intent, as it appears that the company has not yet released any of that information. The insider was arrested, incidentally, at Heathrow Airport, giving the story a movie-style plot twist.

However, even without knowing what data may have been compromised or what the insider’s intent was, Sage is already feeling the brunt of the malicious activity. Its stock value has dropped. It will suffer through reputation damage. If information about Sage’s clients was leaked, there will be other penalties.

At the same time, Matthew Ravden, CMO at Balabit, said in an email statement that this insider breach is a good example of how difficult they are to detect. Preventative technologies that most companies use are powerless if the hacker is authorized to use the network. He continued:

Too much faith has been placed in password management systems, which a privileged user just logs into and is given unconstrained access to sensitive data. Organizations must put greater emphasis on monitoring and analyzing these users in real time to detect unusual activities and stop malicious acts from happening.

Insiders can pose a very serious threat to any company, Ravden added, and relying on nothing more than passwords as login credentials – and allowing those single passwords to access any company database – will continue to give malicious inside actors an open door to cause harm to the company and put client and employee sensitive data at risk. But there could be a solution (other than adding another authentication layer). Ryan O’Leary, vice-president of WhiteHat Security, told ComputerWeekly.com:

Data breaches of this kind highlight the importance of careful consideration around access privileges. Sometimes, the easiest way to mitigate an insider threat is to simply audit who has access to critical and sensitive data.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba.