Employee Error Accounts for Most Security Breaches

security breachesA recent study by a well-known information security company captures one of the most common information security fallacies: that information security is a technology problem. Most businesses view mitigating information security risks as falling squarely in the purview of their information technology department. However, this study reports that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking.1 While technological measures (e.g., anti-virus software, access controls, firewalls, and intrusion detection systems) are clearly important, their effectiveness pales in comparison to the benefits gained by effective security awareness training.

Just as troubling, another recent study found a 789% increase in e-mail phishing attacks containing malicious code, including ransomware, in the first quarter of 2016 over the final quarter of 2015.2 Phishing, which is an attempt to obtain confidential information or access by fraudulently posing as a legitimate company seeking information via e-mail, instant message or other electronic communication, specifically preys on employees who have not been trained to recognize the scam. A successful phishing expedition can result in the loss of confidential and financial information, system disruption and consumer litigation exposure. Every industry is impacted and at risk.

The results of these studies should serve as a clarion call to businesses. While we have long known that the human component is the key to improved security,3 it is also one of the most neglected areas in many business’ information security programs. Security awareness training for employees is one of the most important and effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Regardless of how much money and effort a business spends on its technological security measures, it cannot achieve an adequate level of security without addressing the human component.

Awareness training can ensure employees have a solid understanding of employer security practices and policies, as well as the tell-tale signs of an attempt to gain improper access to computer systems and confidential information. In contrast, uninformed employees are susceptible to mistakes, malware, phishing attacks, and other forms of social engineering. They can do substantial harm to a company’s systems and place its data at risk. The recent spate of ransomware attacks highlight just how critical the human element really is, as almost every one of those attacks resulted from human error.

First and foremost, it is critical that training programs have the participation of and include input from all relevant stakeholders at the company, including Human Resources, IT, Information Security, Legal, and Compliance.

Key aspects of any successful training program should also include the following:

  • Train on an ongoing basis. Avoid limiting training to when an employee is first hired or assigned to a new role in the organization

  • Train creatively, not just in a non-interactive classroom setting

  • Look for means to introduce interactivity into the training process

  • Have a means of measuring progress

To be truly effective, a security awareness program must provide “multiple methods of communicating awareness and educating employees as well (for example, posters, letters, memos, web based training, meetings, and promotions).”[1]

Training can be conducted through a number of means:

  • Classroom sessions

  • Webinars

  • Security posters and other materials in common areas

  • Brown bag lunches

  • Helpful hints distributed to employees via e-mail or corporate intranet posts

  • Simulated phishing attacks (e.g., systems that will periodically send phishinge-mail to employees attempting to lure them into clicking on an attachment or a hyperlink and then alerting the employee that they have engaged in an insecure activity)

Additionally, having comprehensive and understandable employee policies is critical to a company’s information security safeguards. Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error.

Finally, one of the most effective ways to increase employee security awareness is to help employees understand that good security practices can also benefit them personally. Being security-aware not only serves to protect their employer’s systems, but also helps in better securing the employee’s own personal data and computers. For example, by being more vigilant in identifying potential phishing attacks at work, the employee will become more vigilant in using home e-mail accounts and thereby protect their own data, photographs, financial accounts, etc.


1https://www.egress.com/news/egress-ico-foi-2016
2http://phishme.com/phishme-q1-2016-malware-review/
3 See, e.g., Common Sense Guide to Mitigating Insider Threats, 4th Edition.http://www.sei.cmu.edu/reports/12tr012.pdf.

Trade Secret Misappropriation: When An Insider Takes Your Trade Secrets With Them

Raymond Law Group LLC‘s Stephen G. Troiano recently had an article, Trade Secret Misappropriation: When An Insider Takes Your Trade Secrets With Them, featured in The National Law Review:

RaymondBannerMED

While companies are often focused on outsider risks such as breach of their systems through a stolen laptop or hacking, often the biggest risk is from insiders themselves. Such problems of access management with existing employees, independent contractors and other persons are as much a threat to proprietary information as threats from outside sources.

In any industry dominated by two main players there will be intense competition for an advantage. Advanced Micro Devices and Nvida dominate the graphics card market. They put out competing models of graphics cards at similar price points. When played by the rules, such competition is beneficial for both the industry and consumers.

AMD has sued four former employees for allegedly taking “sensitive” documents when they left to work for Nvidia. In its complaint, filed in the 1st Circuit District Court of Massachusetts, AMD claims this is “an extraordinary case of trade secret transfer/misappropriation and strategic employee solicitation.” Allegedly, forensically recovered data show that when the AMD employees left in July of 2012 they transferred thousands of files to external hard drives that they then took with them. Advanced Micro Devices, Inc. v. Feldstein et al, No. 4:2013cv40007 (1st Cir. 2013).

On January 14, 2013 the District Court of Massachusetts granted AMD’s ex-parte temporary restraining order finding AMD would suffer immediate and irreparable injury if the Court did not issue the TRO. The TRO required the AMD employees to immediately provide their computers and storage devices for forensic evaluation and to refrain from using or disclosing any AMD confidential information.

The employees did not have a non-compete contract. Instead the complaint is centered on an allegation of misappropriation of trade secrets. While both AMD and Nvidia are extremely competitive in the consumer discrete gpu market involving PC gaming enthusiasts, there are rumors that AMD managed to secure their hardware to be placed in both forthcoming next-generation consoles, Sony PlayStation 4 and Microsoft Xbox 720. AMD’s TRO and ultimate goal of the suit may therefore be to preclude any of their proprietary technology from being used by its former employees to assist Nvidia in the future.

The law does protect companies and individuals such as AMD from having their trade secrets misappropriated. The AMD case has only recently been filed and therefore it is unclear what the response from the employees will be. What is clear is how fast AMD was able to move to deal with such a potential insider threat. Companies need to be aware of who has access to what data and for how long. Therefore, in the event of a breach, whether internal or external, companies can move quickly to isolate and identify the breach and take steps such as litigation to ensure their proprietary information is protected.

© 2013 by Raymond Law Group LLC