Brian Jackson - Fotolia
Ofcom data breach highlights insider threat
That a former employee of communications regulator Ofcom stole data should act as a warning about the insider threat in every organisation, say experts
UK communications regulator Ofcom has revealed that a former employee offered stolen – commercially sensitive – information to his new employer, highlighting the insider threat.
The man’s new employer, a major broadcaster, declined the offer and alerted Ofcom that its former employee had downloaded up to six years’ worth of data while still at the regulator, according to the Guardian.
The data had been provided by TV broadcasters to Ofcom and could have been used by rivals to gain a competitive edge.
Ofcom has alerted all the TV companies that were affected by the breach – the biggest known breach in the regulator’s history.
“This was a breach of the former employee’s statutory duty under the Communications Act and a breach of the contract with Ofcom,” the regulator said in a statement.
“Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner,” the regulator said, adding that the extent of the disclosure had been “limited” and “contained”.
Secuity industry commentators say the breach underlines the need for organisations to take seriously the threat of insiders wittingly or unwittingly leaking commercially sensitive data.
“Spotting cyber security incidents that arise from within a company can be particularly tricky, as the perpetrator may have legitimate access to sensitive data,” said Luke Brown, vice-president and general manager for Europe at security firm Digital Guardian.
“This breach shows that regardless of any defensive perimeter security, without taking steps to secure the data itself organisations can still fall victim of a significant data breach.”
Read more about the insider threat
- This survey of 500 cyber security professionals offers insight into the state of insider threats and solutions to prevent them.
- University of Greenwich data breach highlights the dangers of insider threats.
- Malicious employees are usually the focus of insider threat protection efforts, but accidents and negligence are often overlooked data security threats.
- This report from analyst group Quocirca looks at the challenges faced by organisations when it comes to the insider threat and the protection of sensitive information.
Measures to contain misuse
According to Brown, one answer is data-aware security technology which, in the case of Ofcom, could have prevented – or, at the very least, recorded – the employee downloading and copying sensitive data without approval or permission.
“This news should act as a warning to other businesses that they must start taking the problem of the ‘insider threat’ seriously,” he said.
Christine Andrews, managing director of governance, risk and compliance firm DQM GRC, said this type of data leakage is an extremely common and serious threat to businesses.
Andrews said research has shown that a quarter of employees would sell private company data and risk both their job and a criminal conviction for just £5,000.
“High-profile, targeted attacks – such as TalkTalk and Sony Pictures – generate fear in businesses from external hacking attempts; but, in this day and age, businesses need to be wary of both those on the inside as well as on the outside,” she said.
Data watermarking
However, Andrews said there are ways companies can keep an eye on their confidential information – even when it has left the building.
Data watermarking allows you to add unique tracking records, known as seeds, into your database. These monitor how your data is used outside your organisation's direct control.
“The service works for e-mail, physical mail, landline and mobile telephone calls and is designed to build you a detailed picture of the real use of your data,” she said.
Recent research by both government and private industry has highlighted the main weaknesses that make organisations vulnerable to insider attacks.
These include: poor management practices, poor use of auditing functions, a lack of protective security controls, a lack of role-based security risk assessments, inadequate corporate governance and a poor security culture.
There are five key areas that organisations need to address to reduce the risk insider threats, according to Peter Wood, chief executive of security firm First Base Technologies.
These are: staff vetting, education, protective controls, detective controls and security testing.
