Who’s to Blame for All These Breaches?


A provocative story at Data Breach Today suggests that companies may be blaming nation states for big breaches, instead of assessing their own security oversights—because the PR fallout is less damning. The piece cites a statement from Yahoo’s CISO who attributed its 2014 breach, which came to light just last week, to account information lifted by “a state-sponsored actor.” (There is currently no evidence to suggest otherwise.)

Looking at insiders, Data Breach Today’s Mathew Schwartz argues, “means that their organization would have failed to heed related warning signs, as in the case of the National Security Agency and Edward Snowden.” As such, he suggests that the Russians and Chinese are becoming scapegoats.

A month back, we wrote about the increased awareness of the distinction between an insider threat and an inside threat, to better outline how much illicit activity actually originates from within the enterprise. An insider attack frequently refers to the actions of a malicious employee. But an inside threat includes the above as well as (inadvertent) employee-enabled infiltration through, say, malware attacks—essentially, any threat that aims to compromise an enterprise’s security from the inside out. The latter has emphasized a pressing need for both east-west and insider-threat visibility, using entity-based security platforms that analyze employee behaviors in comparison to their own typical behavior as well as that of their peers.

The growth and severity of inside threats, however, are indisputable. The Harvard Business Review recently entreated companies to pay significantly more attention to what’s essentially transpiring in plain sight. That story cites the 2016 Cyber Security Intelligence Index, which found that “60% of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.”

The reality is that no matter the size or the scope of a breach, it’s often caused by an action, or failure, of someone inside the company. Holes in security, especially in the face of lawsuits and fines, are shortcomings no enterprise wants to divulge. And yet those squeamish conversations could be avoided altogether by simply, proactively confronting inside threats.