A wide-scale data breach caused by insider threats and its subsequent regulatory investigation has resulted in costly consequences for Montefiore Medical Center in New York, including fines totaling almost $4.8 million.
With the origin of the leak traced back to an employee at the organization, this incident should serve as a wake-up call for businesses regarding their data security, and the specific risks posed by insiders.
The Montefiore incident is especially pertinent for companies working within highly regulated sectors such as healthcare and finance, but it’s clear that insider risks threaten companies across all industries.
Here’s what you need to know about the growing threat of insider risks, how to safeguard your business, and what lessons your company can learn from Montefiore’s data breach and the subsequent $4.75 million penalty levied against it.
Insider Threats: A Hidden Danger
The vast majority of organizations operating today take active steps to protect their sensitive data from various digital risks. Most of those efforts are aimed at stopping cybercriminals attempting to penetrate organizations from the outside.
But what about the risks posed by insider threats?
What is an Insider Threat?
As opposed to an external threat, such as a bad actor attempting to breach your systems via malware, phishing, or any other kind of cyber attack, an insider threat is a risk to your business’ data security that originates from within your organization.
In other words, anyone who enjoys a level of trust within your business, who has access to your organization's systems and assets, is a potential source of risk. Insider threat examples could be a senior-level executive, junior product manager, or even the receptionist - anybody who is a part of your business could theoretically become an insider risk.
Threats from insider risk can be placed into two main categories:
- Malicious, meaning that an employee intentionally set out to obtain data for nefarious purposes.
- Far more common, however, are insider threats stemming from ignorance or negligence. This could mean an employee inadvertently creating an opportunity for a breach, for example, by being too lax with permissions and access controls.
Who is an “Insider?”
Let’s break down who counts as an insider at your organization. As mentioned earlier, this category includes current employees at your business.
But it’s important to remember that other insiders may be partners, vendors, suppliers or contractors. That also includes external resources whom you haven’t worked with recently. They may still have access to your company’s systems, meaning that they remain potential insider threats.
It’s also critical to note that the risk of insider threats is continuously growing, thanks to the increasing creation of “third-party insiders,” meaning external collaborators with access to company assets. They are often added on a rolling, ongoing basis, making insider threat detection even more challenging.
According to our State of SaaS Data Security 2024 Report, companies created a staggering 10,000 new third-party insiders annually. On average, companies had 34,000 third-party insiders with access to their business data at the end of 2023, up 44% from 2022.
That’s not to mention the risks created by those third-party insiders sharing data with their own external collaborators (fourth parties.) On average, third-party insiders shared more than 3,000 assets with these fourth parties - and your company likely has no idea about this practice.
Why was Montefiore Medical Center Fined $4.75 Million?
Federal regulators recently levied a whopping $4.75 million penalty against Montefiore Medical Center for “data security failures.” In 2013, an employee of the medical center obtained the personal data of more than 12,000 patients.
Using Montefiore’s electronic medical record system, the employee downloaded the names, addresses, Social Security Numbers, and health insurance information of the patients, then sold that data for profit to an identity theft ring.
This triggered a federal investigation by the U.S. Department of Health and Human Services (HHS), which eventually discovered the origin of the breach.
Despite the fact that the breach, which violated HIPAA laws aimed at protecting patients’ medical information, was carried out by an employee with malicious intent, Montefiore was still found legally and fiscally responsible for the data leak.
The Montefiore incident is a prescient example of how insider threats, not just cyberattacks from criminals outside of your organization, can pose a major risk to your business.
Irreparable reputational damage, legal issues, and multimillion dollar penalties are just some of the potential outcomes that come along with insider threats that aren’t properly mitigated.
Could This Happen to Your Company?
In today’s digital landscape, most companies use SaaS systems in their daily workflows. While these cloud-based solutions streamline collaboration and make sharing information easier than ever, there are a number of risks associated with SaaS, including:
Your Insiders Publicly Sharing Company Assets
Whether due to convenience or a lack of understanding around the gravity of making specific assets viewable to all, it’s common practice for employees to set documents, slideshows, and other resources to “public.”
This means that anyone with a link to the asset can view it, which is inherently problematic when it comes to resources that contain business-critical data and private information.
Our State of SaaS Data Security 2024 Report found that, on average, companies had 178,000 Google Drive assets with public sharing, an increase of 25% since January 2023.
Companies also were discovered to have 7,600 Microsoft OneDrive publicly viewable assets, an almost 100% increase from the previous year.
Insiders sharing assets to personal email accounts
Startlingly, we also found that every single organization in our survey had at least one employee who shared company SaaS assets using their personal email account.
We discovered that 5% of all SaaS assets are shared via a personal email account.
In 2023, the average company had 1 out of every 6 employees regularly sharing data with their personal email account, and a total of 1.3 million assets shared via personal accounts.
The Speed of SaaS: Are You Prepared?
Another critical factor is that SaaS enables the exchange of information at lightning speed.
While this is great when it comes to teams collaborating and coordinating, it poses a huge challenge when sensitive data is exposed.
Once data is shared, it can be very easily copied and passed on - even if access to the original asset is retroactively restricted. All it takes is a few clicks, and business-critical data and private client information can be duplicated and visible to anyone willing to pay.
It’s clear that considering the speed at which information travels within SaaS solutions, businesses need to detect data exposures and work to remediate them as quickly as possible.
Preventing Insider Threat Data Breaches at Your Company
In order to create an insider threat strategy that works for your company, you should take user and business context into account when evaluating risk. Break down the definitions of normal behavior and the degree of access needed by department, HR status, device risk, and more.
You should continuously monitor data, like messages or files, shared over SaaS platforms, to identify insider slip-ups as soon as they happen - and ideally, even before the message or the file is sent!
Automatically implement remediation processes, such as blocking shares, triggering warnings or asking for user confirmation where assets with business-critical data are concerned.
However, it’s next to impossible to stay on top of all these processes manually to prevent a data breach in 2024. You need an automated SaaS security solution that provides real-time mitigation protocols and detection of emerging exposures, along with swift notifications that empower you to act fast.
DoControl’s comprehensive SaaS security platform ensures that your sensitive data is safe from the growing risk of insider threats. Our solution provides you with complete visibility into all layers of your SaaS application data, including all potential data exposures.
Talk to us today to learn more about how our SaaS security solution can protect your business from insider threats and ensure that you remain in control of your most sensitive data.