Insider threats: Overlooked but dangerous
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
November 25, 2024
Insider threats are one of the most underestimated risks in cybersecurity. While organisations often focus on external attacks, the reality is that the most devastating breaches often come from within. In the Nigerian and African markets, and even globally, insider threats remain a growing concern. These threats can come from careless employees, disgruntled staff, contractors, or even well-meaning individuals who compromise security.
A fintech startup in Lagos recently faced a major data breach after an employee fell for a phishing email. The email seemed to come from a trusted vendor, asking the employee to verify account details through a link. Believing it to be legitimate, the employee provided their login credentials, unknowingly granting cybercriminals access to sensitive customer data. The aftermath was severe, with customer trust eroded and regulatory penalties imposed under the Nigeria Data Protection Regulation. This incident underscores the reality that insider threats often start with simple human error. Organisations need to prioritise regular cybersecurity awareness training, ensuring employees are equipped to recognise and resist phishing and other social engineering tactics.
In another case, a mid-sized retail company in South Africa suffered financial losses after a disgruntled former employee accessed its systems and leaked confidential contracts to competitors. Despite being terminated, the employee’s system access had not been revoked promptly. This negligence cost the company dearly, both in lost revenue and reputation. It is a stark reminder that offboarding processes must include immediate revocation of all access privileges. Organisations must also implement regular access reviews to prevent outdated credentials from becoming a liability.
Contractors and third-party vendors also pose significant insider threats. A telecom company in Kenya hired a contractor to manage customer data but failed to enforce strict data governance measures. The contractor accessed the database and sold personal information, including customer names, phone numbers, and payment histories, to third parties. The fallout included customer complaints, public outcry, and regulatory scrutiny. This scenario highlights the importance of robust third-party management, including clearly defined contracts, access controls, and regular audits.
Not all insider threats stem from malicious intent. In a multinational organisation with African operations, a senior manager unintentionally caused a major data breach by transferring sensitive customer information to a personal device to work from home. The device, lacking encryption, was lost, resulting in a leak that triggered legal and regulatory consequences, particularly in jurisdictions like the EU under GDPR. This incident illustrates how even well-intentioned actions can have dire consequences. Companies must establish and enforce clear policies on data handling, implement encryption tools, and restrict the transfer of sensitive information to personal devices.
Privileged access mismanagement is another recurring theme. In one Nigerian oil and gas company, which will remain unnamed here, a junior IT staff member exploited administrative privileges to share trade data with competitors. Investigations revealed lax oversight of privileged accounts and poorly defined access controls. This failure points to the critical need for organisations to adopt the principle of least privilege, ensuring that employees only have access to the systems and data necessary for their roles. Regular monitoring and auditing of privileged accounts can prevent such scenarios.
Insider threats demand a proactive and layered approach to cybersecurity. Organisations must establish clear policies, invest in employee training, enforce strict access controls, and monitor activity within their systems. The consequences of failing to address insider threats are often severe, not just in terms of financial losses but also in reputational damage and regulatory penalties. By recognising and addressing these risks, businesses across Nigeria, Africa, and globally can better protect their assets and build trust in an increasingly digital world.
- business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com