INTERNAL RISKS and THREATS
see also  witiger.com/ecommerce/ThirdPartyRisksOutsourcing.htm
see also  witiger.com/ecommerce/ThirdPartyRisks.htm
last updated 2017 Feb 22
 
This page is used in the following courses taught by Prof. Richardson
BIT 801
FSM 620
MGM 723
MGD 415
MGD 426
Sources of Internal Threats
Basically, you can divide Internal Threats into 3 basic sub-categories (existing employees, former employees, and employees of third parties). Some treatments of Risks and Threats also classify particular categories of customers as an internal threat, but for the purposes of our discussions, customers will come under the heading of external threats.
Sources of Internal Threats - Existing Employees
  • Existing Employees - malicious
    • who have some grudge against the company and have malicious intentions of creating a situation adverse to business operations
  • Existing Employees - accidental
    • who, through lack of training, or failure to follow SOPs, make some big mistake that creates a threat to business operations
Sometimes it is desirable to deal with the malicious actions of employees by using various password and user access restrictions to limit risk possibilities, but in practice, companies may be more vulnerable to employees who simply make big mistakes, like the IT executive who doesn't change his password from PASWORD and as a result is hacked by an outside source. This would not have happened if he had followed basic SOPs.
Sources of Internal Threats - Accidents

Existing Employees
  • Existing Employees - accidental
UTM student George N. emailed to provide an example of how an existing employee can make a bad mistake that costs a lot.

George said
"Hi Prof, I was doing some work for our MGD415 group project and I stumbled upon an article which I think qualifies for the Internal Risks/Threats. The article talks about how an employee of the Alaskan Department of Revenue accidentally deleted a disk drive containing information for an account worth $38 billion. I thought this was funny as the article came up right as I was writing about how our group intends to prevent happenings such as this from happening. Anyway the article talks about the number of people from different departments and organizations who had to get together to help fix the problem caused by the employee. Things got more interesting as the backup tapes that they were supposed to be using failed as well. As a result of this mess, the department had to request additional funding to cover the cost incurred in the recovery efforts as well as the cost for overtime and the hiring of computer consultants."

George says the story was carried on Yahoo
 yahoo.com/s/ap/20070320/ap_on_re_us/lost_data (link not working in 2013)

George added
"After reading the article, I wondered why did the department not check its backup procedures and equipment on a regular basis? This would have reduced the impact of the mess made by the employee. It would also seem ridiculous that an employee could "accidentally" delete such important information during routine maintenance work. I would assume that since the information was important, certain measures should have been implemented to prevent such mistakes in the first place."

Internal Threats - employees - growing?

There are differences of opinion as to whether Internal Threats caused by Employees are a growing or a declining percentage of the threats facing companies in the new millennium.
 
"Until recently, most information security breaches were initiated by insiders. However a study by the CSI Computer Security Institute and FBI indicates that this trend is rapidly changing. The findings indicate that the number of external attacks is growing because of the increased use of the Internet"

Greenstein, 2nd edition - page 215

Greenstein suggests that the threat from employees is becoming smaller than the external threat.

Other people suggest that the economic pressures of competitiveness and globalization are forcing more and more companies to intensify their productivity, which means more work out of fewer people.

Employees who are pressured to do more work are less happy about the company and the work environment, and more prone to take some action that would be a threat to the company's operations.
Internal Threats - employees
2006 July
Associated Press reported that a secretary working at Coke's head office in Atlanta "..is accused of helping two men steal trade secrets from her employer and try to sell them to rival PepsiCo Inc."
Urban legend always said that the secret formula for Coca-Cola was locked up in some big vault, but apparently it wasn't, and a secretary in the company was able to get access to it and took the opportunity to make some money.
AP reported "Stealing trade secrets is not uncommon in a competitive corporate culture where heavy premiums are placed on bringing an innovative new product or technology to market first. Joya Williams is accused of stealing confidential documents and a sample of a new Coke while working as an administrative assistant to the company's global brand director."
Sources of Internal Threats - Former Employees
  • Former Employees - malicious
    • who have some grudge against the company (for being laid off or fired, maybe) and have malicious intentions of creating a situation adverse to business operations
    • this is particularly troublesome when dealing with situations where a person in an IT dept. left a "digital bomb" behind
  • Former Employees - economic
    • some employees are enticed (sometimes by their new employers) to use their old company passwords and inside information to acquire confidential information
    • the most famous current example is the case of the Air Canada employee who was hired by WestJet and used his old AC userid and password to access AC passenger information for his new WestJet bosses
Sources of Internal Threats - Former Employees

"Former Employees Threaten Network Security" is the title of an article by Sharon Gaudin
 http://itmanagement.earthweb.com/career/article.php/3595456

Gaudin says
"...according to a 2005 survey done by the U.S. Secret Service in conjunction with CERT, more former employees than most might imagine are taking advantage of that opportunity. The survey shows that of the insiders who cause security breaches, 59 percent were former employees or former contractors."

(Searches of articles in 2010 and 2015 suggest the figure hovers around 60-70 percent of breaches caused by insiders.)


S.O.P.s
Gaudin mentions
"Sarbanes-Oxley, the [U.S.] federal law focusing on public company accounting reform, calls for the removal of access once an employee has left the company." 

Sources of Internal Threats - Employees of Third Parties
see also  witiger.com/ecommerce/ThirdPartyRisks.htm

As the global Competitive Environment becomes more intense and as the Economic Environment further encourages companies to cut costs, enterprises are increasingly outsourcing simpler functions to 3rd party entities, many of them in developing countries.

The main reason for outsourcing is to cut costs. 
see also witiger.com/ecommerce/ThirdPartyRisksOutsourcing.htm
The main way an outsourcing firm can maintain a client is by keeping costs low. Keeping costs low means cutting corners wherever possible, which can lead to problems for the original client.

An example in the early years of Y2K in Canada involved a bank executive who picked a low-priced IT outsourcing firm to dispose of old PCs. The outsourcing firm failed to wipe the hard drives, thereby allowing people who obtained this used equipment to access bank customer info.

This raises the possibility that identity theft could be committed against you even if you never bank online: your vulnerability could be through the bank's records, which end up being released to a 3rd party entity, which in turn has a leak.

Internal Risk - example

Mari-Lem De Guzman, in COMPUTERWORLD (www.ITworldcanada.com), April 28, 2006, wrote a good article titled "Bank Fraud Trail leads to former Outsourcing Help"

This story discussed how former workers at EDS stole money from account holders of the CSB Canada Savings Bond program. In writing this story, Guzman interviewed Joe Greene, Ottawa-based vice-president of IT security research for IDC Canada. www.idc.ca

Greene said "Corporate IT security is not just about protecting against external attacks like worms and viruses, but it's also about recognizing the potential of internal threats... you can have the best firewalls in the world, but if you let your guard down internally, you're still going to get burned".

In the class FSM 620 E-Business Opportunities: Financial Industry @ Seneca College, students
  • Zac H.
  • Eric H.
  • Rameez H.
in a group presentation in April 2007 made a PowerPoint presentation with some of the points noted in this unit plus some additional information. It can be viewed at
 witiger.com/powerpoints/IT~security/InternalRiskandthreats2007.ppt (link still works in March 2014)

see also "the problem of 'internal negligence'" http://www.computerworld.com.au/article/427471/security_threats_explained_internal_negligence/
 