Insiders could use whistleblowing tools to steal data
Edward Parsons, senior manager in KPMG’s cyber security team, comments on the cyber security risks facing businesses in the wake of software being developed to aid whistleblowers. Increased corporate transparency is an important developing trend but he warns that companies need to be aware that these tools could be used by insiders to steal or leak huge volumes of sensitive data, further complicating the insider threat issue for business. He said:
“The Edward Snowden disclosures highlighted the potential for staff with privileged access rights to abuse those privileges to collate and leak massive volumes of sensitive data. Those motivated to leak data increasingly rely on technology to aid them to cover their trails and/or protect their identities. More recently, the development of open source software such as OnionShare and the Guardian’s SecureDrop, specifically designed to help whistleblowers leak information and avoid common forms of online surveillance, could pose a risk to businesses. These tools can be readily deployed by insiders to facilitate data leakage as a form of protest or, in the case of OnionShare, for more nefarious purposes, including crime and espionage.
“Transparency and trust in business have never been higher on the corporate agenda and an important part of this is that businesses should ensure they have internal whistleblowing systems that allow staff with genuine issues to have them addressed internally, so they don’t feel the need to leak data externally. If companies don’t offer appropriate whistleblowing systems, staff may be tempted to go elsewhere. We are in an age where misdemeanours are easy to leak and harder to mitigate.
“Businesses also need to be aware of emerging whistleblowing tools and consider how the development of such capabilities changes their threat landscape. Their technical and administrative controls should be calibrated to the threats they face.”