Institutional data like student, employee, or patient records are vital to University of Iowa missions. They’re also tempting targets for crooks who use data to steal identities, demand ransoms, or accomplish other malicious ends.
Cybercriminals try to access data by hacking vulnerable systems or tricking people through phishing or other social-engineering scams. But they have another insidious weapon in their arsenal—the insider threat.
Insider threats come from employees, contractors, or other trusted individuals who abuse data-access privileges, often to commit fraud, sabotage operations, or gain an unfair advantage.
Insider threats can be as simple as copying data to a portable drive or emailing files to unauthorized users. Breaches like these—especially when they involve restricted or critical data—can be devastating, jeopardizing the university’s mission and reputation.
When to report a threat
You can help protect against insider threats by identifying and reporting suspicious behavior. Here’s what to look out for:
- Someone asking for information they know they’re not authorized to access
- Data-access requests that bypass normal university or departmental procedures
- Attempts to access someone else’s computer or work-related account
- Requests to access data centers, file storage, or other secure areas
Tell your supervisor about these and other behaviors that don’t feel right. Or report your concerns to the Information Security and Policy Office.
How to minimize insider threats
University employees, contractors, and others should only have access to data they need to do their jobs. Data custodians should regularly review data-access permissions and controls, in keeping with the institutional data policy.
Some steps anyone can take to prevent data breaches:
- Store sensitive information in approved locations—locking file cabinets, encrypted drives, etc. Ensure that only authorized individuals have access to these locations.
- Always lock your computer, workstation, or office when you step away, even if you’ll be gone only briefly.
- Never share your password or access credentials with anyone, including your supervisor. If you do, you’re responsible for their actions.
Not everyone who abuses data-access procedures does so to commit a crime. Insider threats can stem from bad intent or simple laziness.
Regardless, they pose a risk to the university and violate the trust of stakeholders. They can be cause for disciplinary action, including termination.
You never know who could pose an insider threat or how a threat might escalate. Keep on the lookout for risks and report any potential cause for concern.