To quote President-Elect Trump‘s treatise on the huge challenges of cyber security, “I have a son—he’s 10 years old. He has computers. He is so good with these computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe, it’s hardly doable. But I will say, we are not doing the job we should be doing.”
Although Trump’s grasp of “the cyber” may be tenuous, he is correct that the security aspect is very, very tough.
So, although we may not always heed the talk and tweets of a billionaire business mogul who struggles with cyber security both in practice and as a phrase, businesses would be poorly served to disregard technological threats.
The business costs of security failures are staggering, and only increasing. Per the Ponemon Institute’s 2015 Cost of Data Breach Study: United States, the average total organisational cost of a data breach is $6.53 million, or about $217 per compromised record. Further, the hidden costs, such as lost customer goodwill, reduced acquisition of new clients and rising insurance premiums, are far harder to quantify.
So, what should businesses and organisations be aware of when assessing technological vulnerabilities? Well, before worrying about the threat presented by secret government backdoors, zombie botnet armies, Russia, or “somebody sitting on their bed that weighs 400 pounds,” they should engage in some self-examination. According to the 2016 Cyber Security Intelligence Index, 60% of all attacks were carried out by organisational insiders.
Of these, approximately 75% involved malicious intent, with the remainder attributed to “inadvertent actors.” Consequently, whether carried out with or without malice, the greatest technological threat to an organisation lies within its own walls, and specifically with its own workforce.
Human error comes in many forms: emails sent to the wrong recipients, stolen devices, confidential data sent to or stored on insecure home systems. Whatever the form, human error is a leading cause of security breaches. The highest-risk actors within a company are often well-meaning IT administrators: their broad access to company infrastructure means a single mistake can be catastrophic.
This past August, UK software company Sage reported that personal information and banking details of employees at about 300 of its client companies had been accessed using an internal log-in. Although it is not uncommon for systems to be compromised by a company’s own employees, what looks like an insider breach may in fact be an external attack carried out with stolen credentials. Credential leaks are increasingly common, and people often reuse the same username and password combination across many websites and systems. A well-intentioned employee who logs into both a personal email account and the company portal with the same credentials therefore gives an attacker who obtains one set of credentials access to the other.
Cyber criminals are well versed in the means and methods of assuming identities. As mentioned above, employee accounts may be compromised via stolen credentials, malware or phishing. Phishing, however, is becoming a preferred means of attack because of the treasure trove of information available on social media such as LinkedIn and Facebook, which makes targeted phishing emails especially easy to craft. Whatever the entry route, once an employee account is compromised it can be used as a foothold to reach more sensitive information.
The attackers can read email and conversations, and even send messages under the stolen identity, which greatly expands their reach.
Insider threats to company cyber security are insidious. Their access and activities occur within trusted systems and under trusted accounts. Consequently, they fly below the radar of many detection strategies and technologies. In the case of malicious actors, evidence of the bad acts may be erased shortly afterwards to further complicate investigation. Therefore, the best defence is a proactive one. Things to consider include:
- Implement data security awareness and training.
- Run simulated phishing attacks to identify susceptibility.
- Implement full-disk encryption of devices and portable storage media.
- Implement and maintain policies and procedures based on the least-privilege principle.
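Because an insider or a stolen account operates inside trusted systems, a useful complement to the measures above is to baseline what each account normally touches and to alert on deviations, while also checking the audit trail itself for signs of tampering. The following Python script is an added illustration written for this page, not code from the original article or from any product it mentions. The log format, the user names, the resource names and the business-hours window are all assumptions; the log lines are constructed sample data.

```python
"""Baseline-and-deviation check for trusted-account activity, plus a simple
audit-log tamper check. Added illustration; the format and data are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): sequence number, timestamp,
# user, action, resource. Entry 1009 is deliberately missing to simulate a
# deleted record, and bob's early-morning payroll export simulates a
# compromised or malicious account stepping outside its normal footprint.
SAMPLE_LOG = """\
1001 2016-08-01T09:12:00 alice read hr/payroll
1002 2016-08-01T09:40:00 alice read hr/payroll
1003 2016-08-01T10:05:00 bob read eng/source
1004 2016-08-02T09:30:00 alice read hr/payroll
1005 2016-08-02T11:00:00 bob read eng/source
1006 2016-08-02T14:00:00 bob write eng/source
1007 2016-08-03T02:17:00 bob read hr/payroll
1008 2016-08-03T02:19:00 bob export hr/payroll
1010 2016-08-03T09:00:00 alice read hr/payroll
"""


def parse_log(text):
    """Parse the assumed five-column format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, ts, user, action, resource = line.split()
        records.append({
            "seq": int(seq),
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "action": action,
            "resource": resource,
        })
    return records


def find_sequence_gaps(records):
    """Tamper check: an append-only audit trail should have contiguous
    sequence numbers; a gap means entries were dropped or deleted."""
    seqs = sorted(r["seq"] for r in records)
    return [(prev, nxt) for prev, nxt in zip(seqs, seqs[1:]) if nxt != prev + 1]


def build_baseline(records, cutoff):
    """Per-user set of resources touched before the cutoff (the 'normal' footprint)."""
    baseline = defaultdict(set)
    for r in records:
        if r["ts"] < cutoff:
            baseline[r["user"]].add(r["resource"])
    return baseline


def flag_deviations(records, baseline, cutoff, business_hours=(7, 19)):
    """Alert on post-cutoff activity that is outside the user's baseline,
    outside business hours, or a bulk export. Returns (seq, user, reasons)."""
    start, end = business_hours
    alerts = []
    for r in records:
        if r["ts"] < cutoff:
            continue
        reasons = []
        if r["resource"] not in baseline.get(r["user"], set()):
            reasons.append("new-resource")
        if not (start <= r["ts"].hour < end):
            reasons.append("off-hours")
        if r["action"] == "export":
            reasons.append("bulk-export")
        if reasons:
            alerts.append((r["seq"], r["user"], reasons))
    return alerts


def analyse(text=SAMPLE_LOG, cutoff=datetime(2016, 8, 3)):
    """Run both checks: the baseline is learned from entries before cutoff,
    entries from cutoff onwards are scored against it."""
    records = parse_log(text)
    baseline = build_baseline(records, cutoff)
    return {
        "gaps": find_sequence_gaps(records),
        "alerts": flag_deviations(records, baseline, cutoff),
    }


if __name__ == "__main__":
    result = analyse()
    for prev, nxt in result["gaps"]:
        print(f"audit gap: entries between {prev} and {nxt} are missing")
    for seq, user, reasons in result["alerts"]:
        print(f"alert {seq}: {user} {', '.join(reasons)}")
```

On the sample data the script reports the missing entry between 1008 and 1010 and flags bob's two early-morning payroll accesses, while alice's routine payroll read passes. In practice the baseline window should cover weeks rather than days, the log should be shipped to a system the administrators being monitored cannot modify, and a gap or alert should be treated as a reason to investigate rather than as proof of wrongdoing.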
Once again quoting President-Elect Trump, “We have so many things that we have to do better, and certainly, cyber is one of them.”