Computer breaches from Russian or Chinese hackers get the headlines, but the reality is you are more likely to be the victim of an insider. It turns out that as much as 60 percent of all attacks were carried out by insiders – either overtly or inadvertently.
The High Cost of Breaches
If it’s your business that falls victim, the cost can be high. Your company’s reputation can be damaged. Your clients or customers might feel less comfortable providing sensitive information. There also may be hefty costs to repair the damage. According to a study done by the Ponemon Institute, the average cost for each stolen record containing confidential or proprietary information is $148. This includes the hard costs to uncover the breach and repair the damage, such as having to send out notices to every record holder. There may also be fines for failing to adequately protect the data in accordance with compliance regulations such as Sarbanes-Oxley, PCI-DSS, HIPAA or GDPR.
How Do They Get Inside?
Sometimes, it’s bad people doing bad things. But that’s not always the case. 58 percent of healthcare breach attempts involve inside actors, including using stolen laptops to obtain access credentials, installing malware, and stealing confidential data. These were obvious acts of people with bad intentions. Other times, lax security protocols lead to problems. The biggest breach ever of the U.S. National Security Agency (NSA) computers was an inside job when a 54-year-old former contractor took classified documents home without following security procedures. One of the most dangerous parts of inside jobs is that you may not be able to detect the breach. It may be perfectly fine for employees to have access to the information, so no warning bells go off. It’s what they do with the data that’s the issue. If they have malicious intent, they may be able to avoid detection or cover their tracks. However, employees who fail to take security seriously are your biggest risk.
It’s not just disgruntled employees or malicious acts that lead to breaches. In fact, the majority of breaches occur fairly innocently. By clicking on a spoofed email or another phishing attack, your team members may allow malware to be installed. A message saying you need to update your anti-virus software or have an outstanding invoice may lead to giving up login credentials. The Cancer Treatment Centers of America has been hit twice within the past year. The data of 42,000 patients was exposed when an employee clicked on a phishing email and gave up their login credentials. In another case, personal information and passwords of 145 million eBay users were exposed. Forensic investigators traced the breach back to the credentials of three corporate employees. Cyber criminals had access to the company’s complete network for more than 200 days before it was discovered. That’s not unusual. 80 percent of breaches aren’t discovered for several weeks. The average time it takes to identify a breach is 197 days. That means hackers have access to company servers for more than half a year on average. There are also two growing trends that play a role in your cyber security: BYOD (Bring Your Own Device) and Shadow IT.
Bring Your Own Device
Employees are mixing business and personal devices on the job more than ever. Accessing company information on a personal cell phone may bypass the security measures the company’s IT staff has in place on company-owned devices. Employees who send confidential information to their home computers or log in from home can expose company data and systems to additional threats. Compounding the problem is the fact that apps downloaded to personal devices can be malicious in nature. As security compliance company Cimcor points out, “In some cases, malicious apps have the potential to take control over the user’s mobile device. This can result in surveillance, unexpected data or call charges, or loss of personal or work information. Your users need training on app best practices. This knowledge-based training should include the importance of only downloading content from app stores. In many cases, malicious mirror or personal apps are downloaded through webpages.” You’ve heard the expression that you’re only as strong as your weakest link? Regardless of what security systems and procedures you’ve set up in the workplace, your data and your company’s IT systems may be compromised by something on an employee’s personal phone or computer.
Employees will also bypass security protocols and start using software or apps they feel they need to do their job. While well-intentioned, this so-called “Shadow IT” can invade your networks and systems without the proper vetting by security professionals. This lack of Quality Assurance testing before installation can cause exposure that your IT team may not even know about. It’s more prevalent than you might think. Research by the Everest Group found that upwards of 50 percent of the spending in IT doesn’t go through a sanctioned IT process. That number may seem high, but when you include things like cloud-based sales software, department-specific applications, or personal devices, you can see how it might add up if your IT leadership isn’t on top of it. This means major chunks of your IT ecosystem may not be protected regardless of the policies you put in place. So how do you organizationally deal with Shadow IT while still maintaining productivity from employee workgroups? This starts with educating employees about the implications of Shadow IT gone wrong and ultimately should lead to an open dialogue between IT and workgroups within the organization. For example, if sales is considering a new automation tool, they should have an open line of communication with IT about how the tool can be implemented within their security structure to ensure company or customer data isn’t at risk. The solution may be to build the tool internally or develop an integration between systems to accomplish the same goal without having to use a third-party tool that can create security gaps.
As Aubrey Spath, Senior Solutions Architect at Soliant Consulting, states, “In some cases, IT is aware of a specific workgroup’s challenges and is actively trying to find an application to address them.” Spath continues, “Rather than encourage and support them in an endeavor to patch together a shoddy collection of home-grown or slickly-marketed tools built by amateur developers, consider building a custom solution for their needs.”
Practical Steps To Mitigation
As a CEO or top manager, you need to make sure your IT leadership is following cyber-safety and security protocols:
Security Governance
- Information security governance to set policies, priorities, and mitigation steps
- Compartmentalizing data so that only the people that need access as part of their job duties actually have access
Meeting Industry-Specific Compliance Regulations
- Assigning responsibilities for oversight
- Ongoing risk/threat assessments
Managing Team Members
- Specific policies for team members for hardware and software
- Training for threat awareness and detection
- Regular compliance audits
Threats get more sophisticated all the time as cyber criminals evolve their techniques. It’s important to make sure your IT leaders are constantly learning and evolving their skills as well.
A Strategic Approach To IT/IS Policy
A strategic approach to IT/IS policy can limit your exposure and help protect your business. You can’t afford to take cyber-security lightly. It’s not a case of if you will fall victim, but more likely a case of when. 80 percent of IT business leaders surveyed anticipate experiencing a “critical breach” or cyber attack in the coming year.