Why Your Employees Are the Biggest Internal Security Risk
When a company’s cybersecurity is breached, most people assume – no matter where the business is located – that the hack was the work of an individual or group of nefarious people on the other side of the world. Somehow, it doesn’t seem like as much of a failure if the finger of blame can be pointed at an unaffiliated, anonymous hacker. But what most people don’t realize is that many cyber attacks are a direct result of the companies’ own employees’ actions. Ouch.
Numbers Don’t Lie
As recently as 2016, a report by IBM revealed that insiders carried out damaging cyber attacks in a full 60 percent of cases. While 25 percent of these incidents were of the inadvertent variety, three-quarters were driven by malicious intent. Though businesses vary greatly in the types and amounts of data at risk, the factor they have in common is the people working inside the facility or from home with access to the company’s network. When seeking commonalities, there are a handful of places where insider risks arise.
To Err is Human and Can be Costly
To grasp just how horrible a mistake a human computer operator can make, we need to look no further than the employee working at the Hawaii Emergency Management Agency back in January 2018 who mistakenly sent out a real alert of an incoming missile rather than the test message. The error was simple but catastrophic, nothing more than a mistake in a selection from the drop-down menu on his computer. For an agonizing 38 minutes, the island’s citizens believed they had only minutes to live.
The above example of human error should remind us exactly how easy it is for a trusted and dedicated employee to make a quick mistake on the company network, creating a bona fide disaster. Maybe it’s a telecommuter who accidentally accesses confidential data from an insecure home system, or an overworked IT administrator making a simple mistake that compromises an entire network’s infrastructure. Perhaps it is an employee who falls for the latest spear phishing scam.
A Few Malcontents Can Do Big Damage
Consider this: a single employee with the right security level could scoop up every password in sight and sell it to the highest bidder on the Dark Web. Just like that, any old guy or gal with a few bucks in their pocket could have access to competitive information, trade secrets, customer data, and more. The question becomes: how well do you know your employees? Is there anyone on staff who might compromise security as a profitable side business or who just harbors a grudge against the company? In either case, management has a big problem.
The Hacker as Puppet Master
One of the first things you learn in hacking school is how to compromise and exploit someone’s identity. Call it hijacking if you like. Whether access to a mark’s account is gained through malware or simple phishing, once inside, a determined hacker can leverage those stolen credentials into a host of dastardly activities. And in case you didn’t realize it, these people are aces at matching up employee information to information on freely available social media platforms. Think of it as falling dominoes. Once inside a corporate network and posing as an employee online, a skilled hacker can successively increase user permissions, gaining access to even more sensitive data as they go. By the time management figures out Bob from accounting is into the network way over his pay grade, it’s too late. The information (and the hacker) are gone without a trace.
The problem for too many business entities is that they are hyper-tuned to outside threats, so much so that they miss signs of insider malfeasance right under their noses. Because of this faulty way of thinking, anything from inside the company is considered safe until it’s too late. Once victimized by an inside breach, the IT security chief’s first inclination might be to lock down the whole network and implement a “trust no one” policy, which can do more harm than good when considering lost productivity, stifled innovation, and a frustrated workforce. How do you find the happy medium?
Pay attention to the important stuff: Not all information on the network is worth protecting as if it were Fort Knox gold. For example, the men’s room cleaning schedule? Probably not worth going to the ends of the earth to conceal. The goal is to identify the most valuable systems and data and put them behind the safest VPN providers and strictest security measures.
The intersection of Big Data and AI: Humans have more habits ingrained into their daily activities than they ever realize. The way they interact with technology forms a pattern, and an individual employee’s deviations from that usual pattern can be spotted through the use of analytics and artificial intelligence. The good news is that advanced analytics can process terabytes of data in minutes, quickly uncovering “invisible” habits and potential criminal activity. Scary? Maybe. Effective? Yes.
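A minimal sketch of the per-employee baseline idea described above, combined with the high-value data list from the previous point. This is an added example, not code from the article; the log format, user names, resource names, sensitive list and scoring weights are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (user, hour_of_day, resource); not from a real system.
HISTORY = [
    ("bob", 9, "ledger"), ("bob", 10, "ledger"), ("bob", 11, "invoices"),
    ("bob", 14, "invoices"), ("bob", 16, "ledger"),
    ("alice", 8, "hr-records"), ("alice", 13, "hr-records"), ("alice", 17, "payroll"),
]
NEW_EVENTS = [
    ("bob", 10, "ledger"),       # routine
    ("bob", 2, "source-repo"),   # new, sensitive, 2 a.m.
    ("bob", 15, "wiki"),         # new but low value
    ("alice", 23, "payroll"),    # known resource, odd hour
    ("carol", 9, "ledger"),      # account with no history
]
SENSITIVE = {"source-repo", "payroll", "hr-records"}  # assumed high-value list

def build_profiles(events):
    """Record the resources and working hours seen for each user."""
    profiles = defaultdict(lambda: {"resources": set(), "hours": set()})
    for user, hour, resource in events:
        profiles[user]["resources"].add(resource)
        profiles[user]["hours"].add(hour)
    return dict(profiles)

def score_event(profiles, event, hour_slack=2):
    """Return (score, reasons); the weights are illustrative assumptions."""
    user, hour, resource = event
    profile = profiles.get(user)
    if profile is None:
        return 1, ["no-baseline"]
    score, reasons = 0, []
    if resource not in profile["resources"]:
        score, reasons = score + 2, reasons + ["new-resource"]
        if resource in SENSITIVE:
            score, reasons = score + 3, reasons + ["sensitive-resource"]
    # Circular distance so 23:00 and 01:00 count as two hours apart.
    gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in profile["hours"])
    if gap > hour_slack:
        score, reasons = score + 1, reasons + ["unusual-hour"]
    return score, reasons

def flag(profiles, events, threshold=3):
    """Keep only events whose score reaches the review threshold."""
    scored = [(e, *score_event(profiles, e)) for e in events]
    return [(e, s, r) for e, s, r in scored if s >= threshold]

if __name__ == "__main__":
    for event, score, reasons in flag(build_profiles(HISTORY), NEW_EVENTS):
        print(event, score, reasons)
```

Only the 2 a.m. access to a sensitive resource the account has never touched crosses the threshold; the low-value new resource and the late-night access to a familiar one score below it, which keeps the review queue short.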
Last but Not Least…
We’ve already talked about identifying critical data. It is also important to identify and know the people with access to that data. It should be obvious these are the ones who hold the potential to do the most damage. While at some level you eventually have to trust them, don’t do so blindly. Screen, check and monitor like your life depends on it.