When most businesses think about cyber crime, they picture brute-force attacks by foreign agents or highly sophisticated hacker teams. Executives tend to assume that external forces well beyond their control account for the vast majority of security gaps.
But often the greater threat is from within.
66% of cyber security professionals surveyed for one report said that their employees are their weakest link in establishing a strong defense plan.
Below are three distinct types of employees who open up an organization to cyber risk to varying degrees.
Honest mistake makers
Many breaches are simply the result of honest user error: losing a phone or laptop, copying sensitive data to an unsecured device, falling for a phishing email, inadvertently installing malicious software, or misplacing physical files.
Social media company Snapchat learned this the hard way in 2016, when it fell victim to a version of the classic CEO-impersonation W-2 phishing scam. An attacker posing as the company's CEO emailed a payroll employee, who replied with W-2 payroll information on a number of current and former employees, exposing them to potential identity theft. The company then paid for fraud protection services for the affected employees.
An example of a W-2 phishing email: the message appears to come from an executive at the organization.
Careless risk takers
Careless employees can expose a company to serious attacks by clicking through security warnings while browsing the web, leaving networks misconfigured with weak or no security controls, or ignoring training and policy.
A classic example is the 2013 Target breach. An employee at one of Target's contractors opened a malware-infected email attachment, and the attackers used credentials harvested from that machine to log in to a Target vendor portal. Poor internal controls, including default passwords left in place on Target systems, let the intrusion spread widely and quickly, and the point-of-sale systems were not segmented from the rest of the network. Once inside, the attackers had free rein over customer data, including card numbers, and eventually stole more than 40 million credit and debit card numbers.
Although the attack was initiated from outside Target, the company's negligence on multiple levels made the breach far worse than it needed to be.
Malicious insiders
A third type of insider threat comes from disgruntled employees, angry former staff, and other malicious actors within an organization. Depending on the person's level of access, these attacks can cripple an organization.
One notable example is Roger Duronio, a systems administrator at UBS PaineWebber. Angry that his 2002 bonus came in well below the $50,000 he expected, he planted a "logic bomb" on the company's network, bought put options betting that UBS stock would fall, and then let the code detonate. It took down about 2,000 servers and caused more than $3 million in direct damages (and millions more in indirect costs). He was convicted in 2006 and sentenced to 97 months in prison.
So what can you do? How do you protect your organization from these three kinds of threat?
There are several ways that an organization can proactively address these possibilities and institute a culture in which data breaches are taken seriously.
Appreciate the sophistication of cyber attacks, your susceptibility to them, and their potential for damage to operations and brand reputation. Remain vigilant, and treat cyber crime prevention as a top priority at the firm.
A risk register helps the C-suite and department heads understand the company's cyber risk exposures. Once the risks are identified and mitigation options evaluated, the organization can plan how to strengthen its security.
Train employees regularly and vigorously on phishing scams
In addition to thorough training on cyber safety best practices (including simulated phishing campaigns that show who actually clicks), engage a firm to conduct penetration testing. This will let your organization identify weak points that were not visible before.
Implement a strong cyber security policy
Solid policies and procedures go a long way toward making cyber security part of the company culture. Your policy should include plenty of safeguards: email encryption and filtering, role-based "need to know" access, encryption of mobile devices, two-factor authentication, and rules on how sensitive information is handled.
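As an added example that is not part of the original article, here is the kind of email filtering rule the policy point above and the Snapchat W-2 incident call for: it parses a message's headers and flags the tell-tale signs of executive impersonation (an executive's display name on an outside mailbox, a Reply-To that diverts replies elsewhere, or a forged internal sender that failed DMARC). The company domain, the executive name, and the three sample messages are constructed for this example.

```python
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: a hypothetical company and executive.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}  # casefolded display names of executives
PAYROLL_WORDS = ("w-2", "w2", "payroll", "wire transfer")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw_message: str) -> list[str]:
    """Return human-readable reasons this message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", "") or "")
    from_domain = _domain(from_addr)
    name_key = " ".join(from_name.split()).casefold()

    # 1. An executive's display name on a mailbox outside the company domain.
    if name_key in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append(
            f"executive display name '{from_name}' on external domain '{from_domain}'"
        )

    # 2. Reply-To pointing somewhere other than the visible sender:
    #    replies (and any attached W-2 data) go to the attacker, not the executive.
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or "")
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain '{_domain(reply_addr)}' differs from From domain '{from_domain}'"
        )

    # 3. The company's own domain in From, but the receiving MTA recorded a DMARC failure:
    #    a forged internal sender.
    auth = (msg.get("Authentication-Results", "") or "").lower()
    if from_domain == INTERNAL_DOMAIN and "dmarc=fail" in auth:
        findings.append("From claims the internal domain but DMARC failed")

    # 4. Payroll or tax wording raises the stakes, but only counts alongside another finding.
    subject = msg.get("Subject", "") or ""
    if findings and any(w in subject.lower() for w in PAYROLL_WORDS):
        findings.append(f"subject mentions payroll/tax data: '{subject}'")

    return findings


# Constructed sample messages (not real traffic).
PHISHING_SAMPLE = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <ceo-office@example-mail.net>
To: hr@example.com
Subject: Urgent: W-2 copies for all employees
Authentication-Results: mx.example.com; dmarc=none header.from=gmail.com

Please send me PDF copies of every employee's W-2 today.
"""

FORGED_INTERNAL_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: W2 forms needed
Authentication-Results: mx.example.com; spf=fail dmarc=fail header.from=example.com

Send the W2 forms to me as soon as possible.
"""

LEGITIMATE_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Payroll calendar
Authentication-Results: mx.example.com; dkim=pass dmarc=pass header.from=example.com

Attached is next quarter's payroll calendar.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE),
                          ("forged internal", FORGED_INTERNAL_SAMPLE),
                          ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, "->", impersonation_findings(sample) or "no findings")
```

A rule like this belongs in the mail gateway or the ticketing hook that receives payroll requests; it is a cheap complement to user training, because the person being targeted is precisely the one whose job is to answer an executive's request quickly.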
Not sure where to start? Here’s a cyber policy example.