Is it possible that the biggest threat to a businesses data isn’t from outside forces but from the woman or man working inside the walls of your company? According to a September 2016 article in the Harvard Business Review (HBR), 60% of cyber attacks involved employees of the businesses hacked. Roughly 75% of those employees were directly involved in working with the hackers while the remaining 25% were careless or were somehow deceived into becoming unwitting participants in the data theft. In contrast to the hysterical headlines of 2012-2015 where big box retailers and celebrities appeared to be the only victims of cyber attacks, the IBM study identified the top three industries receiving the most cyber attacks as:
- Health Care
- Financial Services
The health care industry has critical personal information on a majority of a nation’s individuals. Manufacturing organizations have proprietary information on product design, manufacturing processes, and new product development. While financial services companies are the entry points to the global financial markets where currencies, bonds, and financial securities are traded virtually 24-hours each day. As an example, the Wall Street Journal reported in May 2016 that the FBI suspects an insider was involved in the theft of $81 million from the Bangladesh Central Bank. The attackers successfully transferred $100 million out of the bank’s account at the Federal Reserve Bank of New York. Officials have been able to recover about $20 million of the money. This is BIG business!
So, how do businesses prevent their employees from participating in cyber attacks? Well, it may be more difficult than you think. A study conducted by Clearswift, a global cybersecurity innovator and data loss prevention provider, found that some participants were willing to sell company data for as little as $155. Don’t panic, the percentage was only 3% but as the dollars figures increased, additional participants raised their hands and said count me in. Following is a breakdown of the results.
|Dollar Figure Offered||Percentage Willing to Sell Company Data|
|Unwilling to sell at any price||65.00%|
The Clearswift-sponsored survey polled more than 500 Internet technology decision makers and 4,000 employees in the United States, Europe, and Australia.
HBR reiterates that while restrictive security policies may seem to be a valid strategy to protect a business against careless or malicious employees, this impedes productivity, hamper innovation, and frustrate users. Fortunately, analytics and the rise of artificial intelligence (AI) make spotting potential insider threats easier and less intrusive. Following are items to consider when reviewing the security of your companies data:
Focus on the right assets- Identify the most-valuable systems and data and then give them the strongest defenses and the most frequent monitoring.
Apply deep analytics- Deep analytics and AI can uncover deviations in behavior at the level of individual employees.
Know your people- Understanding the users who hold the potential for greatest damage is critical.
Don’t forget the basics- Applying software patches automatically closes that open window before a hacker can use it to access your network. Enforcing strong standards for user identities and passwords. Collect all the data and forensics you can on every device that touches your network. Train your people, test them, and then try to trick them with fake exercises.
Randall Smith – 1stel Marketing Analyst