[1]By Legal Futures’ Associate Amazing Support [2]
This may come as a shock to many lawyers but the amount of threats (as defined by CSOs, IT managers and security specialists) are found within the confines of a firm itself. Yes, hackers do still exist and there are times when they succeed in their nefarious deeds and penetrate security measures and cause a breach. And, while this type of cyberthreat is the kind to be highlighted in the front pages of newspapers and magazines, it represents but a small fraction of cybersecurity threats to a firm.
Whether they want to believe it or not, the biggest threat to the overwhelming majority of firms comes from within. Whether their actions were intentional or not, employees not hackers are considered to be larger threats to a firm’s security. Most alarming is that these incidents of error are not decreasing, but are increasing steadily.
In a recent study by IBM, it was found that a third of all cyber attacks can be directly linked to the actions (or lack thereof) of its employees. Disgruntled employees who often have access to sensitive, and even classified, data are a likely cause. These employees simply copy the data to a flash drive or upload it to a third party cloud service, and just like that the firm’s security measures have been breached. These types of offenders are usually trained and know the ins-and-outs of the system enough to bypass its security protocols. These employees are methodical and act with deliberate intent, often having planned the heist for week or months ahead of time.
Then there are opportunists. These bad apples often stumble across a weak link in the security fence, quickly exploit it and harvest any and all data made available to them. They often do not know what to do with the data they just pilfered. If the data contains money that can be easily liquidated then that is the most likely course of action, however another likely event is that they would sell the information on the black market, which in this day and age is easily accessible via the Dark Web.
Finally, there is the last category which is a catch all for errors of omission. These can include anything from poor email handling strategies to bad decision making and phishing strategies. Basically, in this category employees do not intend to expose their company to a cyber threat, but because they failed to pursue the correct course of action, they have basically let the fox in the hen house.
The bad news is that these are very real scenarios and the roles that insiders play in putting the company in danger has been on a steep uptick. The good news is that strategies can be implemented to decrease such incidents and even eliminate them altogether (in some cases). Errors of omission, while broader, may be the easiest to tackle, that is because there are protocols that can be created to plug the leaks and fortify the wall of security that surrounds a firm’s systems. Email handling, web surfing and download protocols should be created and enforced throughout the organisation without exception. And yes, that includes the C-suite of executives.
The human component is a bit harder to deal with as you never know when the “switch” will be flung in the minds of people. What may be a great and stalwart employee one day, may very well be a malicious hacker the next day. Compartmentalisation of systems and restricting access to those that have been cleared to do so will definitely decrease the amount of intrusions and internal hacks that occur. Furthermore, making things just a little bit harder to access is often all it takes to deter or hinder the opportunist from going through with the crime. By creating a blacklist of sharing software and cloud services that can be run on company devices, you are effectively decreasing the number of outlets with which a disgruntled employee can smuggle out company data. Employ deep analytics that are able to track who has accessed what files and directories, and it should be able to send out a warning if file transfers are taking place.
It should go without saying, but it is still worth a mention that the easiest way to prevent a lot of intrusions and cybersecurity threats is to implement a data security plan. Many would be surprised at how the implementation of even the most minimal of security measures is effective at deterring a great deal of threats, both externally and internally. The amount of threats your company is exposed to just gets smaller, the more layers of security are added. While this last piece of advice may seem like a “no-brainer”, the sad fact is that more often than not businesses choose to operate without even the most basic of cybersecurity measures.
While it may seem normal, even natural, for firms to keep their vigilant eyes looking outwards, they should pay equal attention, if not greater, to the on-goings and threats that may come from within. So why then does it seem that only external attacks make the headlines? Well that’s because no firm ever wants to admit that it hires criminals or those that can be perceived as criminals. There are public relations and optics to worry about after all.
Now more than ever, firms must know or should know their employees on a much deeper level in an attempt to discern their motives, intent and whether or not they are seeking to harm the firm. This is not to say that firm’s should not trust their employees, indeed doing so may very well lead to that firm’s demise. However, the figures do not lie. Attacks are coming from within, and since firms are already investing in security to prevent attacks from without, it should not take that much more to implement measures from internal cyber attacks.