Not all insider threats are malicious. Many problems come down to laziness, carelessness, inattention, or plain mistakes. How does Murphy's law for cybersecurity go again?
Social engineering is when someone (usually a criminal) tricks you by exploiting your good intentions and the everyday routine of simply getting your work done.
What happened when attackers wanted to tamper with point-of-sale credit card systems?
At Michaels they were not turned away. They were allowed to install their own card-reading devices, because no one checked whether the work was sanctioned by corporate (there was no process for checking), and sales associates go along with a social engineering scam if it is well executed.
The attackers then captured the card data of every shopper who paid at those terminals.
Here are some uncomfortable insider threat truths:
- The average attacker stays hidden in the network for 140 days.
- 45% of IT personnel have knowingly circumvented their own policies.
- The total cost of data breaches has risen 29% since 2013.
- 20% of organizations have experienced a BYOD (Bring Your Own Device) breach.
- 78% of people who are aware of the risks of unknown links still click on them anyway.
- 65% of professionals identified phishing and social engineering as the biggest security threat.
- 70% of millennials admitted to bringing in outside applications in violation of IT policy.
- Trade secrets lost: an employee of a company's trusted business partner stole the information before accepting a job with a competitor.
- Data loss through virtual machines: closely guarded source code can be exfiltrated inside a virtual machine, which is hard to detect.
- Insecure file sharing (Dropbox and the like): employees quit abruptly, and former employees retained access to the cloud share.
There are many more stories of businesses not double-checking as they should.
When we do not double-check, a single mistake can grow into a serious one, and it mushrooms from there.
The biggest problem with cyber attacks is that they are hard to find and hard to attribute (work out who did it so they can be blamed or arrested). That is why a successful attack takes so long to discover (140 days or more).
If you have not thought about this, it is high time you did. Cyber attacks are becoming more sophisticated and can cripple your business by taking over key pieces of machinery. As we move into the new year (2018), if no thought has gone into cybersecurity, now is the time, because the fix is neither very hard nor very costly compared to the damage to your reputation.
There are concrete actions that minimize the risk.
An attacker stays hidden for so long that you will not know what is happening until it is too late. Do you know how most companies find out? When the authorities contact them with the bad news.
There are many bad-news scenarios:
Company trade secrets lost to a competitor: an employee of the company's trusted business partner stole the information before accepting a job with the competitor.
Insecure file sharing: Dropbox and similar programs can be abused by employees before they leave for other jobs.
More real-life scenarios are cataloged in this YouTube video by the SEI (Software Engineering Institute) at Carnegie Mellon.
Although each person makes their own decision between good and evil, you have to help them make the right one by setting up checks and balances within your company and letting everyone know that their actions are reviewed. Then, if something does happen, there is a paper trail, and it cannot be "lost", which is always the evil thought (they won't find me).
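Added example (not from the original post or from SEI): a tamper-evident audit trail, the kind of paper trail that cannot quietly be "lost". Each entry's hash covers the previous entry, so deleting or editing any record breaks the chain at that point, and a simple separation-of-duties check flags approvals that need a second pair of eyes. The actors, actions, targets and log format are constructed for illustration.

```python
"""Tamper-evident audit trail: each entry's hash covers the previous entry's
hash, so deleting or editing any record breaks the chain at that point."""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hypothetical fixed anchor for the first entry


def _entry_hash(seq, prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, actor, action, target, ts=None):
        """Append one privileged action, chaining it to the previous entry."""
        rec = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
        }
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "record": rec,
                 "hash": _entry_hash(seq, prev, rec)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain. Returns (True, None) if intact, else (False, index)
        of the first entry whose position, link or contents do not match."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i  # an entry was removed, reordered or relinked
            if e["hash"] != _entry_hash(e["seq"], e["prev"], e["record"]):
                return False, i  # the record itself was edited
            prev = e["hash"]
        return True, None


def self_approvals(log):
    """Separation-of-duties check: sequence numbers of approvals where the
    approver is the same person who granted the access being approved."""
    grants = {(e["record"]["actor"], e["record"]["target"])
              for e in log.entries if e["record"]["action"] == "grant_access"}
    return [e["seq"] for e in log.entries
            if e["record"]["action"] == "approve_access"
            and (e["record"]["actor"], e["record"]["target"]) in grants]


def build_sample_log():
    """Constructed sample entries; the actors and targets are made up."""
    log = AuditLog()
    log.record("alice", "export_report", "customer_db", "2018-01-03T09:12:00+00:00")
    log.record("bob", "grant_access", "share/finance", "2018-01-03T09:40:00+00:00")
    log.record("bob", "approve_access", "share/finance", "2018-01-03T09:41:00+00:00")
    log.record("carol", "revoke_access", "bob", "2018-01-05T17:02:00+00:00")
    return log


def delete_entry(log, seq):
    """Simulate an insider quietly removing one line from the stored log."""
    clone = AuditLog()
    clone.entries = [copy.deepcopy(e) for e in log.entries if e["seq"] != seq]
    return clone


def edit_record(log, seq, field, value):
    """Simulate an insider rewriting a field of an existing entry in place."""
    clone = AuditLog()
    clone.entries = copy.deepcopy(log.entries)
    clone.entries[seq]["record"][field] = value
    return clone


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())                                          # (True, None)
    print("entry 1 deleted:", delete_entry(log, 1).verify())                # (False, 1)
    print("entry 0 edited:", edit_record(log, 0, "target", "none").verify())  # (False, 0)
    print("self-approvals needing review:", self_approvals(log))            # [2]
```

The caveat a practitioner will want: a hash chain only proves tampering if the latest hash is anchored somewhere the insider cannot reach (exported regularly to a separate log host, signed, or printed for the review meeting). Someone with write access to the whole file can recompute every hash after the change, so the trail must leave the machine it was written on.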
The key is to get your company up to speed with what the bigger companies do (the enterprise companies, 1,000 computers and larger).
Contact us. As a CISA-certified consultant we can help you with GRC (Governance, Risk, Compliance). An enterprise company does things in a way that always leaves a trail, so that a criminal, internal or external, can be found.