The (Inadvertent) Enemies Within
By Barb Shegog
Firewalls and other preventive measures can be all for naught if the hacker is voluntarily let in.
When thinking about cybersecurity, the first things that come to mind are usually firewalls, hacking, and, generally, unwanted outsiders trying to get in. Yet the growing risk in cybersecurity isn't that attackers are on the outside trying to get in: it's that they're already inside.
That is, they are let in by unwitting employees. Aside from phishing and other trickery, one area that raises concern is of the "loose lips sink ships" variety. In other words, unintentional insider sharing.
The explosion of social media use has made employees increasingly vulnerable to oversharing, both personally and professionally. The bad guys continue to invent innovative ways to get access to the company, and employees continue to help them do it. Incidents of employees clicking a spam link, or wiring money at the request of someone posing as a supervisor, are on the rise.
So, while the Internet has created products that make life easier for everyone, unfortunately these products also make it easier for criminals. That humblebrag post on Facebook about a wonderful trip to the Seychelles can give a hacker what is needed to impersonate you, your boss, or someone else with the authority to OK a million-dollar cash transfer.
Cyber threats grow
The fact that criminals are becoming more sophisticated has risk managers increasingly concerned. According to the charts to the right, ERM members feel that cyber-risk has not peaked. The good news is that most feel senior management and IT understand the cyber-risk present.
Members also unanimously said that a successful cybersecurity strategy focuses on prevention and response in the following ways.
Prevention. One corporate cybersecurity expert who presented at the Corporate ERM meeting explained to members that one layer of his team is dedicated to prevention. This company also has a security engineering team that is aligned to the business teams. The prevention team looks for operational issues and drives programs to prevent bad things from happening. A cybersecurity focus is critical to a functioning defense program, the expert said, noting that his company's defense plan is built on a standard framework that has evolved through several acquisitions. So far it has been effective.
Response. Despite the best prevention efforts, bad things will happen. That’s why many members have security operations response teams running 24/7. To supplement the team, ERM members use several approaches to bolster their cybersecurity efforts including the use of external consultants and peer networking.
Going somewhere?
Several members also described a growing problem of data leaving the company, which is getting easier as data becomes easier to transport. Members suggested several ways to improve monitoring of this "walking data." One corporation monitors for unusual employee patterns, such as several out-of-character large downloads or emails sent with large attachments. Another said it uses document templates that cannot be copied.
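As an added illustration of the "unusual employee patterns" monitoring mentioned above (this is not code from the article or from the corporation described; the log formats, field names, thresholds and every log line are constructed for the example), the following Python script flags days on which a user's download volume is far outside that user's own history, flags outbound mail with large attachments to domains outside the company, and then lists users who show up in both:

```python
"""Added example, not from the article: a toy insider-exfiltration detector.

Both logs below are constructed for illustration. The field layouts
(date user bytes / date sender recipient_domain bytes), the internal
domain list and the thresholds are all assumptions for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Constructed daily download totals from a file server: date, user, bytes.
# alice's last day is the out-of-character spike; bob is steady; carol has
# too little history to judge.
DOWNLOAD_LOG = """\
2024-03-01 alice 120000000
2024-03-02 alice 100000000
2024-03-03 alice 110000000
2024-03-04 alice 130000000
2024-03-05 alice 115000000
2024-03-06 alice 105000000
2024-03-07 alice 125000000
2024-03-08 alice 4000000000
2024-03-01 bob 50000000
2024-03-02 bob 55000000
2024-03-03 bob 45000000
2024-03-04 bob 50000000
2024-03-05 bob 60000000
2024-03-06 bob 40000000
2024-03-07 bob 50000000
2024-03-08 bob 50000000
2024-03-07 carol 20000000
2024-03-08 carol 3000000000
"""

# Constructed outbound mail log: date, sender, recipient domain, attachment bytes.
MAIL_LOG = """\
2024-03-08 alice partner.example 8000000
2024-03-08 alice mailbox.example 52000000
2024-03-08 bob corp.example 80000000
2024-03-08 dave bigfiles.example 30000000
"""

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the company's own mail domain(s)


def parse_log(text):
    """Split whitespace-separated lines into tuples; the last field is a byte count."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            rows.append(tuple(fields[:-1]) + (int(fields[-1]),))
    return rows


def flag_downloads(log_text, zscore=3.0, min_days=5, min_bytes=500 * MB):
    """Return (date, user, bytes) for days far above that user's own baseline.

    The baseline is the mean and population stdev of the user's OTHER days
    (leave-one-out), so a spike cannot inflate the baseline it is judged
    against. Users with fewer than min_days of history are skipped rather
    than guessed at, and min_bytes stops tiny jitter on a flat baseline
    (stdev near zero) from raising alerts.
    """
    per_user = defaultdict(list)
    for day, user, nbytes in parse_log(log_text):
        per_user[user].append((day, nbytes))

    flagged = []
    for user, days in per_user.items():
        if len(days) < min_days:
            continue
        for i, (day, nbytes) in enumerate(days):
            others = [b for j, (_, b) in enumerate(days) if j != i]
            threshold = mean(others) + zscore * pstdev(others)
            if nbytes >= min_bytes and nbytes > threshold:
                flagged.append((day, user, nbytes))
    return flagged


def flag_mail(log_text, max_external_bytes=20 * MB, internal=INTERNAL_DOMAINS):
    """Return (date, sender, domain, bytes) for large attachments leaving the company.

    Internal recipients are ignored: a big attachment to a colleague is
    routine; the same attachment to a personal webmail domain is not.
    """
    return [
        (day, sender, domain, nbytes)
        for day, sender, domain, nbytes in parse_log(log_text)
        if domain.lower() not in internal and nbytes > max_external_bytes
    ]


def prioritise(download_hits, mail_hits):
    """Users who both pulled an unusual volume and pushed it outside come first."""
    down_users = {u for _, u, _ in download_hits}
    mail_users = {s for _, s, _, _ in mail_hits}
    return sorted(down_users & mail_users)


if __name__ == "__main__":
    downloads = flag_downloads(DOWNLOAD_LOG)
    mails = flag_mail(MAIL_LOG)
    for hit in downloads:
        print("download spike:", hit)
    for hit in mails:
        print("large external attachment:", hit)
    print("review first:", prioritise(downloads, mails))
```

On the constructed logs only alice's 4 GB day is flagged as a download spike (her other days sit within a few percent of each other, so the threshold is about 145 MB), bob's flat history produces nothing, and carol is skipped for lack of history rather than alerted on a guess. Two external attachments are flagged, and alice, who appears in both lists, is the one to look at first. A real deployment would compute the baseline from a rolling window rather than the whole log and would tune min_days, zscore and the size floors to the business.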
Members offered other ways to boost defenses, including:
The bug bounty—using ethical hackers and security professionals willing to help find vulnerabilities.
Phishing tournaments—employees are sent fake links to see if they click through.
Spam contests—employees receive points for turning in spam email.
Anti-fraud culture
It is important that business units understand cyber-risk is a business risk and not just an IT risk. Marketing can help here with cultural awareness and encouraging employees to be vigilant. But beyond this, companies also need to have a robust response team ready to go in case any bad things do happen.