CISOs Reveal the Most Likely Culprits for Data Leaks

As an ITAD and data center migration company, Exit Technologies has a vested interest in data security. In this regard, we consulted with several CISOs on the topic of cybersecurity. Specifically, what challenges currently affect data security, and what they view as the largest culprits responsible for data leaks in recent times.

Interestingly enough, from what we learned from the range of individuals we spoke to, there was one common thread.

Human Error

Said Yassin, the CISO at Bank of Richmondville, told us: “more than 95% of all incidents cited human error as a contributing factor to the attack/breach/leak.”

He advised on the steps that can be taken to minimize these incidents: “Employee behavior can be rectified with more training and vigilance. It is also critical that moving forward, companies put in place policies and procedures to prevent negligence when protecting consumer data.”

Goran Kunjadic, the CISO for NLB Banka Beograd, elaborated on this: “Users are usually the weakest link in the security chain. [If you want to break in] you can just follow the bank employee with the mobile device trying to intercept his/her communication. Or you can infect his/her device with malicious code in order to collect data automatically.

“Even the most careful users are making mistakes from time to time... [which is] bad for data leakage, but good for attackers. Another important thing is that the top management can access [critical] data. At the same time the top management also are [often] the most careless users.”

A CISO who would prefer to remain anonymous shared the view that many of these issues can be prevented by security-aware employees: “If employees are educated, motivated and if there is an individual's awareness of the importance of data protection and security within the organization, then the risks will be mitigated.”

Human error will always be a factor to overcome; however, a lack of cybersecurity education is an issue with a solution. Education creates an environment in which aware employees can individually assess risk and raise security concerns. This is a factor that could play an important part in the development and implementation of new security controls within an organization.

As technical solutions to possible risks inevitably involve system upgrades, adequate training in the new technology is required, because a system is only as secure as the people who use it.

Therefore, a company can invest significant resources in its technology, but if its people’s skills are not also upgraded regularly, much of that investment’s potential could be lost.

Lack of Visibility

We spoke to Michael Michie, the CISO of M Oriental Bank Limited to get his perspective on the challenges to data security. “I think it would be lack of visibility of the data and the visibility of the value of the data. If you know what to protect you will do it well, if you don't know what you are protecting or the value [of it] then you are lining up for failure.”

Unsecured System Configuration

Kunjadic revealed that unsecured system configuration is a sizable issue, giving an insight into possible areas an attacker might exploit: “[When looking at networks], some of the common attack areas are: unsecured applications that allow RAM memory reading, communication interception, undetectable malicious code installing.

“If I were [an] attacker, I would first try to investigate assets that are visible from...outside the system. [This is referred to as the] ‘attack surface.’ Then I would try to investigate any possible ‘hole’ that [would] allow me to enter the system, and implement the code which will collect desired data. Based on that data, I would create the taxonomy of the attack.”

Lack of Investment from Leadership

Joe Sullivan, the CISO at RCB Bank, shared a thought-provoking insight. He believes negligence among partners can be a more considerable culprit for data leaks than mistakes from within infosec departments: “[There’s] not enough staff that has the time to perform threat hunting, vulnerability analysis, and reporting… [With many companies, there’s a] lack of investment in training for the infosec team[...] [a] lack of investment in tools and monitoring for proactive alerts and logging…[and a] lack of an effective incident response program… [Another issue is] aversion to patching, updating, securing, and upgrading outdated technologies due to business impact.”

Internal struggles born from departmental restrictions are a common issue for many organizations. Infosec teams are not likely to lack motivation, but their awareness of possible issues may be counteracted by business decisions that prevent those issues from being addressed. The result can be the kind of reputation-damaging, newsworthy data breach that all organizations dread.

The Solutions

As you may have concluded, the common thread raised by all of these individuals is that the biggest causes of cybersecurity issues come down to human error. This insight is critical to reducing the margin for error, because the circumstances that lead to these blunders are often avoidable.

As suggested by our expert CISO sources, education, motivating employee vigilance, visibility, and investment can all play vital roles in maintaining data security. These are practical measures that organizations can act on.