Data Breaches Often Originate Behind Your Defenses

No business is immune from cybercrime and the theft of personal information and intellectual property will increase as the ability to turn raw data into money-spinning opportunities increases. The response to cybercrime is a business decision – and is all about risk management. Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls. 

In some cases, those insiders are driven by malicious intent – either to enrich themselves by selling sensitive data or to retaliate for perceived mistreatment. There are also cases where a company’s third-party contractors, vendors, or temporary workers with access credentials have been responsible for their client’s network breaches through ill intent, negligence, or accidental disclosure. 

According to a survey of Information Security Forum (ISF) members, the vast majority of those insider-originated network openings are created without any intention of harming their employer. In a number of cases vulnerabilities resulted from trusted employees in the course of their normal work routine: taking files home to work on in their own spare time, or unsuspectingly opening a phishing email or clicking on a malicious link. 

Unintentional Damage
An employee who downloads a confidential company document over the local coffee shop's Wi-Fi can expose both themselves and their employer to anyone within range who wants to eavesdrop on that connection and gain access to sensitive files. The same applies to moving data over consumer-grade FTP services, responding to authentic-looking phishing messages, careless password management, misplacing devices containing privileged information, visiting an infected website, or opening a Trojan horse attached to a seemingly normal email. 

All of that has happened – and it continues happening with such great frequency that it has largely resulted in public fatigue over data leaks. That blasé attitude is not shared by information security professionals; indifference compounds an already thorny problem – one that grows more challenging each year. Frequent, well-intended admonitions to employees urging them to take security seriously by creating strong passwords, to study policy documents and to otherwise do the right things, are too often given lip service or overly broad interpretations. 

Boilerplate email disclaimers warning recipients to immediately delete the message if he or she is not the intended recipient are routinely ignored. Lists of hard-to-remember and frequently changed passwords are typically written down and kept within easy reach of the person’s computer. The distinctions between work and personal information kept on an employee’s mobile devices are increasingly hazy, as are related employer policies. 

The Human Element
Combatting the wholesale theft of data by limiting inadvertent actions that could lead to its misappropriation should be a priority for every organization. Investment in technologies that can help to prevent intrusions and protect data from attackers – and there are many such options available – is essential. 

However, the most fundamental element of the threat is human. It starts with the proper vetting of employees to look for signs that the individual has not, in the past, been a responsible steward of information entrusted to them. Applicants whose pasts include questions over how they managed information should not be brought onboard. 

Even so, the temptation to categorize job applicants as either good or bad is naive. While people who have shown themselves to be untrustworthy in the past are certainly a gamble, even good people have the capacity to willfully misuse their data privileges. In particular, when someone feels they have been mistreated, disrespected, or abused, an otherwise trustworthy person can develop both the motivation and the ability to retaliate. Therefore, an important part of the solution is to avoid putting employees into situations that are likely to undermine their trust and engender resentment. 

The Trust Factor
In the future, I suspect that mobile devices will capture more data online than all other devices put together, and for many small businesses this is of course already the norm. Against this emerging landscape, security should aim to become a strategic and intrinsic part of the way we behave online. For security professionals, this presents challenges, and today's successful CISOs increasingly need to become 'people's people': technically competent but highly business-aware, charismatic individuals with strong people skills. 

What is needed is the cultivation of a culture of trust. Cultivating this philosophy is likely to be the single most valuable management step in safeguarding an organization’s mission-critical information assets. After new employees have been satisfactorily screened, continue the trust-building process, starting with onboarding procedures, by equipping them with the knowledge and skills required of trusted insiders. 

Expectations of trustworthy behavior – and the consequences of non-compliance – should be made explicit from the outset. Over time, trust should remain an important factor in periodic performance reviews. Mechanisms for anonymously reporting suspicious workplace behavior should be made available to all levels of staff. 

Above all, senior management must lead by example. Building a culture of trust around shared values, ethical behavior and truth begins at the top. Security awareness and the importance of cyber hygiene has to be regularly addressed in communications, trainings, and policies. Trust and ethics are increasingly important, not only to information security, but also to customer relationships, brand building, and competitiveness.
