Earlier this year, the Information Commissioner’s Office (ICO) announced that it intended to hand out its biggest ever fine (£183m) to British Airways for a data breach. The hot topic of cyber security was thrust back under the spotlight by this news. Though this breach was apparently the result of a ‘sophisticated, malicious criminal attack’, the truth is that it’s easier to steal information from a company than many might think, writes Mark Rodbert, CEO of the analytics and software company idax Software.
One of the biggest weaknesses in a company’s security lies in its staff. A business can have the most sophisticated and intelligent tools and processes in place, but without a good security culture those controls will simply be worked around. Employees must understand the impact and importance of security breaches and what they can do to avoid them. Otherwise, what is to stop a determined threat actor from simply tricking an employee into giving away sensitive information?
Data theft isn’t always carried out by a stereotypical hacker, sitting in a dark room, typing away at a laptop and using code to weave through various security systems. It’s not all Anonymous, Fancy Bear and Lizard Squad. There are two key ingredients that provide the perfect conditions for threat actors to operate in: an employee’s access to data that they shouldn’t have, and a lack of knowledge, or vigilance, when it comes to protecting information.
How often do we hear someone willingly admit that they are ‘terrible’ when it comes to creating passwords? Far too many people use the same combination of words or numbers for everything, or follow a predictable formula each time they are made to change it. It’s dangerously common.
Now imagine a social setting – you’re at dinner, or having drinks with a group of people. The same conversation about passwords comes up, one person admits that they always use their next holiday destination. Everyone laughs, the conversation moves on and that throwaway comment is forgotten about … by most.
However, a little later, an unknown threat actor starts chatting to that same person. They start talking about holidays, and he mentions that he’s jetting off to Barcelona in a few months. In that instant, this threat actor – who for all intents and purposes is nothing more than a friendly acquaintance – has a very good guess at the password, and wherever that password is the only thing standing between an attacker and a system (no second factor, an account name that is easy to work out), they have access to everything the soon-to-be holidaymaker can reach. A very straightforward example, but the principle stands.
Another hard truth for businesses is that not only do employees get tricked into handing out passwords, but they’re also frequently blackmailed or bribed. In fact, 25 per cent of people admit that they would be willing to sell company data for less than $8,000. And it is only made worse by poor (or sometimes even non-existent) access management. Even if an organisation has countless security systems in place designed to stop external threats, there are still employees within these companies who have access to information that they shouldn’t. According to the Ponemon Institute, 71 per cent of people say that they have access to important information that they shouldn’t, and what’s worse is that companies are rarely aware when this is happening. Because the problem goes unnoticed, employees don’t receive the right training, nor is the right culture put in place to protect the organisation from insider threat. Whether an insider maliciously intends to take information, or unknowingly gives it away, this oversight can cause huge trouble for businesses.
Changing company culture
It’s surprising that so many organisations can be so careless when it comes to cyber security, especially considering how heavily we rely on digital devices to store both company and personal data. Protecting a company from outsiders is all well and good, but the need to fight against internal risks is just as important. After all, these are the biggest threats to a company’s information. A business needs to have the right culture in place. Employees must not only be aware of what they can do to protect company data, but they must also buy into the ethos of wanting to protect it. Companies can achieve this by implementing a few simple but effective steps.
Employee training. It’s common in some industries, such as financial services and security itself, for new starters to go through rigorous security training as part of their induction. But surely this is relevant and necessary for every organisation? Simply focusing on the two or three big problems the company typically faces – password reuse, being talked into handing over credentials, sharing information too freely – can go a long way.
Access rights. In the wrong hands, sensitive information can become dangerous for a business. Regularly reviewing who holds access to what, removing anything a role does not need, and re-checking rights whenever someone changes role or leaves, is a simple way of stopping this possibility from coming to fruition.
A strong leadership drive. As with most internal business practices, change should come from the top. If the leadership team is strong on security, this will inevitably trickle down to the rest of the staff. Implemented alongside clear security policies and security-based incentive schemes, a company’s staff can quickly understand the importance of security, and buy into the philosophy.
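The access-rights step above is the one that most readily turns into a repeatable check. What follows is an added example of a minimal user-access review, written for this page; it is not idax Software’s product nor code from the article. It assumes you can export, per employee, their role and the entitlements they hold (the records, role names and entitlement names below are constructed), and it combines two signals: a role-to-expected-entitlement baseline, and peer-group analysis that flags an entitlement held by few others in the same role, which is how a right kept after a move between teams shows up even when nobody has written it into a baseline.

```python
"""Added example (not idax's software or the article's own code): a minimal
user-access review that flags entitlements an employee holds beyond what
their role normally needs, using two signals:
  1. an explicit role -> expected-entitlement baseline, and
  2. peer-group analysis: an entitlement held by few others in the same
     role is an outlier worth a manager's review.
All records, roles and entitlement names below are constructed."""
from collections import Counter, defaultdict

# Constructed sample export: (user, role, set of entitlements currently held)
ACCESS_RECORDS = [
    ("alice", "accounts-payable", {"erp.invoices.read", "erp.invoices.approve", "email"}),
    ("bob",   "accounts-payable", {"erp.invoices.read", "erp.invoices.approve", "email",
                                   "hr.salaries.read"}),                      # excess
    ("carol", "accounts-payable", {"erp.invoices.read", "email"}),
    ("dave",  "accounts-payable", {"erp.invoices.read", "email", "hr.salaries.read"}),  # excess
    ("erin",  "marketing",        {"crm.contacts.read", "email"}),
    ("frank", "marketing",        {"crm.contacts.read", "email",
                                   "erp.invoices.approve"}),  # moved team, kept old right
    ("grace", "marketing",        {"crm.contacts.read", "email"}),
]

# Assumed baseline of what each role is expected to hold (an input the
# business has to maintain; it is only as good as the role model behind it)
ROLE_BASELINE = {
    "accounts-payable": {"erp.invoices.read", "erp.invoices.approve", "email"},
    "marketing":        {"crm.contacts.read", "email"},
}


def excess_over_baseline(records, baseline):
    """Entitlements a user holds that are not in their role's baseline.
    Missing rights are not flagged: they are a productivity issue, not a risk."""
    findings = {}
    for user, role, ents in records:
        extra = ents - baseline.get(role, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def peer_group_outliers(records, threshold=0.5):
    """Entitlements held by fewer than `threshold` of the user's peers
    (everyone with the same role, the user included)."""
    by_role = defaultdict(list)
    for user, role, ents in records:
        by_role[role].append((user, ents))
    findings = {}
    for members in by_role.values():
        counts = Counter(e for _, ents in members for e in ents)
        n = len(members)
        for user, ents in members:
            rare = sorted(e for e in ents if counts[e] / n < threshold)
            if rare:
                findings[user] = rare
    return findings


def access_review(records, baseline, threshold=0.5):
    """Merge both signals into one list for reviewers:
    (user, entitlement, [reasons]) in the order users appear in the export."""
    base = excess_over_baseline(records, baseline)
    peers = peer_group_outliers(records, threshold)
    review = []
    for user, _, _ in records:
        flagged = set(base.get(user, [])) | set(peers.get(user, []))
        for ent in sorted(flagged):
            reasons = []
            if ent in base.get(user, []):
                reasons.append("not in role baseline")
            if ent in peers.get(user, []):
                reasons.append("rare among peers")
            review.append((user, ent, reasons))
    return review


if __name__ == "__main__":
    for user, ent, reasons in access_review(ACCESS_RECORDS, ROLE_BASELINE):
        print(f"{user:6} {ent:24} {', '.join(reasons)}")
```

Run on the constructed data, the baseline catches bob and dave holding `hr.salaries.read`, while peer analysis does not (half of the accounts-payable team holds it, so it is not rare there); frank’s leftover `erp.invoices.approve` is caught by both. The two signals are deliberately independent: the baseline only finds what someone has already written down as wrong, and peer analysis finds drift nobody has documented, which is the more common case in the organisations the article describes.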
The biggest risk to a company’s security is its own staff – which makes this the biggest opportunity for malicious actors. Too much focus can often be placed on stopping outside threats, while companies ignore internal problems. Reform from the inside can go a long way in preventing data threats. Once staff understand the importance of keeping company information safe, and act vigilantly to protect it, companies can quickly cut the risk of information being stolen.