We all are living in an era of cyber revolution. Technology is growing at a fast pace day by day. A new technology developed today will be an outdated one tomorrow. With the growth of new technology security threats are also increasing in an unimaginable way. The major cyber-attacks reported recently gave a clear early warning indicator to all of us to be aware of the impact of a cyber-attack and to be resilient to face any cyber-attacks.
We regularly monitor, manage and keep updated with the changes in the global capital and credit markets. We spend enough time closely watching the development of our competitors to get ahead of them in the market. But still we are not paying attention to the risks involved in our enterprise cybersecurity. A cybersecurity breach will result in loss of sensitive data or information that will finally losing your company reputation, losing your clients and losing a great deal of money. Like any other corporate risks, cyber risk should be dealt with as a high priority and should be managed from the top. Since the frequency of high profile cybersecurity breaches are increasing, it is critical that CEOs and boards understand, focus and proactively manage cyber risks.
Let's consider some examples of recent cyber incidents
OPM data breach: The U.S. Office of Personnel Management (OPM) serves as the human resource department for the federal government. The agency issues security clearances and compiles records of all federal government employees. In June 2015, the OPM announced that it had been a target of data breach compromising the records of more than four million people. The breach had been detected by the agency on April 2015. The OPM breach has been described by federal officials as the largest breach of government data in the history of United States. Main target of this breach is the PII (Personally Identifiable Information) such as Social Security numbers, names, addresses, date and place of birth.
Anthem medical data breach: Anthem Inc., the second largest for-profit managed healthcare company in US, disclosed in February 2015 that they had a data breach and the cyber criminals potentially stole over 37.5 million records that contained PII from their servers.
Sony Pictures data breach: Sony Pictures suffered a massive data breach in November 2014. The breach involved personal information about Sony Picture employees and their families, sensitive information of people in film industry, copies of unreleased Sony films and other information. The hackers claimed to have taken over 100 TB of data from Sony Pictures.
These incidents clearly show the consequences of a cyber-breach which includes huge financial impact due to loss of sales and customers, financing or lawsuits. This also results in long term reduction of competitive position due to loss of business plans, loss of reputation and trust.
Are all these breaches caused by external attacks by cyber criminals? The answer is an absolute NO. It's usual that we think of a cybersecurity threat as a hacker or adversary attempting to penetrate to your systems from external network. There is no doubt that there is a high magnitude of external attacks. At the same time we should give priority to internal cybersecurity threats.
Considering many data breach instances, we know that the leakage of data also happens from inside the company network. The best example is an employee who unknowingly uses a USB storage stick that has malware on it. When the person plugs in the device to a computer connected to the enterprise network, the malware is transferred, gathering data silently and sending it outside the corporate network. Many employees who telecommute will not have secure home networks. This increases the possibility of malware being transferred from their home network to the corporate network through laptop, smartphone or any other devices. Another example could be an employee losing his/her laptop or smartphones. Many of these devices does not have full-disk encryption enabled or remote wipe configured. The risk of losing sensitive data is high in this case.
Organizations have now started implementing a BYOD policy because of its advantages, which include cost savings for the company, increase in productivity and employee satisfaction. A weak BYOD strategy will result in big security issues and vulnerabilities. For example, there is a high possibility of merging work data with the personal data in the device, which can cause leakage of sensitive corporate data with or without the knowledge of the employee. Another security issue occurs when friends or family members of the employee use the device, and their activities in the device result in data leakage. Also, the security threat is high if the employee sells his device without proper wiping, loses his device or if he resign from the organization.
Many corporates are now using cloud storage services such as OneDrive, Dropbox etc. to share and store sensitive data. Recently these services had increased their security by implementing two factor authentication. But this two factor authentication is helpful only if the person access these services through the web interface to upload the files. But most users are using the apps or software version provided by these services for convenience in uploading files. Instead of uploading the files via the web interface, users can simply drag and drop the files to a particular folder in their laptop which syncs automatically with the online service and uploads a copy of the files to the cloud. If the device was stolen by criminals, they can get access to these files easily. If the employee is using weak passwords or the settings are not configured properly, corporate data will be at risk with these type of services.
Another potential risk which affects internal cybersecurity are disgruntled employees. They can copy sensitive data to a USB stick or their smartphones and simply walk out of the office with it. Also, if an employee who has access to a corporate network from his laptop or any other portable device, they can setup his own portable Wi-Fi hotspot. If it is configured with weak password or no password, this will result in serious security issues.
According to security experts, there is a swift increment of extremely sophisticated socially-engineered attacks in which cyber criminals gain access by using other intelligent methods. For example, there are several cases reported in which hackers made calls to IT help desks and impersonated employees. It is not difficult to gain enough knowledge about a person via social media and the resources available on the internet and convince the IT department to reset password over phone. Also, it has been reported that hackers are penetrating corporate networks using Attack as a Service (AaaS) model.
There is no doubt that the external cybersecurity threats have a high adverse impact. But we must pay serious attention to the internal threats also. Giving good security awareness to employees, implementing strong technologies, policies and procedures will help to reduce the risk of internal cybersecurity threats in an organisation.