Earlier this year, the Information Commissioner’s Office (ICO) announced that it intended to hand out its biggest ever fine (£183m) to British Airways for a data breach. The hot topic of cybersecurity was thrust back under the spotlight by this news. Though this breach was apparently the result of a ‘sophisticated, malicious criminal attack’, the truth is that it’s easier to steal information from a company than many might think.
One of the biggest weaknesses of a company’s security lies in its staff. A business can have all the most sophisticated and intelligent tools and processes in place, but if it doesn’t have a good security culture, it is doomed. Employees must understand the impact and importance of security breaches and what they can do to avoid them. Otherwise, what is to stop a determined threat actor from simply tricking an employee into giving away sensitive information?
Data theft isn’t always carried out by a stereotypical hacker, sat in a dark room, typing away at a laptop using code to weave through various security systems. It’s not all Anonymous, Fancy Bear and Lizard Squad. There are two key ingredients that provide the perfect conditions for threat actors to operate in: an employee’s access to data that they shouldn’t have, and a lack of knowledge, or vigilance, when it comes to protecting information.
How often do we hear someone willingly admit that they are ‘terrible’ when it comes to creating passwords? Far too many people use the same combination of words or numbers for everything, or have a specific formula for their next password. It’s dangerously common.
Vulnerability Through Complacency
Now imagine a social setting – you’re at dinner, or having drinks with a group of people. The same conversation about passwords comes up, and one person admits that they always use their next holiday destination. Everyone laughs, the conversation moves on and that throwaway comment is forgotten about… by most.
However, a little later, an unknown threat actor starts chatting to that same person. They start talking about holidays; he’s jetting off to Barcelona in a few months. And in that instant, this threat actor – who for all intents and purposes is nothing more than a friendly acquaintance – has the power to access all the data and systems that the soon-to-be holidaymaker can. A very straightforward example, but the principle stands.
Another hard truth for businesses is that not only do employees get tricked into handing out passwords, but they’re also frequently blackmailed or bribed. In fact, 25% of people admit that they would be willing to sell company data for less than $8,000. And it is only made worse by poor (or sometimes even non-existent) access management systems. Even if an organisation has countless security systems in place designed to stop external threats, there are still employees within these companies who have access to information that they shouldn’t. According to the Ponemon Institute, 71% of people say that they have access to important information that they shouldn’t, and what’s worse is that companies are rarely aware when this is happening. As a result, employees don’t receive the correct training, nor is the right culture in place to help protect the organisation from insider threat. Whether an insider maliciously intends to take information or unknowingly gives it away, this oversight can cause huge trouble for businesses.
Removing the Risk
Idax has created a solution for companies that are worried about important data falling into the wrong hands. Our solution analyses which employees have access to what, and highlights those who have unusual rights compared to their peers. These are the employees that can be the greatest threat to a company – whether they’re acting maliciously or not. If an employee isn’t clued in on how to protect their organisation’s data, there is little to stop a threat actor from stealing company information.
Idax allows managers to take charge of access rights, a job otherwise viewed as dull and thankless, with ease and accuracy, potentially avoiding the risk of cyber breaches.
Mark Rodbert, CEO, idax Software