The accidental cyber threat

July 10, 2017

Some recent headlines: ‘An organisation accidentally sends thousands of confidential banking records to customers’, ‘A laptop, containing confidential patient records, has been stolen from the hospital’, ‘Personal details of 550,000 blood donors leaked’. 


These headlines all point to one common problem: the accidental data breach. The Breach Level Index (BLI) report found that approximately 20 percent of all data breaches happen accidentally. In the first news report an employee gathered the necessary payment information and "simply" sent it to the wrong customers. In the second, the employee left his laptop on a table secured only with a security cable; a thief cut the cable and stole the laptop. The employee had even left the password written on a note near the laptop. In the last article, a file containing details of all these donors had been left on a development website, where an unauthorised person accessed it.

Big Sky conducted a survey identifying the most common causes of accidental insider threats. Two causes stood out: phishing attacks and copying data to insecure devices. A phishing attack is a social engineering technique in which the attacker poses as a trustworthy entity in order to obtain sensitive information.

There are a couple of ways to address accidental data breaches.

One way is to establish basic safeguards. Weak password management is a vulnerability that can easily be mitigated: requiring strong passwords and using a form of two-step verification reduces it. Email traffic, web usage, network traffic and behaviour-based pattern recognition can be monitored to help detect which people, devices or activities pose a risk and which can be trusted. This reduces the effectiveness of (digital) social engineering techniques in which employees are manipulated into exposing their own or the company's confidential data. Many IT solutions can support or monitor these safeguards, such as a log correlation system, a security information and event management (SIEM) system, and the integration of physical security and network security data.
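As an added illustration of the log-correlation idea in the paragraph above (this is example code written for this page, not code from the original post or from any product it mentions), the following Python script runs two simple rules over a constructed mix of email-gateway and endpoint log lines. The first rule catches the "wrong customers" scenario from the headlines: one user sending the same attachment with a large number of records to several external recipients in a row. The second catches the "insecure devices" cause from the survey: a file labelled confidential being copied to removable media. The log format, the internal mail domain and the thresholds are all assumptions made up for the example.

```python
"""Toy log-correlation rules for accidental-leak scenarios.

All sample events below are constructed for illustration; the
'source|timestamp|user|action|k=v;k=v' format is invented, not a
real product's log format.
"""
from collections import defaultdict

INTERNAL_DOMAIN = "example-bank.internal"  # assumed internal mail domain (constructed)

# Constructed sample log lines: three near-identical bulk sends to external
# customers, one harmless internal mail, one confidential file copied to a
# USB stick and one public file copied to the same stick.
SAMPLE_LOG = """\
email|2017-07-10T09:01:00|jdoe|send|to=alice@customer-a.example;attachment=statements_batch.csv;records=3400
email|2017-07-10T09:01:05|jdoe|send|to=bob@customer-b.example;attachment=statements_batch.csv;records=3400
email|2017-07-10T09:01:09|jdoe|send|to=carol@customer-c.example;attachment=statements_batch.csv;records=3400
email|2017-07-10T09:30:00|mlee|send|to=team@example-bank.internal;attachment=agenda.docx;records=0
endpoint|2017-07-10T10:15:00|rkhan|file_copy|path=\\\\share\\patients\\export.xlsx;dest=removable:E:;label=confidential
endpoint|2017-07-10T10:20:00|rkhan|file_copy|path=C:\\Users\\rkhan\\notes.txt;dest=removable:E:;label=public
"""


def parse_event(line):
    """Split one log line into a dict of its fixed columns plus the k=v detail fields."""
    source, ts, user, action, detail = line.strip().split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return {"source": source, "ts": ts, "user": user, "action": action, **fields}


def is_external(address):
    """True when the recipient is not on the assumed internal mail domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def correlate(lines, min_recipients=3, min_records=100):
    """Apply both rules and return a list of alert dicts.

    bulk_external_send: one user sent an attachment carrying at least
        `min_records` records to at least `min_recipients` distinct
        external addresses (the mis-addressed mass mailing case).
    confidential_to_removable: a file labelled confidential was copied
        to removable media (the insecure-device case).
    """
    alerts = []
    # (user, attachment) -> set of distinct external recipients
    bulk_sends = defaultdict(set)

    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)

        if ev["source"] == "email" and ev["action"] == "send":
            records = int(ev.get("records", "0"))
            if records >= min_records and is_external(ev["to"]):
                bulk_sends[(ev["user"], ev["attachment"])].add(ev["to"])

        elif ev["source"] == "endpoint" and ev["action"] == "file_copy":
            if ev.get("label") == "confidential" and ev["dest"].startswith("removable:"):
                alerts.append({
                    "rule": "confidential_to_removable",
                    "user": ev["user"],
                    "ts": ev["ts"],
                    "path": ev["path"],
                })

    # Bulk-send alerts are emitted once per (user, attachment) after all
    # lines are seen, so a single mass mailing produces a single alert.
    for (user, attachment), recipients in bulk_sends.items():
        if len(recipients) >= min_recipients:
            alerts.append({
                "rule": "bulk_external_send",
                "user": user,
                "attachment": attachment,
                "recipients": sorted(recipients),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed sample, the script raises exactly two alerts: one for rkhan's confidential file copied to the USB stick (the public file on the same stick is ignored) and one for jdoe's three external sends of the same 3,400-record attachment; the internal agenda mail matches neither rule. In a real deployment the same two rules would be expressed in the SIEM's own rule language and tuned with thresholds that fit the organisation's normal mail volume.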

Another way is to train employees continuously in order to reduce errors. Firstly, all employees should be trained in basic information security practices during onboarding. Secondly, this training should continue throughout employment. One way to maintain basic safeguard knowledge is through periodic refreshers. This could take the form of a test the employee has to pass, but there are many more creative ways to train employees. To teach employees about the risks of phishing, the organisation could circulate random fake phishing emails and follow up with the employees who click on the links. In this way the organisation can target its training efforts while also measuring continuous improvement. In addition to continued training, employees could be rewarded for good behaviour. For example, the employee who first discovers and notifies IT about a sophisticated phishing mail could receive a small reward such as a free lunch.

None of these measures will eliminate all of the risk. But teaching and training employees about cybersecurity, rewarding their good behaviour, using software to enforce authorisation rules and using software to monitor their online behaviour could be the difference between exposing confidential information and protecting it.

Sources:

Martien Brouwer
Martien Brouwer is an experienced IT business consultant, holding a major in Business IT & Management. He operates a company specialised in SME IT solutions and has extensive experience understanding business needs with regards to cyber security. Martien is committed to building awareness of the implications of cyber crime.

2 Comments

  1. Alan Douglas

    July 22, 2017 at 3:32 pm

    Most employees I have come across, whilst being aware of the hazards, are still lax in their use of the equipment. It nearly always comes down to human error and that human is mostly the operator. People under about thirty seem to be oblivious about the amount of information which can be guessed/implied from computer usage, as can be readily seen from reading Facebook pages. I have often been in areas where the wearing of ID tags is compulsory, but the tags are often not readily readable. One staff member I came across had replaced his photo with that of a gorilla and this was not detected for some days. It appears that some people are more security conscious than others, so maybe we should take this into account when placing staff in such areas.

    • admin

      July 27, 2017 at 11:06 am

      Hi Alan, thanks for your comment. Targeted education programs could alleviate this problem somewhat, however I agree that many people are aware of the dangers and continue regardless. Perhaps a shift in the message is needed or a cultural change – as with all disruption, we had better catch up quickly…
