Nearly one-third (32 percent) of businesses have been victims of a major cyber attack over the past year, according to a current survey jointly published by Harvey Nash/KPMG. Each year, the corporate world loses $388 billion dealing with, and recovering from, breaches in cyber security; the amount spent on remediating computer viruses alone has reached about $55 billion per year, according to PCMag and the WebPageFX blog. While cyber criminals generate considerable attention and news, cyber security experts like Spohn Security Solutions indicate that much of the threat comes from within an organization.
The Harvey Nash/KPMG survey of 4,500 CIOs and technology leaders from around the world found that the insider threat is the fastest-growing security risk of all. Fifty-five percent of businesses surveyed reported a security breach due to a malicious or negligent employee, though 60 percent believe their employees are not knowledgeable about, or have no knowledge of, the company’s security risks. Alarmingly, 50 percent of the individuals causing a breach were granted insider IT system access by their organization.
OneLogin, a startup in California that helps enterprise companies secure cloud applications, recently failed to protect its own data against a breach, compromising 2,000-plus clients. The error, which was detected May 31, was inadvertent, but it is causing the company to focus its efforts on restoring customers’ trust. Clients include Pinterest, Airbnb, Yelp and Pandora.
“Employees and contractors pose a great security risk to businesses as they have been provided with access to a company’s network infrastructure,” points out Timothy Crosby, senior security consultant for Spohn Security Solutions. “While some employees may act maliciously against their organization, many cyber security breaches are due to negligence or inadvertent error.”
Businesses that fail to communicate potential risks and how to defend against them are likely to experience non-malicious threats to security due to human error. In fact, 95 percent of cyber security breaches are due to accidental human error. Such security breaches may include accidentally posting sensitive information on the company’s public-facing website, emailing restricted information to the wrong party or improperly disposing of confidential records.
To safeguard a network, security experts believe it is imperative to identify potential vulnerabilities through an information security risk assessment. A business must be aware of the intricacies of its own network in order to guard against cyber breaches. Company leaders should know what data must be protected, where this data resides on the network and who has access to it. Once vital and sensitive data is identified, access should be restricted and backups created.
Once weaknesses have been identified through an IT risk assessment, an organization should tightly control employee access to network infrastructure and restricted data. “Human resources and the IT department need to work together to coordinate access to sensitive systems and information,” said Crosby. “Until an employee is familiar with security protocols and the proper way to handle sensitive data, they should not be granted full access.”
Crosby additionally recommends using a professional third-party security service to vet new technical employees and contractors before they are given clearance to work within a business’s infrastructure. In addition, it is important to promptly disable access to the system when an employee leaves the company.