In 2014 alone, IDC research estimates that enterprises will suffer £188 billion losses caused by cybercriminal activity from around the globe. IT security professionals working in organisations the world over are now facing the daily reality that a war is raging in cyber space and they are the targets.
With all the media attention focussed on threats from external forces, it’s easy to forget about the dangers posed by your own employees. Last year, cyber security firm Clearswift released their Enemy Within survey, in which they unearthed the surprising statistic that 58 per cent of security threats emanate from within the organisation. These internal threats were attributed to three categories: current employees, ex-employees and trusted partners.
Do not misunderstand me: not all employees are sinister criminals! Doris the tea lady isn’t masterminding a covert cyber-attack in league with the Legion of Doom (though I wouldn’t put it past her). For the most part, security threats originate from employees who harbour no ill intent towards the company, but that doesn’t make the threat any less real.
Let’s take a closer look at some of those threats and how to mitigate the risk.
3. BYOD (bring your own device)
This phenomenon spreading through enterprises is the ever-growing nightmare of every IT security professional. Integration of mobile devices into everyday life has blurred the lines between work and play. Employees are now unwittingly putting company information at risk without even realising. The following figures from Norton’s Cybercrime Study are enough to chill the blood of even the most courageous IT Security experts.
- 49 per cent of respondents access or send personal emails through their work device
- 27 per cent of employees store personal information on their work device
- 30 per cent of parents let their kids download, shop and play on their work device.
Minimise the threat by:
- Creating strict policies for BYOD
- Securing company data with mobile application management
- Educating employees on the dangers of misusing devices
- Putting a virtual desktop on company phones (check out Desktone by VMware)
2. Programming errors
Bugs, defects and flaws coded into the logic of a program are a common cause of software vulnerabilities. Cybercriminals root out these security weaknesses and exploit them to extract data, corrupt programs and even hijack your computer systems and networks. Employing a software developer or programmer who is unwise in the ways of secure programming could expose your organisation to significant risk.
Not to mention the added burden of fixing security weaknesses coded into existing programs. Patching a bug post-release costs, on average, sixty times more than fixing that very same weakness during the design phase.
Minimise the threat by:
- Ruthless efficiency in the design phase to identify and fix any bugs
- Sending your software developer or programmer on a training course. The EC-Council Certified Secure Programmer course (ECSP) was specifically designed to address this kind of issue.
- Auditing all your existing programs for security vulnerabilities
1. Pirated software
There is an undeniable link between pirated software and cyber security breaches. Since its inception, the internet has facilitated a culture where illegally downloading software has become common practice. Cybercriminals use pirated software as a means through which to infect a user’s computer with malware and subsequently steal data.
A visit to the Play It Safe website created by Microsoft’s Digital Crimes Unit will tell you that 27 per cent of employees admit installing their own software on work PCs. This resulted in nearly 20 per cent of pirated software across all enterprises and was attributed as the root cause of several major data breaches.
Minimise the threat by:
- Creating strict security policies for the download of software
- Ensuring regular security audits of end user PCs
- Educating employees on the dangers of pirated software
In the on-going fight against cybercrime, education will play a central role; after all, you’re only as strong as your weakest link. You can have the most sophisticated security systems on the market, yet all it takes is a single employee with a “qwerty” password to unwittingly open the door to cybercriminals.
It’s vital to educate your employees in the field of security, whether it’s through in-house training or a third-party organisation. It’s worth taking the time to check out the Security Quality Assurance Program from EC-Council.
Their initiative tests your programmers and employees to gauge their base knowledge in the field of security. Employees who pass the exam attain a certification, whilst those who fail can be considered for additional training to boost their security proficiency.
Edward Jones works for Firebrand