The typical image many have of a cyber attack is an individual in the dark corner of a basement furiously typing malicious code in the deep web to pull off intricate, multi-national data breaches.
In response to the fear of the deep web hacker, companies are increasingly building out cyber programs to protect themselves from their own employees, as advanced threat detection programs now hitting the market make data and activity tracking easier.
The Ponemon Institute found in its latest cost of cyber crime study that 35 percent of the companies benchmarked reported that a malicious insider was the source of a cyber crime to which they fell victim. Thirty-five percent seems pretty significant, right? Of the nine types of cyber attacks measured in the study, malicious insiders came in ninth.
Virtually all organizations had attacks relating to viruses, worms and/or trojans and malware over the four-week benchmark period. Sixty-four percent experienced web-based attacks and 62 percent experienced phishing and social engineering attacks. A simple majority of companies also experienced malicious code and botnets (both 59 percent) as well as denial of service attacks (51 percent).
Malicious insiders gain the most press attention because they make the juiciest story – but if you put all of your eggs in one basket by focusing on preventing employees from becoming hackers, other types of cyber attacks may fall through the cracks and cause even worse havoc than a malicious insider could.
For example, there was a very interesting profile in the Wall Street Journal of a man who founded a company to address the underlying equipment that supports data-center networks – such as air conditioners, thermostats, and backup generators – and that is vulnerable to a cyber attack that could take down data centers. These “industrial control systems” are updated once every decade or so and usually lack basic security features we take for granted, like password protection. You wouldn’t think that these systems are actually connected to the computer networks they’re supposed to keep on or keep cool, but they are connected. They are a prime target for cyber attack. Security consultancy WhiteScope found that there are nearly 20,000 such systems – including some inside schools, hospitals, and retailers – accessible through the Internet, no username or password required. This isn’t a doom and gloom statement – there have been real consequences. In late 2014, the U.S. Department of Homeland Security reported an ongoing malware campaign that compromised numerous industrial control systems from several manufacturers.
Another example can be found in the very applications created or revised every day in businesses around the world. Many contain vulnerabilities leaving them open to attack. The vulnerabilities aren’t intricate, though. They are just standard bugs and viruses. In fact, the first four security risks cited in the Open Web Application Security Project (OWASP) Top 10 List have remained unchanged over the last several years in which the survey was conducted.
How can this happen? Blame varies depending on whom you speak with. Some blame developers, saying they don’t have the training or incentive to write secure code. Others blame security teams for not testing applications properly. The moral of the story is that building security in takes a commitment throughout your organization, and an understanding of the reality that a simple glitch in code can cause a massive data breach.
Security must be built into your organization’s culture, and it must permeate every part of your company. You have to break through the misconceptions that cybersecurity saps productivity and costs too much. There are software tools available that will help you develop secure applications and increase productivity by as much as 15 percent, for example. Keeping cybersecurity in the forefront of your employees’ minds requires a constant re-education project and a holistic approach.
Make sure that you have all your bases covered. Visit our website to learn more about how we can encrypt your sensitive data and place it in a secure cloud with only one way in and one way out. Our vault keeps people, viruses, and malware out – and if any should enter uninvited, it acts like a prison to mitigate the fallout of a cyber attack.
Written by Rob LaMear, CEO, US Cyber Vault