Insider Threat of Cyber Security

Insider Threat

An enormous amount of money is spent annually by companies to protect their IT Systems from Cyber Security threats. We rely on and trust those systems too much to protect us. There is one significant threat that is often overlooked and rarely suspected: ourselves.

Better Cyber Security Through User Training

Things never go wrong at the moment you expect them to. When you're completely relaxed, oblivious to any potential dangers, that's when bad things happen.

- C.K. Kelly Martin

The Full Scoop

A 17-year-old was arrested this past week for his potential involvement in a hack of Twitter accounts for some of the world's most high-profile personalities. It is incredible to think that a teen could orchestrate such a sophisticated attack on a major technology company. It is also very sad: he was likely quite talented, if only that energy had been directed differently.

The attack, according to Twitter, targeted employees through the use of phone spear-phishing. Spear-phishing is where a bad actor specifically targets an individual or company and, through means such as well-written and believable emails or social engineering over the phone, tricks someone into doing what they want. It relies on and takes advantage of our natural desire as human beings to be helpful, and our resolve to complete a request or address a concern of an executive, fellow employee or client.

Too often we become comfortable in our daily habits. Emails come in, we read them, click links, open attachments - but only of course from sources we know, right? We're so focused on doing our day-to-day jobs, answering calls, helping clients, responding to a request from our boss - that we forget there are some out there who are looking to take advantage of our efficiency and sincere desire to help.

IT Systems are becoming more secure, and vendors are spending more and more time on hardening their platforms. It is estimated that Microsoft spends one billion dollars annually on Cyber Security. All of this Cyber Security, though, can quickly become useless against an employee on the inside of your organization who, though well-meaning, has access to critical systems and data and is beguiled into giving away information or completing the request of a malicious actor.

As humans we fall into the trap of assuming the past will predict the future. We often suffer from the "it won't happen to me" syndrome, referred to as Optimism Bias. We assume our employees know what to look out for, or that our organizations aren't really at risk of being hacked. I was speaking to the CEO of a mid-sized organization some years ago, who genuinely believed they were not a threat to attacks, often stating "who would bother to attack us". Our own theories and experiences can hinder our progress.

IT Cyber Security Training is important and a great reminder of the basics of how to protect your critical data. A large percentage of data breaches begin with Spear Phishing attacks. There are tools you can use as an organization to test your employees. Running your own Phishing tests on your end users will help you know who is really watching and being careful about what they click on and reply to throughout the week.

IT Training will remind your employees to be careful what email attachments they open, to be more cautious when clicking on links, and, if they are not sure, to manually navigate to websites instead, to make sure they're going to the right place. Do not give out passwords and avoid using shared accounts. When an employee leaves, be sure to review their system access and consider changing passwords or terminating accounts. When it comes to financials, and especially wire transfers and vendor payments, establish "four eyes" controls that rely on two sets of eyes to complete a transaction. Be suspicious of urgent requests for system access or wire transfers where your colleague or boss says they are not available for a discussion on the matter.

Reviewing good principles of IT Security and Support with your broader user base will protect you from potentially damaging situations and experiences. Remember that most breaches do not come from the outside; they come from within. Rely on training and a culture of strong Cyber Security to protect your organization, in addition to the modern recommendations and controls being implemented by your IT Provider. Good internal security will lead to excellent corporate security. Build security and awareness into the culture of your company; you will be glad you did.
