Any organisation which has its operational technology systems connected to the internet is susceptible to a breach. Even more worrying is the fact that the threat of an internal fault - malicious or unintentional - is growing.
American multinational telecommunications conglomerate Verizon, in its 2018 Data Breach Investigation Report, pointed out that internal actors are have caused approximately 30 percent of corporate data breaches recorded in 2018. The news reports streaming in this year say the number of instances is increasing.
The fault can be anything, from serious negligence as using office network to watch porn or for pirated downloads, to simple missteps such as plugging in an unsecured USB or clicking an unverified email link. According to a Mimecast report email security, 61 percent of organisations researched were affected by malicious activity spread through email.
Business email compromise (BEC), is among the most common data breach tactics. The 2019 Payments Fraud and Control Survey by the Association of Financial Professionals said about 77 percent of companies contacted reported that they were victims of BEC schemes.
"The technical analysis (of an incident) would give you the ‘what’, not the ‘why’, and it is the ‘why’ that we need to address when it comes to insider threats," said Jenny Radcliffe, founder of the Human Factor Security, during a panel discussion at the Infosecurity Europe conference last week. "Why did they (employees) behave that way? Why were they personally vulnerable? Why was one able to coerce or bribe them?"
Technical miscommunication among the departments is another issue that worsens internal vulnerabilities, according to Robert Orr, principal CNI consultant at Context Information Security. "I think we need to patch the people, to start with," he said, speaking at another panel at last week's Infosecurity Europe.
Calling the employee disbelief in the likelihood of an internal risk as a cultural problem, Orr pointed out the fear employees have in exposing their ignorance of these risks in front of their colleagues. "A lot of people who never had exposure to cyber-security, including many engineers, don’t want to appear stupid before their colleagues. We tend not to ask dumb questions," he said.
Being comfortable in asking dumb questions to your engineering, security and IT people goes a long way in addressing internal human vulnerabilities, he said.
Things become complicated when malicious intent enters the scene. British networking company Deep-Secure found that it takes £1,000 to tempt an average employee to leak company data. The report, aptly titled The Price of Loyalty, said half of office employees in the UK it studied were willing to sell corporate information to a third party.
Owl Cyber Defense's product management director Scott Coleman, speaking at the conference, advocated a zero trust approach. However, he added that "trust but verify" is hard to practice. "The problem is when you take your eyes off it, you no longer have the trust factor."
The solution lies in building and maintaining quality interpersonal relationships, said Radcliffe. The company has to know and understand the people who work for them from a human perspective -- their wishes and their weaknesses -- and that is a complicated process, she said.