The latest insights from your peers on the latest in Enterprise IT, straight to your inbox.
While disclosing a massive data breach, Uber’s CEO Dara Khosrowshahi said, “None of this should have happened, and I will not make excuses for it.”
It is difficult to make excuses when the problem starts from within. In Uber’s case, two security officials in the company were held responsible for hackers gaining access personal data of 57 million Uber accounts of customers and drivers. This breach also cost the ride-hailing company USD 148 million in costs to settle legal action over the cyber-attack.
A McKinsey study of publicly reported breaches between 2012 and 2017 found that half of them had an insider involved in some respect. Apart from the rare instances of malicious intent, just the prevalence of employee errors and accidental disclosures have become an unpredictable risk over the past few years. The liability is not just limited to money for most companies as data theft implicates the company in many other ways, revealing security gaps and managerial negligence which further tarnishes their reputation affecting business revenue and share prices, and can even mandate major changes in the company management.
It is no wonder then that when asked how important the human factor is in cybersecurity the CIO of the City of Palo Alto, Jonathan Reichental, said, “My information security manager reminds me often that humans are the weakest link in the information supply chain.” Echoing this idea, the co-founder and CTO of Quick Heal Technologies, Sanjay Katkar says, “Negligent employees, accidental mistakes and malicious insiders can all be detrimental to the effectiveness of cybersecurity investments. Also inability of IT Security team to manage digital risk can significantly impact.”
These looming concerns have compounded the responsibilities on the IT leadership, compelling them to pro-actively ensure information security. This although has yet to be implemented across organizations. Experian says that only 49% of businesses carry out security audit questions, 36% of them regularly conduct penetration server testing and only 33% carry out site visits.
A positive step toward safeguarding customer and employee data is the establishment of the General Data Protection Regulation (GDPR) in May 2018, which mandates limiting access to data to only those employees who genuinely need it to perform their jobs effectively. Organizations implementing GDPR are already showing a decrease of 4% and 5% in insider threat in the UK and Germany, respectively, as per Clearswift’s Insider Threat Index 2018 research.
Along with GDPR, securing personal data necessitates that IT teams also ensure that employees are aware about the threat of social engineering techniques such as spear phishing, friendly hacking, and sharing information, that can pose grave risks. Until now, only 20% of organizations in the UK actively conduct internal and external cybersecurity training sessions for the staff, says a Cyber Security Breaches Survey 2018 by UK’s Department of Digital, Culture, Media and Sport.
Apart from the corporate cultural changes, cyber teams can use technology to identify high risk users and predict likely threats. Addressing the insider threat before they occur is the only way to ensure that humans become a strong pillar to cybersecurity rather than a vulnerability.