Cyber Loss: Not Just a Hacker Thing
Written by David Holcomb, PhD
When you are trying to secure your environment, you need to understand how cyber events occur. Cyber events can take the form of inadvertent exposures, malicious attacks, and system glitches. These cyber events can originate from internal actors and external actors.
Let’s explore these cyber event sources and discuss some opportunities to secure against each.
An inadvertent exposure occurs when the actor did not have malicious intent but inadvertently exposed data or access. This situation is happening more often when we consider pictures being taken in the workplace, the volumes of emails sent containing sensitive information, and the mobile nature of employees. Several measures can help, such as security awareness training, endpoint data loss prevention (DLP) tools, and safeguard messages for email users attaching files. Remember: a good approach for your internal team is train, test, and monitor. When possible, put restrictions and verifications on files moving outside your organization.
No company operates completely self-contained. We all need services such as office supplies, cell phones, websites, etc. The more complex your organization, the more vendors you have. These vendors often have your customer list, price lists, and even your banking information. If your internal employees can inadvertently expose data, certainly a vendor can. Supply chain risk for data exposure is an important consideration when you write your next vendor contract. Use that contract to set guidelines for, and allow inspection of, their process. Also consider putting risk transference language into those contracts in the event of an exposure.
The horror stories of the database administrator who dupes the scans and exposes data for hire are unfortunately rampant, although this is not the only instance of internal actors with malicious intent that companies face. Intellectual property (IP) theft perpetrated by employees taking diagrams, files, and other corporate IP to their home and sharing it has become increasingly devastating to companies. Another example comes from employees printing or emailing customer lists, including contact information and purchase data, to competitors. Disgruntled employees have contributed to a rise in losses.
I know what you are thinking: “There’s the hacker.” You would be correct! You should know, however, that former employees are the major external culprit that leads to a cyber loss. Ex-employees know your processes and where the gold is located. Their login IDs may still be active, or the word may not have gotten around that they are “ex-employees,” and they can easily acquire information.
Certainly, the unknown hackers are a problem. Nation-state hacking has been a rising concern in recent years. You must secure your perimeter, ensure employees know how to deal with social engineering, remove access for former employees and consultants, and constantly monitor the traffic. The key point about external actors is that they are looking for keys: the unknown hacker has little idea where they are, but the ex-employee knows.
If you have software development in your organization, you have system glitches. These glitches are usually caused by a lack of testing, controls, and governance, or by an individual bypassing testing protocols, change controls, and governance. Consider a well-intentioned employee who thinks, “These controls are silly; I know my code is good,” and then bypasses change control. The code has a glitch and the employee just as quickly “fixes” the code. Imagine a disgruntled employee with those same rights. These types of situations are more common than we acknowledge. Having good controls that are supported by technology and management is vital for preventing losses due to disgruntled or well-intentioned employees.
Vendor issues have the potential to escalate into large-scale cyber events, as we all witnessed in the infamous example of SolarWinds. The products used in each environment or purchased as a service can fall victim to the well-intentioned associate and the disgruntled associate in the vendor’s environment. These situations are hard to manage, but the contract language is key. Ensure the proper controls and governance are in place. Test vigorously to ensure accuracy. Finally, make sure you have risk transference language included in the contract in case of an event.
Many strategies, tools, and techniques exist. Good governance, up-to-date software, a solid perimeter, and organizational awareness are essential for minimizing loss and maintaining solid performance.