Information Security Risks and the Human Factor
By David Glickman
CEO and Principal
As we pursue data security for our organizations and in our personal lives, change always equates to risk. The rapidly changing technology landscape in the world of integrated absence management (IAM) and the growing number of systems we use on a daily basis have expanded the risk for all of us. We have always had to be vigilant, but this level of change and the increasing sophistication of cyber criminals over the past few years requires us to rethink the way we approach security.
As organizations get better at protecting servers and other devices, criminals are increasingly targeting applications and people. So in addition to the efforts of your information technology (IT) team, you are your company’s other defense against cyber criminals. Your profession requires you to process information more quickly than ever, yet your organization also needs you to think twice before responding to emails, which are the primary avenue that cyber criminals use to attack your organization through you.
Malicious software, usually referred to as “malware,” is designed to disrupt or deny access, gain unauthorized access, or steal information. In the old days, malware mostly consisted of pop-ups trying to sell you something. These were annoying and slowed down your computer, but they rarely caused major damage. Today’s threats are much more sophisticated and damaging.
The latest threat is a new type of malware called “ransomware,” which typically starts with an email that mimics a trusted source, such as your employer, your bank, or the government. When you click on a link or open an attachment, it runs a program that encrypts your files. You are then asked to transfer funds in order to get the encryption key to unlock your files. Once malware like this is on your computer, it can spread via your internal network to others in your organization. Sometimes malware even hijacks your email program and, posing as you, sends out a similar email to all your contacts.
Phishing may be the most commonly used approach of cyber criminals. Once again, this typically starts with an email that mimics a legitimate source asking you to click on a link in the email to log in online and take some action to avoid a penalty or a problem. If you click on the link and then enter your username and password to try to log into their sham website, you have given criminals your credentials to log into your legitimate site. Successful phishing attempts can lead to the most serious consequences for you and your organization because you are giving them your access to important functions. Some phishing attempts may even ask you to enter your credit card information.
Cost of Data Breaches
New regulations require organizations to report data breaches to those who might have been affected, which is one of the reasons we hear more and more about them in the news. A leading industry report1 documented 1,202 publicly disclosed breaches in the United States in 2017 through Nov. 29, including organizations such as Aetna, Anthem, Humana, Northwestern Mutual, New York Life Insurance, Metropolitan Life, Med-Cert Inc., Insperity, and Ceridian.
Although many of these organizations did not report the number of records affected or the cost, we know the costs can be enormous. According to a June 2017 study by IBM Security2 of 63 U.S. organizations that experienced a data breach, the average cost was $7.35 million, with an average cost per stolen record of $225. One of the biggest components of this cost is the loss of business as a result of reduced customer trust.
One of the largest known data breaches occurred in the summer of 2017 at Equifax, which exposed sensitive personal data — including Social Security numbers, birth dates, addresses, and driver’s license and credit card numbers — of 145 million American consumers. That is more than 50% of all U.S. adults! The size and public nature of this breach highlight again the importance of protecting your organization against malicious attacks. If one of the world’s largest credit reporting agencies can be hacked, what about your organization?
How Do I Protect Myself and My Organization?
Security breaches often result from errors on the part of an organization’s employees and partners. According to a study released by Intel in 2015,3 43% of data breaches were caused by such insiders, of which half were intentional and half accidental.
Cyber security firm Clearswift4 claims that while employees alone were responsible for 42% of cyber incidents, the “extended enterprise,” which includes customers, suppliers, and ex-employees, is responsible for 74% of such incidents, of which two-thirds are accidental.
Interestingly, most organizations do not perceive internal threats as being one of their biggest risks. They often point to the increasing use of the cloud, even though there is no indication that the current generation of cloud applications are more prone to compromise than on-premise applications.
Taking a few simple precautions can help protect you and your organization from these kinds of exploits:
- Don’t open attachments unless you know what they are. Remember that it is easy for criminals to pose as someone you know.
- Before clicking on a link in an email, hover over it to see where it is taking you. The URL link you see in blue in the email text is not necessarily the actual URL destination. Sometimes criminals even register a URL that is almost the same as the legitimate site, and if you don’t pay attention, you might not realize it. For example, if you are being directed to americanxpress.com (did you notice the missing “e”?) or americanexpress.xyx.com (only the last part of a URL is important), you would know that someone is trying to trick you.
- If you have already clicked through to the site, check that the beginning of the URL is in a green font in your browser: that means that you are on a secure and authenticated site. It is very easy for a criminal to make a page look exactly like the real site, but they usually won’t be able to get an Extended Validation (EV) website security certificate, which is required for the URL to be presented in green. If you’re still not sure whether you’re being contacted by a legitimate source, call them to check.
- Always be vigilant when you are asked to enter your username and password in response to a link in an email. If you’re not sure it is from a legitimate source, try entering an incorrect password first. If it is a phishing expedition, they’ll usually accept your incorrect password because they don’t know that it’s incorrect!
- Do not use the same password on all your devices, as this means that any single site that is compromised might give criminals access to all of your accounts. If you find it too complicated to remember all your passwords, use a password manager such as True Key or Identify Safe.
- When possible, enable multifactor authentication on sensitive sites such as your corporate network or your bank. The use of a second authentication method such as random challenge questions or entering a code sent to your phone makes it almost impossible for attackers to log in with stolen passwords.
- And, of course, always apply antivirus and software patches as soon as they are available, as they are your first line of defense.
The Information Security Forum predicts that regulatory changes will continue to impose new restrictions on the way data are collected, stored, transferred, and disposed of in light of growing demand for greater data protection. This will likely increase the penalties and visibility of data breaches and other security and privacy infractions going forward.
According to Gartner,5 worldwide spending on information security products and services will grow to $93 billion in 2018. But none of this IT spending will solve the human factor — that’s up to you!
- Identity Theft Resource Center. 2017 Data Breach Reports. Nov. 29, 2017. Retrieved from http://www.idtheftcenter.org/images/breach/2017Breaches/ITRCBreachStatsReport2017.pdf
- IBM. 2017 Ponemon Cost of Data Breach Study. Retrieved from https://www.ibm.com/security/data-breach/
- Intel/McAfee. Grand Theft Data Report. 2015. Retrieved from https://www.mcafee.com/us/resources/reports/restricted/rp-data-exfiltration.pdf
- Clearswift. Internal Threats: 3 Ways to Protect Your Organization Against the Insider Threat. Oct. 16, 2017. Retrieved from https://www.clearswift.com/taxonomy/term/31
- Gartner. Business Impact of Security Incidents and Evolving Regulations Driving Market Growth. Aug. 16, 2017. Retrieved from https://www.gartner.com/newsroom/id/3784965