Every year, Shreddit publishes a State of the Industry Report to help businesses understand the emerging cyber-security threats facing modern-day organizations. This year, some of the major new challenges include the introduction of the GDPR, the continued lack of training provided to employees, the work-from-home trend and the rise in customer concern about the security of their own data.
The State of Cyber Security in the US
The report found that, unsurprisingly, the biggest cyber-security threat to US businesses comes from their own employees. The majority of organizations surveyed, from enterprise level to small businesses, identified employee negligence as the biggest threat. Interestingly, 96% of American consumers also felt that employee negligence was a significant contributor to data breaches.
Organizations in the US have a right to be concerned, as over 69% of reported breaches involved the accidental or malicious misuse of data by insiders. Insider threats are something we’ve been harping on about for years, and they don’t appear to be going away any time soon.
So, in what ways do your own employees threaten the security of your data?
A New Way of Working
Remote working has increased vastly in popularity over the last few years, and it brings with it a unique set of security challenges. It has never been easier to stay connected to your organization’s network from home, and many are now choosing that method as a more permanent way of working. In fact, the majority of organizations surveyed said that they offer flexible work models to their employees. The reasons why are simple. Allowing employees to work from home means organizations have access to a geographically wider pool of talent, and it often leads to increased productivity.
So, what’s the danger of the work-from-home model? Unfortunately, most organizations have not adapted to this trend and still rely on a policy of trust when it comes to protecting sensitive data remotely. Inevitably, trust doesn’t pay off and employees will misplace important laptops or smartphones, or visit unsafe sites that could potentially lead to malware attacks, such as ransomware. Furthermore, the vast majority of employees can’t even recognize what sensitive data looks like, let alone know what steps to take to ensure it is secure.
Another change in many office spaces is a move towards more open-plan offices as a way of increasing collaboration. Logistically this increases the likelihood of a rogue employee being able to access sensitive data, as there are fewer physical barriers for them to get through. Organizations need to ensure that, if they are adopting this way of working, they keep all passwords and physical copies of sensitive information behind locked doors.
The Verizon 2018 Insider Threat Report states that 56% of security experts viewed weak/reused passwords as the biggest enabler of accidental insider threats. Companies will need to enforce a strong password policy. Check this article for password policy best practices.
As a safeguard against password cracking, companies should utilize a “threshold alerting” solution which can automatically detect, alert on and respond to anomalous logon failures in Active Directory. For example, if X failed logon attempts occur within a period of Y, a custom script can be executed which can stop a specific process, change the firewall settings, disable a user account, or shut down the server.
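As an added illustration of the threshold-alerting logic described above (this is not code from the original post or from any vendor product): a sliding-window detector run over constructed failed-logon records, with the scripted response left as a decision the operator's own script would act on. The record shape and the reference to Windows Security event ID 4625 are assumptions about how a log forwarder would present the data.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample failed-logon records (not real data): ISO timestamp, account
# and source address, roughly as a forwarder would emit Windows event ID 4625.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "jsmith", "10.0.0.5"),
    ("2024-01-01T09:00:30", "jsmith", "10.0.0.5"),
    ("2024-01-01T09:01:00", "jsmith", "10.0.0.5"),
    ("2024-01-01T09:01:30", "jsmith", "10.0.0.5"),
    ("2024-01-01T09:02:00", "jsmith", "10.0.0.5"),
    ("2024-01-01T09:30:00", "mjones", "10.0.0.9"),      # a single typo, no alert
    ("2024-01-01T08:58:00", "svc_backup", "10.0.1.2"),  # 5 failures, but spread
    ("2024-01-01T08:50:00", "svc_backup", "10.0.1.2"),  # over 8 minutes, so no
    ("2024-01-01T08:54:00", "svc_backup", "10.0.1.2"),  # 5-minute window holds 5
    ("2024-01-01T08:52:00", "svc_backup", "10.0.1.2"),
    ("2024-01-01T08:56:00", "svc_backup", "10.0.1.2"),
]


def detect_logon_failure_bursts(events, threshold, window_seconds):
    """Alert once per account when >= threshold failures fall inside any
    sliding window of window_seconds (the article's "X failures in Y time")."""
    window = timedelta(seconds=window_seconds)
    recent = {}      # account -> deque of (timestamp, source) inside the window
    alerts, alerted = [], set()
    for ts_str, account, source in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        q = recent.setdefault(account, deque())
        q.append((ts, source))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and account not in alerted:
            alerted.add(account)
            alerts.append({"account": account, "count": len(q),
                           "first": q[0][0].isoformat(), "last": ts.isoformat(),
                           "sources": sorted({s for _, s in q})})
    return alerts


def choose_response(alert):
    """Pick which of the article's scripted responses fits: one source hammering
    one account is a firewall matter; many sources on one account suggests the
    account itself should be disabled pending review."""
    if len(alert["sources"]) == 1:
        return "change_firewall_settings"
    return "disable_user_account"
```

Running `detect_logon_failure_bursts(SAMPLE_EVENTS, 5, 300)` flags only jsmith; widening the window to 600 seconds also catches the slower svc_backup burst, which is the tuning trade-off the X and Y parameters represent.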
Data Laws Catch Up with Globalization
In a world where you can speak to someone half-way across the world with the click of a button, the old data protection legislation was beginning to sound a bit archaic. The EU led the way to better data protection legislation for EU citizens with the General Data Protection Regulation (GDPR). This regulation essentially states that any country, wherever it is located in the world, that stores the personally identifiable information (PII) of EU citizens must act responsibly when handling, storing or processing said data.
Despite it being well reported and documented in Europe, the report found that a staggeringly small percentage of US organizations were familiar with the new laws. This is worrying. With so many organizations operating on a global scale, they must begin to think about being part of this new, global, security-conscious environment.
There are a number of specific things that the GDPR has brought to the forefront of data security, and we have written many articles on the topic, so I won’t repeat them here. If you need more information on how GDPR affects US businesses, click here.
Why Are Companies Still Failing?
Two of the main reasons why companies are failing to detect and prevent employee negligence are a) a lack of budget and b) a lack of suitable monitoring technology. However, these days there are a number of affordable IT security and user activity monitoring solutions on the market. LepideAuditor, for example, can detect, alert on and respond to suspicious behaviour and changes, as well as help to enforce “least privilege” account access.
It’s not enough to say that you can’t afford a solution, or that nothing suits your environment. There is also no excuse for not having regular training sessions for your staff to educate them on how to avoid cyber-security threats. Take action, now!