It is hard to get away from the presence and scale of the cyber security threat. The media is full of stories of companies that have been hit by a data breach. UK government figures from the Information Security Breaches Survey 2015 indicate that the average cost of the most severe online security breaches ranges from £1.5 to £3.1 million for big business and from £75,000 to £311,000 for SMEs. According to the survey, 90% of large organisations and 74% of SMEs reported an information security breach during the year.
The scale of the threat is vast and growing and the nature of the threat is also changing. As the profits from cyber crime have grown, so it has attracted the attention of more organised groups with more human resources available to them, including governments, organised crime and even terrorist organisations. And as the technology response to the cyber threat has become more sophisticated, cyber criminals have found new ways past corporate perimeter security.
The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals have combined to produce a new point of attack. It is focused on the weakest link in the corporate security chain: human beings rather than technology. The UK data confirms this, with 75% of large businesses and 30% of small businesses reporting staff-related data breaches in the last year.
This used to be filed under the “insider threat”, but that label is inadequate because it suggests complicity by employees in cyber crime, which is usually not the case. The more accurate term is “social engineering”: an attack vector that relies heavily on human interaction and typically involves tricking people into breaking normal security procedures.
“Spear phishing” targets specific companies and individuals: the attacker first builds up a picture of them from open sources, then sends a tailored message designed to extract their passwords or other credentials in order to access the corporate network. “Pretexting” uses an invented but plausible scenario, often delivered by phone call, to trick a targeted individual into disclosing confidential security information. “Baiting” is a simpler trick that relies on a USB stick (or, in older attacks, a floppy disk) loaded with malware, which is left in a smoking area, elevator, bathroom or even parking lot. Sooner or later someone will pick it up and plug it into a work computer.
Practising good security can help to mitigate, if not eliminate, the threat. This includes training your employees and creating awareness amongst them of the social engineering threat, ensuring that you have a BYOD policy which guards against employees introducing malware to your network through their own mobile devices, and having a robust password policy. On that last point, current guidance from the UK's NCSC (and its predecessor CESG) and from NIST favours long, unique passwords and multi-factor authentication over forced periodic password changes, which push users towards predictable variations of the same password.
Unfortunately, these simple steps are not enough on their own to guard completely against the social engineering threat. If rogue employees have been placed inside your company, or existing employees have become disgruntled, then they will already be inside all of your security perimeters, however robust those are.
That is when you need the additional assurance that a security monitoring solution can provide. Such tools watch your network and systems for signs of suspicious insider activity and for failed attempts to break in, such as repeated incorrect passwords against one account or from one source address. They provide intelligence that can be acted on promptly to stop an intrusion or insider threat before it succeeds.
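The kind of failed-login detection described above, as an added example that is not from the original post or from Crises Control: a Python script that parses constructed sshd-style authentication log lines (sample data with a hypothetical host and IP addresses from the documentation ranges), counts failed logins per source address inside a sliding time window, and also flags a successful login that arrives while a run of failures from the same address is still recent. The second signal matters more than the first, because it suggests the guessing worked.

```python
"""Detect password-guessing attempts in authentication logs.

Added example (not from the original post). Parses constructed sshd-style
log lines, counts failed logins per source IP inside a sliding window, and
flags a successful login that follows a recent run of failures, which is the
pattern a monitoring tool would surface as a possibly compromised account.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in the syslog format used by OpenSSH.
# Host name and addresses are hypothetical (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges). The year is not in syslog timestamps; 2015 is assumed.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 09:12:03 web01 sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 09:12:04 web01 sshd[2041]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 09:12:06 web01 sshd[2041]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar  3 09:12:07 web01 sshd[2041]: Failed password for alice from 203.0.113.7 port 51126 ssh2
Mar  3 09:12:09 web01 sshd[2041]: Accepted password for alice from 203.0.113.7 port 51127 ssh2
Mar  3 09:20:15 web01 sshd[2099]: Failed password for bob from 198.51.100.4 port 40010 ssh2
Mar  3 09:25:40 web01 sshd[2101]: Accepted publickey for bob from 198.51.100.4 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2015):
    """Return (timestamp, result, user, ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=4, window_seconds=60):
    """Scan log lines in order and return a list of alert tuples.

    ("brute_force", ip, count): at least `threshold` failures from one source
        address within `window_seconds` (reported once per address).
    ("success_after_failures", ip, user): an accepted login from an address
        whose failure streak is still inside the window.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    alerted = set()               # addresses already reported for brute force
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("brute_force", ip, len(q)))
        elif q:                   # success while the failure streak is still hot
            alerts.append(("success_after_failures", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data the script reports a brute-force alert for 203.0.113.7 on its fourth failure and then a success-after-failures alert when "alice" logs in from the same address two seconds later; bob's single failure followed by a key-based login five minutes later produces nothing, because the failure has aged out of the window. In a real deployment the threshold and window would be tuned per environment, and the same per-source logic can be keyed on the target account instead to catch slow, distributed guessing against one user.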
The scale and nature of the cyber threat can feel overwhelming. But a few simple precautions and the use of a monitoring solution can go a long way towards mitigating the social engineering threat and significantly enhancing your corporate cyber resilience.
Chairman – Crises Control
This blog first appeared on the Business Continuity Institute website www.thebci.org.