Vlad de Ramos, a 22 year veteran at IT Management and IT Security, guest blog writer today, giving us some practical advice on IT Security Vulnerabilities. What a timely piece of writing. So many industries are facing security issues today both external and internal. Vlad will cover how to take steps to guard your business from all fronts. Please help me welcome Vlad to TheDigitalAgeBlog.
Data breach can happen to anyone and IT security failures are not only damaging and costly for businesses, but customers would suffer as well, and people lose their jobs too.
In a study conducted by Scott & Scott, LLP, researchers found that 85 percent of businesses suffered a breach in their data security. Despite the prevalence, about 46 percent did not employ encryption solutions following the IT security failure. About 74 percent of the companies surveyed report losing customers, while others faced potential lawsuits (59 percent) and fines (33 percent).
It’s not enough that you guard your business against outside threats. There are many dangers inside the organization that should be managed before they can cost your leadership team their jobs and the business its integrity.
Companies who take IT security seriously should guard their business against all fronts. Unfortunately, many companies admit that they are still lacking in terms of securing safety from the inside. And one of the reasons many organizations fail to set up effective safeguards is because they are in denial about the magnitude of IT security threats stemming from an inside job.
Here are some of the reasons your employees can contribute to IT security failures.
Inside Insider Jobs
There are a variety of reasons a company’s very own employees can take part in inside jobs such as financial gain, desire for power and recognition, revenge on a co-worker or boss, and response to blackmail from inside and outside the organization.
Some employees are lured into inside jobs due to their loyalty to some people in the organization or to colleagues who recently left on not-so-good terms, while others do it for personal and political beliefs.
There are also insider jobs that are linked to activist groups and organized crimes. In a 2012 report by Carnegie Mellon University’s CERT (computer emergency readiness team) Insider Threat Center, researchers found that out of 150 cases of IT security failures analyzed, about 16 percent were linked to organized crime.
According to a psychologist, Monica Whitty, from the University of Leicester, employees who “willingly” assist in IT security attacks may be suffering from one or more of the following conditions: narcissism, psychopathy, and Machiavellianism, which is defined as the “the employment of cunning and duplicity in statecraft or in general conduct”.
In a 2013 study by Centre for the Protection of National Infrastructure (CPNI), findings showed that people who engage in insider attacks might have two or more of the following qualities: low self-esteem, lack of ethics, immaturity, tendency to fantasize, impulsiveness, lack of conscientiousness, instability, and manipulativeness.
Regarding work behaviors, the CPNI study found that insiders often engage in unusual copying jobs such creating copies of sensitive materials beyond what is necessary and removing protective markings on documents when creating their own copies. Insiders also often engage in usual IT activities such as searching for keywords in a company-sensitive database.
Management Vulnerabilities
Motivations and unusual behaviors are just one side of the story.
The lack of an effective IT security protocol opens up vulnerabilities within the organization that employees can use. Some of these include:
- Administrator and other privileged access that aren’t monitored.
- Unattended company devices such as USB’s and laptops.
- Hard drives that weren’t properly disposed.
But even with an advanced security practice, human error can still pose a threat. Most of the time these are innocent mistakes due to the lack of knowledge in IT security. These include improper file transfers, illegal uploads and downloads, as well as using personal devices in the workplace for business purposes.
In other cases they are intentional because of management issues. Disgruntled, burned out, and dissatisfied employees can turn to accomplices. The Verizon Data Breach Report 2016 have found that employees transferred data via USB before they left the company. Companies who have fraud detection were able to weed out the employees who provided information in weeks, but those who don’t identified them in months or years.
Secure Your Posts
Don’t just look for loopholes in the IT infrastructure. In ensuring the safety of your business and customers, you also have to analyze the status of the people within your organization. Ensure the security of all your posts by looking not just outside in but also inside out.
Please feel free to comment on Vlad’s post.
ABOUT THE AUTHOR:
Vlad de Ramos has been in the IT industry for more than 22 years, focusing on IT Management, Infrastructure Design and IT Security. He is a certified information security professional, a certified ethical hacker, a forensics investigator, and a certified information systems auditor. Vlad joins Homegrown.ph to help increase knowledge on IT security awareness in the Philippines. Outside the IT field, he is a professional business and life coach, a teacher, and a change manager.