The majority of cybersecurity efforts are focused on preventing outside penetration of company systems; however, there are a number of viable and previously successful attacks that have originated from within corporate firewalls.
One employee of a financial services company managed to steal data related to 350,000 customers -- roughly 10 percent of the firm's wealth management clients -- and post this information on an external website, potentially to sell to nefarious parties.
And these security threats are becoming more common. Per the IBM 2016 Cyber Security Intelligence Index, 60 percent of cyberattacks from the previous year were performed by company insiders, with 44.5 percent of attacks being performed by malicious employees and 15.5 percent by "inadvertent actors."
In 2015, security firm Proofpoint reported that criminals and hackers now rely on social engineering techniques as their primary exploit for bypassing cybersecurity. These attacks -- phishing, pretexting, baiting -- rely on the gullibility of your employees to perform the intrusion rather than an external assault.
By taking advantage of employee ignorance, these outside parties can either convince your staff to provide them with usernames and passwords to bypass your existing security measures or have the unknowing staff member load malicious code directly to your systems on their behalf.
According to research performed by Verizon, 63 percent of data breaches involved using weak, default, or stolen passwords. And in 2014, the most common stolen password was "123456," with "password" winning second place. When left to their own devices, your employees will rarely place much thought into your company's cybersecurity efforts, particularly in password selection.
Similarly, a 2014 study found that while 58 percent of employees store confidential information on mobile devices, 30 percent frequently leave these devices unattended in their vehicles for extended periods. Equally concerning, 34 percent of smartphone users in the United States do not lock or password protect the information contained on their phone, giving scammers and criminals ample opportunity to bypass your security protocols.
Of the data breaches tracked in the previously mentioned Verizon study, 16.3 percent were due to insider and privilege misuse, with 70 percent of these breaches requiring months if not years to discover. These attacks were predominantly (34 percent) motivated by financial gain; however, 25 percent were linked to corporate espionage -- particularly the theft of intellectual property.
There are a number of useful tools available that can help reduce the risk posed by internal vulnerabilities. Deploy email filtering software that can identify and prevent phishing attacks. Establish password policies that require frequent updates and set reasonable strength levels.
If you have a bring your own device (BYOD) program, extend these password requirements to employee-owned devices used to access company information. Consider requiring that BYOD devices incorporate data encryption or support remote wipe capabilities.
If possible, employ data analytics and network monitoring tools that will proactively track behavior within your network and alert staff to potential threats or abnormalities.
Make it clear to your employees the role that they individually play in the organization's cybersecurity. Provide all of your staff -- including C-level executives -- with comprehensive security awareness training, placing special focus on social engineering attacks. Notify employees of trending threats and offer regular refresher courses.
Work with your internal IT services staff or outside consultants to regularly test your existing cybersecurity. Identify key systems and confidential data that would be most useful to criminals and scammers and target testing efforts on accessing or breaching those systems.
Protecting your business against external cyberthreats should definitely be a priority, but you are doing your company a disservice if you do not take equal steps to protect against internal risks as well. And one of the key elements in reducing the likelihood that an internal attack will succeed is a well-educated and knowledgeable workforce.