The Biggest Security Threat to Your Business is on Your Payroll

Jun 29, 2021 at 11:54 am by pj


Revealed: The real cost of insider attacks – and your strategy to prevent them


By BRIAN AWSUMB

Someone working for you right now is also working alongside some of the world’s most successful cyber criminals. A double agent.

And before long, they’re going to take down your business from the inside. They’ll put your sensitive business data in the hands of your number one enemy.

Where does this leave your business?

Potentially held to ransom to regain control of your data. Perhaps losing all your data for good.

And having to explain to your clients that their personal information has been stolen…


It sounds like the plot from a movie, doesn’t it?

While it could make a great edge-of-your-seat thriller, sadly, this is a very real threat to you and your business. And it can happen for two key reasons.


REASON ONE: The most common reason is that an employee of yours is an accidental double agent.

Their lack of cyber security training means they don’t notice the warning signs of a phishing email, dangerous attachment, or spoofed web page. That training gap leads your employee to click on a bad link, which leaves you open to attack.

This is what we call insider negligence.


REASON TWO: Imposter theft. This is what we call it when someone obtains your credentials and uses them to access your business’s sensitive data.

Credential theft can be the costliest form of attack to recover from.

In fact, the cost of an imposter theft can average $871,000 or more. That’s almost three times the cost of insider negligence, at $307,000, and even more than a malicious insider attack, at $756,000.

These figures are PER INCIDENT. The expense to defend and recover quickly racks up thanks to monitoring and surveillance, investigation, escalation, incident response, containment, post-attack analysis and remediation.


Just think about what an attack like this would mean for your business.


As loyal as your team is, and as much as you think they know about cyber security, as business owners we simply can’t afford to assume we’re safe. The threat of an insider attack is very real, and incidents are rising year after year.

IBM recently carried out a study of 204 organizations in the United States. Over 12 months, this small group of organizations saw 4,716 insider attacks.


• 63 percent of these attacks were due to insider negligence.
• 23 percent were down to malicious insiders.
• 14 percent related to credential theft.


Businesses with fewer than 500 employees spent on average $7.68 million dealing with the consequences of insider attacks.

So, what can we, as business owners, do to prevent and minimize this kind of attack?

Our recommendation would be to create an insider threat strategy. Follow it to the letter and you could instantly minimize the risk to your business.

There are three key areas that must be in your strategy, but just remember every business is unique. To create a bespoke strategy, consult with a trusted IT support partner (hey, we can help with this).


Key area 1: Ongoing education

Training your team is at the core of avoiding negligent insider attacks.

It’s absolutely essential that everyone does the training, from the most junior member of staff right up to your CEO. This demonstrates to everyone that senior management is taking their responsibilities seriously.

But also, we find that senior management are most likely to make technical mistakes. Sorry, but it’s true! And because they have access to the most data, they are more likely to be targeted by hackers.

Cyber security training isn’t a one-off thing. Cyber attacks are becoming increasingly sophisticated. Criminals will take advantage of any situation, be it the global pandemic, a change in legislation, or simply a new tax year.

They will tailor their attempts to fool you and your team in any way that they can, and you all need to be aware of the red flags to look out for.


Key area 2: Tailored, multi-layered security

Of course, you need security software. You’re being trusted with the private data of your clients and employees.

Realistically, off-the-rack security isn’t going to cut it. You need security that’s tailored to your business, the apps and software you use, and the way you use them.

And this will be different for every single business. Following the recommendations of an IT expert is essential to give your data the protection it really needs.

We would highly suggest you research multi-layered security, too. Different software that works together to create a higher level of security is the best way to keep your data as safe as possible. Implement multi-factor authentication across your apps, where you generate a login code on a separate device. And consider using biometrics across your devices, such as fingerprint scanners.

Consider the risk that lost or stolen devices pose to your business too, and the ways that encryption and wiping data remotely will benefit you.


Key area 3: Restrict access

Do you know who has access to which files within your business? Can everyone access everything, or are your files accessible only by those who really need them?

According to a 2019 global data risk report, 53 percent of employers found to their horror that more than 1,000 sensitive files were accessible by every employee in their business.

The more people that have access to a file, the more likely it is the file will be breached.

Restrict file access to those who need it. Make sure files are always encrypted. And consider password protection for the most sensitive files.

Don’t forget the external partners who may have access to your data.
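The first step in restricting access is finding out which files are currently open to everyone. The script below is an added example, not code from the article or from AwsumbTech: it walks a shared folder, flags every file that the “other” class (everyone on the system) can read or write, marks the ones whose file type the business treats as sensitive, and then strips those permissions. It assumes a POSIX filesystem (Linux or macOS); the sample share, its file names and the SENSITIVE_SUFFIXES list are constructed for illustration.

```python
"""Audit a shared folder for files that everyone can read or write.

Added example, not from the article. Assumes a POSIX filesystem, where the
'other' permission bits stand in for 'every employee' access to a share.
The sample share and the sensitive-suffix list below are constructed.
"""
import os
import stat
import tempfile
from pathlib import Path

# Assumption: file types this business treats as sensitive (constructed list).
SENSITIVE_SUFFIXES = {".xlsx", ".csv", ".docx", ".pdf"}

# All permission bits granted to the 'other' class.
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def is_world_accessible(mode):
    """True when the 'other' class can read or write the file."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def audit_tree(root):
    """Return one finding per regular file that everyone can read or write."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)  # permission bits only
        if is_world_accessible(mode):
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "mode": oct(mode),
                "sensitive": path.suffix.lower() in SENSITIVE_SUFFIXES,
            })
    return sorted(findings, key=lambda f: f["path"])


def summarize(findings):
    """Counts a manager can act on: how many files, and how many sensitive ones."""
    return {
        "world_accessible": len(findings),
        "sensitive_world_accessible": sum(1 for f in findings if f["sensitive"]),
    }


def remediate(root, findings):
    """Strip every 'other' permission from the flagged files; returns files changed."""
    changed = 0
    for f in findings:
        path = Path(root) / f["path"]
        mode = stat.S_IMODE(path.stat().st_mode)
        os.chmod(path, mode & ~OTHER_BITS)
        changed += 1
    return changed


def build_sample_share():
    """Create a throwaway 'company share' with deliberately mixed permissions (constructed)."""
    root = tempfile.mkdtemp(prefix="share-")
    sample = {
        "hr/salaries.xlsx": 0o644,    # sensitive and readable by everyone
        "hr/handbook.pdf": 0o644,     # sensitive suffix, readable by everyone
        "finance/ledger.csv": 0o640,  # sensitive, but group-only: not flagged
        "marketing/logo.png": 0o644,  # readable by everyone, not sensitive
        "it/admin-notes.txt": 0o600,  # owner-only: not flagged
    }
    for rel, mode in sample.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    found = audit_tree(share)
    for f in found:
        print(f"{f['mode']}  {f['path']}  {'SENSITIVE' if f['sensitive'] else ''}")
    print("before:", summarize(found))
    remediate(share, found)
    print("after: ", summarize(audit_tree(share)))
```

Run it against a real share by replacing build_sample_share() with the folder path, and review the findings before calling remediate(): the point of the audit is to give the “who needs this?” conversation a concrete list, and the same check can be repeated on a schedule so access does not quietly widen again.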


Brian Awsumb is the founder of AwsumbTech, a local, veteran-owned managed service provider specializing in small and medium-sized businesses. AwsumbTech takes a proactive approach to IT: all assets on your network are monitored and maintained 24/7 to catch issues before they impact business operations. Visit https://awsumbtech.com or email info@awsumbtech.com