Cyber security is one of the BIGGEST concerns keeping many leaders awake at night. As I was reading around the topic I came across the Harvard Business Review article The Danger From Within. It is a great read and highlights the often overlooked and ever present cyber security risks within your own company. The article points out that the 2013 cyber attack on Target was in fact made possible by the company’s refrigeration vendors! It goes on to explain that while external cyber security risks are of course ever present, corporates must also recognise and protect themselves from people that have direct access to the organisation.
Intriguing stuff, eh? The article is full of interesting statistics; the following are my notes from the article.
By the way, the reason I am sharing my notes here is that the payables process is a PRIMARY focus area for cyber-attackers. After all, it is within the payments process that sensitive payment information (suppliers, account numbers, bank system user-ids and passwords) is held, and where employees (the potential targets) are preparing and sending payments to your banks.
Cyber Security Risks – Nah, not us!
Yep, many corporates are in denial. As a result, many corporates do not have sufficient security and controls in place to manage insider cyber security risks.
Cyber Security Risks – Who?
According to the article, the threat is “from people who exploit legitimate access to an organization’s cyberassets for unauthorized and malicious purposes or who unwittingly create vulnerabilities”.
That pretty much captures anybody and everybody that is able to access your company, both physically and remotely.
Cyber Security Risks – How?
Alright, this is pretty interesting. The Danger from Within goes into quite a bit of detail, but in short:
- IT – As your IT estate grows in size (often globally connected systems) and complexity (for example cloud based, data centres in exotic parts of the world, outsourced systems and databases), so too does your risk. The message here is: how secure are all of these external parties?
- Marketplace – The “Dark Web” enables people to buy and sell your company’s sensitive data (usernames, passwords, account numbers, etc.), creating a cyber security market. Is there someone in your company who has access to this data and who may be willing to sell it on the “Dark Web”?
- Electronic devices – Devices are used for mixed purposes. You may use your ‘personal laptop’ to do a bit of work, or your ‘work laptop’ to do a bit of casual surfing. Out there are cyber threats ready to pounce on any vulnerability and exploit the weakness. A frequently cited example is USB devices and phone chargers infected with malware, an easy way to lure an unsuspecting employee within your organisation.
- Social Media – Used to identify “appropriate” targets within an organisation and to exploit them through a scam, threat or blackmail (cyberblackmail) so that they reveal, or give access to, restricted information.
Cyber Security Risks – Why?
There are a whole range of reasons why someone is driven to launch a cyber attack, including: money, revenge, recognition, authority, blackmail, alienation, and beliefs (political, religious, sexual). The article cites evidence that perpetrators may have some kind of personality or psychotic condition, and recommends asking questions during the recruitment process to identify personality instabilities. Which leads us to….
How to identify Cyber Security Risks
The Danger from Within identifies 5 steps to take:
- Create a policy that outlines cyber security do’s and don’ts – it must be shared and enforced
- Inform people about the risks, give examples, and test them!
- Hire new recruits carefully and cautiously
- Verify contractors and sub-contractors – while you may have the highest levels of security at your firm, do your contractors? Wherever they are located, they need to be vetted
- Big brother – keep an eye on your employees
Cyber Security – The weakest link
Often corporates are so focused on the external threat that they forget that some internal risks pose just as much danger – arguably, with direct access to your infrastructure, an insider can unleash greater damage in a much shorter time frame. But there is a balance to be struck here. On one hand there is recognition of the cyber security threat. On the other hand, the security and integrity of your workplace must be maintained without sacrificing the freedom and integrity of the people that work within your organisation.