If you haven't started to take security seriously after all the recent headlines in the news, you may be looking for a new job soon. It seems like every day there are new stories about how cyber-attackers are infiltrating organizations — and that's not counting the attacks that never make it into the news.
But how are cyber-attackers doing it? And why? You would be surprised. David Upton and Sadie Creese researched why these cyber-attackers attack and key ways to reduce an enterprise's vulnerability. They shared their findings in the Harvard Business Review article, "The Danger from Within," which is available for free download below. In summary, here's what they found:
Why are they doing it?
- Financial gain
- Revenge
- Desire for recognition and power
What are the causes of growth in cyber-attacks?
- The dramatic increase in the size and complexity of IT: Do you know who is managing your cloud-based services and with whom you cohabit in those servers and how safe those servers are? A vendor checklist of questions to ask isn't a bad idea.
- Employees who use personal devices for work: "The best way to get into an unprepared company is to sprinkle infected USB sticks with the company's logo around the parking lot."
- The explosion of social media: Cyber-attackers can easily target employees based on their profiles on LinkedIn, Facebook, etc., and they often do.
What can you do about it?
- Adopt a robust insider policy: There is a link to a framework provided by the State of Illinois that could be used as a great place to start.
- Raise Awareness: This is everybody's issue, not just IT anymore.
- Look out for threats when hiring: That background check? Yes, it is necessary.
- Employ rigorous subcontracting processes: Did you know the attackers in the Target breach gained entry to their systems by using the credentials of an insider — one of the company's refrigeration vendors?
- Monitor employees: Make it clear and transparent that you will be observing their cyber-activity to the extent of the law.
Overall, fix the weak points and make everyone responsible and aware that it is their job to protect the company's assets. All of them.