An overlooked cybersecurity threat: insider attacks
Insider cybersecurity incidents, in which individuals take advantage of authorized access to a company’s systems, have always been costly. Over the years, a series of high-profile companies have fallen victim to insider attacks. Target lost US $300 million after cyber criminals accessed 40 million payment card numbers and 70 million personal data accounts via a refrigeration vendor. The New York Post scrambled to undo the damage done to its reputation after one of its employees posted a series of unapproved messages to its social accounts. Marriott paid £18.4 million after an insider threat exposed private customer data and violated GDPR guidelines.
Insider threats rising in 2022
By some accounts, these insider threats are at a recent high. According to Kroll, a risk and financial advisory service that publishes intermittent security reports, the rate of insider threats rose from 24 to 35 per cent of unauthorized threat incidents between Q2 and Q3. Kroll’s analysts hypothesized that remote work and rapid job switching increased insider threats. (Recently laid-off or remote employees may be more likely to copy data, delete files, and work with bad actors.) But insider threats also originate from third-party vendors, agencies, and data storage partners: anyone authorized to access company data may be a threat vector.
The gaps in conventional cybersecurity measures
Even the more sophisticated conventional cybersecurity measures leave businesses open to insider attacks. When employees have legitimate access to systems, barriers are less effective. Insiders use access codes to bypass virus checkers, malware detectors, and firewalls; scan Post-It notes where employees list their strongest passwords; and hijack corporate accounts to download valuable assets and private customer information. To control what Professor Sadie Creese calls “the doors that leave organizations vulnerable to insider attacks”, business leaders adopt more comprehensive security cultures.
Four steps to foster cyber as a culture
To address insider threats, Professor Sadie Creese, who researches security architectures and threat detection, prompts leaders to move beyond conventional, isolated tactics. As Creese and her colleague explain in Harvard Business Review, cyber-first leaders equip all employees, not just IT departments, with comprehensive cybersecurity skill sets, tools, and mindsets. Embed cybersecurity into your company culture with a few key steps.
- Treat cybersecurity as a core skill. Whether employees are executives, associates, or summer interns, give everyone access to a set of clear, comprehensive, and actionable cybersecurity guidelines. Can’t spend time developing an internal training course? Find one offered by Coursera or an industry standards organization that gives employees the tools to stay safe and monitor the workplace.
- Monitor contractors. When hiring agencies, ask about their cybersecurity practices, hiring and training guidelines, and cyber response plans. In addition, evaluate what types of permissions their contractors have within your systems and whether they receive full or partial access.
- Test new hires’ cybersecurity chops. As part of the interviewing process, add questions about password security, phishing, and practices around sharing and working with private customer data. Consider upskilling underprepared employees before their start date so your workforce is uniformly prepared to fight attacks.
- Weave cyber practices into conversation. Talk openly about suspicious phishing attempts, describe to colleagues how you handle events, and support more junior employees as they navigate cybersecurity issues. When cybersecurity is discussed throughout an organization, not just in the IT department, best practices are easier to remember.
Craft a cyber secure culture
Want to craft a culture that champions cybersecurity? Esme Learning designs and develops executive education programmes in partnership with leading universities and corporations worldwide. Browse our complete list of programmes in artificial intelligence, blockchain, cybersecurity, digital disruption, and digital finance at Esme Learning.
About Esme Learning
Esme Learning delivers career-transforming online executive education in partnership with leading universities. We’re reinventing remote learning, using AI-enabled tools and years of peer-reviewed cognitive and neuroscience research to deliver an immersive and collaborative learning experience.