The People Factor in Cyber Breach
By Peter Schablik and Scott M. Higgins
The recently leaked “Panama Papers” have shaken politics across the world, forcing the resignation of Iceland’s Prime Minister and drawing in other top officials, including the British Prime Minister and the President of Russia.
This unprecedented leak of financial and attorney-client information from the law firm Mossack Fonseca spans four decades of records and shows that any company’s sensitive information is vulnerable.
That leak was ideologically and morally motivated, but most attacks are not: about 89 percent of the breaches analysed in Verizon’s 2016 Data Breach Investigations Report had a financial or espionage motive. Of the confirmed breaches, 63 percent involved default, weak or stolen passwords. Basic safeguards, in other words, are widely missing or insufficient.
What is a Cyber Breach?
The U.S. Government’s National Initiative for Cybersecurity Careers and Studies (NICCS) defines a data breach as “The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.”
A breach occurs when an unauthorised person gains access to a repository or database, typically over the internet or an internal network, either by exploiting a weakness in the system’s security controls or by stealing an employee’s credentials. The result is data being accessed, viewed, copied or stolen without permission.
Targets are no longer limited to governments; banks, manufacturers, hospitals and many other organisations are attacked. Many of these breaches involve the theft of trade secrets or intellectual property, financial information, or personal information such as health records, credit card numbers and bank details.
Many companies do not invest sufficiently in safeguards, leaving them exposed to these kinds of attacks.
Forms of Cyber Breach
Cyber breaches take several forms:
- Phishing: e-mails purporting to come from well-known companies that direct the recipient to a malicious website or trigger a download of malicious software. They may also trick users into revealing sensitive information such as bank or credit card details, usernames and passwords. The websites involved replicate a genuine company’s site closely enough to convince the user that it is real.
- Unauthorised access to a computer system or data
- Hacking of a website
- Denial or disruption of services
- Installation of malware or viruses through employees’ inappropriate use of computers and applications, which can harm the company
Costs of Cyber Breach
According to the 2015 Cost of Data Breach Study by IBM and the Ponemon Institute, the average cost of a breach for the 350 companies surveyed rose by $270,000 between 2014 and 2015, to $3.79 million. Lost business, the largest single component, rose from $1.33 million to $1.57 million, and the average cost per stolen or lost record rose from $145 to $154 over the same period.
Growing public awareness of how vulnerable personal data is has accelerated the lost-business cost for companies. Lost business includes abnormal customer turnover, increased customer acquisition cost, and damage to reputation and goodwill.
Companies also take a long time to identify a breach: in the same study, an average of 256 days for a malicious attack and 158 days for a breach caused by human error. That gap gives an attacker ample time to steal or manipulate data or to spread malware further.
A fast-growing company with unique, niche products and a specialised clientele may find it hard to recover from a breach, especially an espionage attack that steals its trade secrets. The ransom an attacker demands for not dumping the data on the open market, or for not publicly exposing the victim’s use or provision of controversial services, can be enormous and may cause permanent damage, in some cases putting the company out of business.
The People Factor
While companies feel an ever-increasing sense of threat, many of the measures they adopt are misdirected. Companies often focus on external threats such as malicious organisations, individuals or governments while ignoring their own employees and contractors, which instils a false sense of security. According to Verizon’s Data Breach Investigations Report, “Miscellaneous Errors” accounted for the largest share of reported incidents.
This category includes misconfiguration of IT systems, improper disposal of company information, and stolen or misplaced devices holding sensitive data such as smartphones, tablets and laptops.
Employees sending sensitive information to the wrong recipient (misdelivery) accounted for 26 percent of this category.
Despite advances in technology, most of today’s attacks are basic in nature, phishing above all. According to the same report, about 30 percent of phishing messages were opened, and in 13 percent of cases the recipient went on to click the malicious attachment or link. These attacks target specific users and generally take little time to produce a breach, which makes them extremely popular with attackers: in 93 percent of breaches, the attacker needed only minutes or less to compromise the system.
Among these techniques, phishing is the most dangerous. A phishing attack typically unfolds in three stages:
- An e-mail arrives containing a malicious attachment or a link that redirects to a malicious website.
- Viruses or malware are downloaded onto the system, corrupting files or infecting the machine. That foothold is then used to download additional malware, which hunts for secrets (espionage), encrypts files for ransom, or steals credentials for multiple applications.
- The stolen credentials are reused in further attacks, including logging in to the user’s bank or retail accounts and harvesting sensitive personal information such as credit or debit card details, name, address and phone number, leaving the individual exposed to identity theft.
Ensure awareness amongst employees: Training is important, but embedding cyber security in the corporate culture is what makes it stick. Written policies and clearly communicated procedures for data privacy and security promote compliance and help protect the company from breaches.
Patches and updates: Applying patches and other software fixes promptly closes the vulnerabilities attackers would otherwise exploit.
Data encryption: Encrypting data at rest limits the damage from a stolen device or a copied database. Without the key, the attacker holds only ciphertext, and breaking modern encryption is impractical. The key must be stored separately from the data, however, or the protection is illusory.
Monitor activities: Monitoring for suspicious behaviour, such as repeated failed logins or unusual data transfers, can reveal breach attempts early enough to act on them.
Password: Passwords should be long, unique to each account, and kept in a password manager rather than written down. Change them whenever compromise is suspected; forced rotation on a fixed schedule tends to produce weaker, predictable passwords.
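As an added example of what “monitoring suspicious activity” means in practice (this is illustrative code, not from the article or from any product it mentions), the script below scans authentication log lines for the pattern behind most credential-based breaches: a burst of failed logins from one source, followed by a success. The log lines are constructed, and their sshd-style format, the threshold of five failures and the ten-minute window are assumptions to adapt to your own logs.

```python
"""Detect brute-force logins and a success that follows them in auth logs.

Added example, not from the article. The log format, threshold and window
below are assumptions; adapt LINE_RE to your own authentication logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified sshd-style format.
SAMPLE_LOG = """\
2016-05-02T09:00:01 sshd: Failed password for admin from 203.0.113.7
2016-05-02T09:00:03 sshd: Failed password for admin from 203.0.113.7
2016-05-02T09:00:05 sshd: Failed password for root from 203.0.113.7
2016-05-02T09:00:07 sshd: Failed password for admin from 203.0.113.7
2016-05-02T09:00:09 sshd: Failed password for admin from 203.0.113.7
2016-05-02T09:00:11 sshd: Accepted password for admin from 203.0.113.7
2016-05-02T09:15:00 sshd: Accepted password for alice from 198.51.100.4
2016-05-02T10:00:00 sshd: Failed password for bob from 198.51.100.9
2016-05-02T11:30:00 sshd: Failed password for bob from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, ip, user, timestamp) tuples.

    'brute_force'           : at least `threshold` failures from one IP within `window`
    'success_after_failures': a successful login from an IP that had at least
                              `threshold` failures within the preceding `window`
    """
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    fired = set()                  # IPs already reported for brute force
    for e in sorted(events, key=lambda ev: ev["ts"]):
        # Keep only failures still inside the sliding window for this IP.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if not e["ok"]:
            recent.append(e["ts"])
            if len(recent) >= threshold and e["ip"] not in fired:
                fired.add(e["ip"])
                alerts.append(("brute_force", e["ip"], e["user"], e["ts"]))
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the signal that a
            # password was guessed or a stolen credential finally worked.
            alerts.append(("success_after_failures", e["ip"], e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind}: {user} from {ip}")
```

On the constructed log this reports two alerts for 203.0.113.7 and nothing for the two isolated failures from 198.51.100.9, which fall outside the window. The second alert kind is the one worth paging on: a brute-force burst that ends in a success is no longer an attempt but a compromised account.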
E-mails: Most phishing attacks arrive by e-mail. Filtering mail at the gateway (spam and malware scanning, attachment controls) stops many malicious messages before they reach employees; a network firewall alone does not inspect mail content. Messages that request information, require a software download, or warn that the user’s computer is at risk are typical phishing lures. Employees should be kept aware of current attacks and trained on how to handle them, and should keep their e-mail addresses private rather than posting them online.
Disposal of devices: Files should be securely erased from devices before disposal, and where the data warrants it the storage media should be physically destroyed so that nothing can be recovered.
Today’s cyberattacks have evolved and become more sophisticated, and most are aimed at unsuspecting individuals. A company-wide protection plan and employee training may be difficult for a business to implement, but they are an essential investment.
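As an added example of the lures described above (illustrative code written for this page, not from the article or from any mail-filtering product), the following script checks an e-mail for four common phishing indicators: a Reply-To domain that differs from the sender domain, a display name that claims a trusted brand while the sender domain does not belong to it, a link whose visible text names a different domain from its real target, and pressure language. The two messages, the trusted-domain set and the indicator list are constructed assumptions; a real filter would draw on reputation data and many more signals.

```python
"""Flag common phishing indicators in a raw e-mail message.

Added example, not from the article. The messages are constructed and the
indicators and TRUSTED_DOMAINS are illustrative assumptions, not a vendor's rules.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing message: look-alike sender domain, mismatched Reply-To,
# link text that differs from the real href, and urgency language.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examp1ebank-secure.com>
Reply-To: verify@mail-recovery.example
To: alice@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Dear customer, your computer is at risk. Verify within 24 hours:</p>
<p><a href="http://examp1ebank-secure.com/login">https://www.examplebank.com/secure</a></p>
"""

# Constructed benign message used as a control.
BENIGN_EMAIL = """\
From: "Carol" <carol@example.com>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Are you free Thursday at noon? Menu: https://cafe.example/menu
"""

TRUSTED_DOMAINS = {"examplebank.com"}   # assumption: the brand's genuine domain
URGENCY_RE = re.compile(r"\b(urgent|suspend\w*|verify|at risk|within \d+ hours)\b", re.I)
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def domain_of(addr):
    """Domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def url_domain(text):
    """Host of a URL (or bare hostname), lower-cased, with a leading 'www.' removed."""
    text = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw):
    """Return a list of (tag, detail) findings; an empty list means nothing fired."""
    msg = message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Replies silently routed to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(("reply_to_mismatch", f"{from_dom} vs {domain_of(reply_addr)}"))

    # 2. Display name borrows a trusted brand, but the sender domain is not that brand's.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and from_dom not in TRUSTED_DOMAINS:
            findings.append(("brand_impersonation", f"'{name}' sent from {from_dom}"))

    # 3. Link text shows one domain while the href points somewhere else.
    body = body_text(msg)
    for href, text in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if URLISH_RE.fullmatch(shown) and url_domain(shown) != url_domain(href):
            findings.append(("link_mismatch", f"shows {url_domain(shown)}, goes to {url_domain(href)}"))

    # 4. Pressure language typical of lures ("urgent", "verify", "within 24 hours").
    if URGENCY_RE.search(msg.get("Subject", "") + "\n" + body):
        findings.append(("urgency", "pressure language in subject or body"))
    return findings


if __name__ == "__main__":
    for tag, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{tag}: {detail}")
```

The phishing sample trips all four indicators while the benign control trips none. Note that the look-alike domain (a digit 1 in place of the letter l) is caught only indirectly, through the brand and link checks; that is deliberate, since no fixed rule list can enumerate every look-alike, which is why employee awareness remains part of the control rather than a substitute for filtering.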