Cyber Defense Advisors

Who Needs Hackers When Your Own Staff Can Sink You?

10 Dangerous Employee Mistakes That Could Cost You Everything

Mayor: Drebin, I don’t want any more trouble like you had last year on the South Side. Understand? That’s my policy.

Frank Drebin: Yes. Well, when I see 5 weirdos dressed in togas stabbing a guy in the middle of the park in full view of 100 people, I shoot the bastards. That’s *my* policy.

Mayor: That was a Shakespeare-In-The-Park production of “Julius Caesar”, you moron! You killed 5 actors! Good ones!
Your company’s cyber resilience is only as strong as its weakest link.

At this very moment, even your most well-meaning personnel may be pulling a Frank Drebin on you.

Defending against internal security threats is among the most formidable challenges that institutions face today.

When breaches result from careless mistakes by an organization’s own employees, it raises pressing questions about the reliability of your defense mechanisms.

In the past few years, the cyberattack landscape has featured a succession of notorious cases of “own goals,” “self-inflicted wounds,” and “loose lips sinking ships”:

Equifax’s Error (2017)
A missed software patch led to the exposure of 147 million Americans’ data, an oversight caused by internal communication gaps.

RSA’s Phishing Pitfall (2011)
RSA, despite its security expertise, suffered a breach when an employee unwittingly opened a phishing email.

Code Spaces’ Closure (2014)
Suspected misuse of insider credentials resulted in data loss, leading to the company’s shutdown.

Twitter’s Trickery (2020)
Prominent accounts got compromised due to employees becoming victims of a social engineering scam.

Cisco’s Connection Catastrophe (2018)
A former employee exploited leftover network access, causing $1.4 million in damages to Cisco.

Target’s Troublesome Breach (2013)
Hackers accessed Target’s network using credentials stolen from a third-party vendor, leading to massive data theft costing Target over $200 million.

Waymo vs. Otto
A former Google employee pilfered sensitive data related to Google’s self-driving project to establish a new company, Otto, leading to significant legal confrontations with Uber.

Anthem’s Awkward Breach (2017)
An employee from a vendor sent data of 18,000 Medicaid members to a personal address, triggering privacy alarms and massive security overhauls.

Capital One’s Cloud Crisis (2019)
A former AWS employee executed a breach on a Capital One database, exposing the data of over 100 million individuals.

Apple’s Information Infiltration (2019)
An intern shared parts of the iOS source code on a Discord server, which then leaked on GitHub.

SolarWinds’ Security Slip (2020)
In a broad cyber espionage campaign, potential insider elements were suspected, affecting numerous prominent organizations and government entities.

Some of the lessons we should have taken from these incidents continue to go unlearned. With this in mind, here’s a quick list of ten simple mistakes your staff is making that could cost you everything:

  1. Falling for Phishing
    Employees inadvertently opening malicious emails, risking malware or ransomware infections.

  2. Weak Password Practices
    Using easily decipherable passwords or reusing them across multiple platforms.

  3. Unregulated External Devices
    Plugging in personal or unknown devices can introduce unwanted malware or exfiltration of corporate data.

  4. Careless Sharing of Sensitive Data
    Using non-secure channels to discuss or send confidential information.

  5. Delay in Reporting Suspicious Activities
    Not promptly alerting IT teams about unusual behaviors or system anomalies.

  6. Ignoring Software Updates
    Overlooking critical updates and patches, leaving systems vulnerable.

  7. Accessing Unsecured Wi-Fi
    Using open or public Wi-Fi for company tasks, exposing data to potential interception.

  8. Mismanagement of Access Rights
    Employees having broader system access than their jobs require, which multiplies exposure points (a failure to implement least-privilege access).

  9. Not Undergoing Regular Training
    Lack of continuous cybersecurity awareness and training for staff.

  10. Using Personal Email for Work
    Blending work and personal communications can risk data leaks or phishing.

Failure to take steps to plug gaps like these can trigger an explosion of cascading issues that end up costing a lot of money to fix, if indeed they don’t destroy your business.

Employers who want to stay in business need to implement rules and procedures that will effectively protect sensitive company data. While it may be tempting to think that we can keep doing business as usual forever, headlines like those above show that times have changed.

Insider threats are ubiquitous and potentially devastating, but you should never lose sight of the fact that you need to keep your employees focused on the jobs you hired them to do. Creating a climate of fear and paranoia, as opposed to providing education and implementing proper controls, is just another way to sabotage your own operation.

Protecting your company against data hacks does not have to be inordinately expensive, nor is it reasonable to treat your employees as guilty until proven innocent. There are tried-and-true ways to secure your data without making your workplace seem like a maximum-security prison.

Cyber Defense Advisors has helped scores of companies find their way out of the Black Hole of Insecurity. We can help you not only to implement the latest data breach detection and hack response tools, but also to cultivate a culture of informed security practices that can motivate and incentivize your employees to defend and protect your company’s most valuable information – including from themselves!

Contact us to learn more about how we can help enhance your technology and fortify your cyber security program.