The Threat From Within

Last month, we reported on Yahoo’s biggest ever data breach affecting over 500 million users. In reality, barely a day goes past without a big corporate falling victim to a hacking attempt. It’s a very real issue – the online world we live in is full of opportunity, but also risk.

The government is urging small businesses to take preventative measures too, following its figures showing that 60% of small businesses fell victim to a cyber breach during 2014.

The elephant in the room

Despite the warnings, it’s understandable for small business owners to be sceptical of the chances of being targeted by a crack team of hackers. And yet, there’s always been an ever-present threat that could easily become a real-world nightmare. It’s not a new malware threat, or phishing scam – it’s our own people.

More than 60% of security events are the result of an inside attack. In some cases, insider threats can be more financially damaging and more difficult to defend against. After all, external threats involve someone trying to break in, whereas your staff already have the keys to the front door and know where the family jewels are stored.

The majority of ‘breaches’ are from people unintentionally compromising your company’s security – Kaspersky Lab’s research shows that 42% of confidential data loss is by staff. They don’t mean to, it’s just that the nature of their job gives them direct access to highly sensitive data. How much information do your IT personnel have access to, for example? The most common answer in a small business is “everything”.

However, it’s not just human error or a lack of controls that let us down – disgruntled employees are a major source of data breaches. According to the National Cybersecurity Institute, it’s become a top concern over the headline-grabbing hacks.

Oft-cited examples include sales people who walk into new jobs with leads and important company information from their previous employer.

With this sort of scenario, a solid process for when people leave the company is an obvious answer to minimise the risk. However, behaviours need to be monitored too. If work performance drops off, for example, then it should raise a flag.

40% of people who have access to a corporate infrastructure use the same login on other sites such as Facebook

A spat that turns into someone being fired can be a catalyst for revenge. A company that doesn’t have the right protocols in place is then suddenly incredibly vulnerable. Instances of systems being corrupted, important data being deleted and company secrets being shared with the competition are commonplace.

This problem can be managed with good processes – every business should have plans in place for these kinds of ‘what if’ scenarios. However, the reality is that employees who are fully engaged and appreciated are less likely to be motivated to commit a crime on the job.

Fixing the basics

Cyber and data security may sound complicated and expensive, but in reality it’s simple – and free – to make big impacts with small steps:

  • Ensure your staff are aware of your security policies
  • Educate them on the consequences of online threats
  • Encourage a policy of raising a hand if people are unsure
  • Review access rights and privileges to company information
  • Scan your systems for potential vulnerabilities
  • Make sure you keep software up-to-date

With the government pumping £1.9bn into cyber security over the next 5 years, there are a lot of free resources available, such as free online training for small businesses. If you’d rather get out of the office, the chances are there are free seminars on cyber security in your area.

On the horizon

Cyber security is deemed a ‘Tier 1’ threat by the government, reflected by the aforementioned planned spend. Since 2014, certain contracts have mandated some kind of cyber or data security certification in order to bid for the work.

The pressure will inevitably filter down the supply chain as larger firms seek to ensure their own security controls aren’t undermined by their suppliers. With 43% of CEOs seeing cyber security as a top business risk, the tides are certainly shifting.

Want to protect your business? You can get a system in place to manage your information security risks by achieving ISO 27001 certification.

Written by Mark Nutburn

CTO - technology professional with over 20 years of IT experience building bespoke CRM systems and designing customised software solutions. A key part of the management team at The British Assessment Bureau for many years and a part of AMTIVO’s management team.