Security breaches have become ever present within our society today, with news of breaches, such as those to baby care retailer Kiddicare and social media giant LinkedIn, gracing the front pages most mornings. With cybercriminals having an increasing presence within our rapidly evolving online society, scenarios such as the above are likely to become a more everyday occurrence unless the right measures are put in place.
The cost of the average data breach rose dramatically in the last twelve months[1], with the average cost for companies increasing to $3.79 million once lost business, compliancy fines and reputational damage are taken into account. To put it another way, the average cost for each stolen record – often containing sensitive and confidential information – is $154, a number not to be sniffed at. As a result businesses are becoming increasingly concerned about protecting the sensitive data that they hold within their business.
Businesses need to understand how cybercriminals are increasingly gaining access to their internal systems before they can mitigate this risk. It may come as a surprise to many of you, but the days of the brute force attack are over, now the bad guys wishing to infiltrate your network are taking a much more calculated approach. According to recent research by Intel[2], internal factors are now responsible for almost half (42 per cent) of all data loss cases in the UK, demonstrating that employees are often an organisation’s weakest link when it comes to information security.
Most of this is down to phishing scams, where fraudsters attempt to acquire sensitive information, for example usernames, passwords and credit card details or steal money by masquerading as a trustworthy entity via an email, pop-up message, phone call or text message. Once a cybercriminal has an employee’s password, obtained by a phishing scam or any number of other common social engineering techniques, they can access the entire corporate network and the sensitive data held within it.
In fact it is getting so bad that UK-based Action Fraud reveals that it now receives 8,000 reports of phishing scams every month[3]. Email is by far the most common attack vector with over two thirds (68 per cent) of people who reported a phishing scam saying that is how they were contacted. This compares to 12.5 per cent of people who said they were contacted by phone, 8.9 per cent of people who reported that they received a text message and the rest claiming they were contacted in another way.
The process of phishing is often very swift too. According to a recent report by Verizon[4], it takes cyber criminals just 82 seconds to ensnare the average victim in a phishing scam, with almost a quarter ( 23 per cent) of people likely to open a phishing email.
Whether it’s down to human error, a phishing scam or an intention leak, organisations of all sizes need to embrace employee education as part of their security policies. Not only will this educate employees on the risk and potentially crippling costs associated with data breaches, but will also provide insight into the types of phishing scams that they are likely to fall victim to. By doing so, employees will have an understanding of the risk that such breaches pose to the organisation and be able to alert the IT team if they are being specifically targeted.
The problem with phishing though is intensified by the fact that modern techniques are getting increasingly hard to spot for even the savviest employees. Whilst education of staff is important, it is also imperative to have a safety net so that you can understand exactly how data is moving in, around and out of your organisation.
Only by gaining greater visibility, analysis and control of all communications channels can businesses mitigate the cost of sensitive data leaving the safety of the organisation. To facilitate this, organisations need to be able to monitor each employee’s use of corporate assets at the most basic level, regardless of whether users are in-office or mobile. Solutions such as cloud application control (CAC) solutions can provide businesses with this visibility and the ability to discover, analyse and control the information staff are accessing or sharing.
With the added pressures of the digital transformation impacting how and where we work, employees are increasingly opting to work outside of the traditional office environment. Because of this businesses need to ensure that the right employees have the right access to company information and systems, no matter where they’re working from. With access privileges morphing depending on whether they are in, or out, of the office. Multi-factor authentication can play a dominant role within an organisation’s cybersecurity strategy to help facilitate visibility of the use of cloud apps – authorised or otherwise – so that they can spot when a phishing attempt may be leading to a sustained data breach and help mitigate the associated fall out.
[1] https://www-01.ibm.com/marketing/iwm/dre/signup?source=ibm-WW_Security_Services&S_PKG=ov34982&S_TACT=000000NJ&S_OFF_CD=10000253&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=01512328606014640999746&cm_mc_sid_50200000=1464099974
[2] http://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf
[3] http://www.actionfraud.police.uk/news/action-fraud-reveals-that-it-receives-8000-reports-of-phishing-scams-every-month-mar16
[4] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
