Cybersecurity CEO: Who’s Inside Your Network, And How Long Have They Been There?
February 20, 2019
Employee and contractor cyber threat looms large
Los Angeles, Calif. – Feb. 19, 2019
Here’s something a lot of board-level executives still don’t know: employees are your biggest cyber risk!
This is exactly why Herjavec Group highlights “the people problem” as a key area for focus in The 2019 Cyber Conversations for the C-Suite Report. You might have all of the security tools at your disposal, but if you can’t manage insider threat, there will always be a critical flaw in your security program.
Many industry sources estimate the ‘dwell time’ for cyber attackers – the length of time a hacker lurks in your network before striking – at 100 days (or more!) at a time.
But it’s your employees who are all too often the cause of data breaches – and that should concern you more! After all, they’re permanent residents on your network. Think about how long contractors and business associates have access to your network – it could be months or years at a time.
Cathy Hughes, VP and CISO at Northwell Health, says that insiders are the number one cyber threat faced by hospitals, one of the most targeted types of organization industry-wide. Employees and contractors are a major issue at her healthcare system, which has over 68,000 people and is New York’s largest private employer.
The key thing to note is that insider threat doesn’t always happen because of malicious intent. “The majority of security incidents happen because the insider threat occurred by accident,” says Lewie Dunsworth, Herjavec Group’s EVP of Global Security Services.
Hackers can get into your networks by targeting specific employees with phishing emails and tricking them into giving away their login information. It’s just that simple!
The good news is that establishing a security-centric culture isn’t very difficult. Here are some recommendations to raise security awareness:
- Cover the basics of cybersecurity education with your employees. Hold seminars, webinars, send out security training material, you name it. More importantly, build a cadence for training to ensure it’s effective.
- Don’t be boring in training delivery – mix it up! Use social media and videos to communicate your message. Better yet, build a full internal campaign around it.
- Get your board level executive team involved. Security culture should be driven from the top down. If your employees see the leadership team demonstrating security awareness, they’ll follow suit.
- Use tools like social engineering tests to measure security controls. These tests send simulated phishing emails to see whether employees hand over their login info. Run these tests regularly and share the high-level results internally to highlight the organization’s overall performance.
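The last recommendation is the one that produces measurable data, and the useful measurement is the trend across repeated campaigns, not a single number. The script below is an added example (not code from the article or from Herjavec Group) that turns a simulated-phishing export into the kind of high-level, per-department summary the list item says to share; the CSV columns, department names and user ids are constructed for the illustration. It reports the click and credential-submission rates as the risk signals and the report rate as the positive signal a training cadence should push upward, and it never emits individual names, which is what keeps the shared results "high-level".

```python
"""Aggregate simulated-phishing results into high-level metrics.

Added example; not from the original article. The CSV layout, column
names, departments and user ids are all constructed for this illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export: one row per recipient per campaign.
SAMPLE_RESULTS = """\
campaign,department,user,clicked,submitted_creds,reported
2019-01,finance,u001,1,1,0
2019-01,finance,u002,0,0,1
2019-01,finance,u003,1,0,0
2019-01,engineering,u010,0,0,1
2019-01,engineering,u011,0,0,0
2019-01,engineering,u012,1,0,1
2019-02,finance,u001,0,0,1
2019-02,finance,u002,0,0,1
2019-02,finance,u003,1,1,0
2019-02,engineering,u010,0,0,1
2019-02,engineering,u011,0,0,1
2019-02,engineering,u012,0,0,0
"""


def _empty_counts():
    return {"recipients": 0, "clicked": 0, "submitted": 0, "reported": 0}


def summarize(csv_text):
    """Return {campaign: {department: metrics}}; rates are percentages.

    Only aggregates leave this function: individual user ids are consumed
    here and never appear in the summary that gets shared.
    """
    counts = defaultdict(lambda: defaultdict(_empty_counts))
    for row in csv.DictReader(StringIO(csv_text)):
        c = counts[row["campaign"]][row["department"]]
        c["recipients"] += 1
        c["clicked"] += int(row["clicked"])
        c["submitted"] += int(row["submitted_creds"])
        c["reported"] += int(row["reported"])

    summary = {}
    for campaign, depts in counts.items():
        summary[campaign] = {}
        for dept, c in depts.items():
            n = c["recipients"]
            summary[campaign][dept] = {
                "recipients": n,
                "click_rate": round(100 * c["clicked"] / n, 1),
                "submit_rate": round(100 * c["submitted"] / n, 1),
                # Reporting is the behaviour training is meant to build.
                "report_rate": round(100 * c["reported"] / n, 1),
            }
    return summary


def needs_followup(summary, campaign, max_click_rate=25.0):
    """Departments whose click rate in `campaign` exceeds the threshold.

    The 25% default is an assumed example threshold, not an industry figure.
    """
    return sorted(d for d, m in summary[campaign].items()
                  if m["click_rate"] > max_click_rate)


def trend(summary, department, metric):
    """One metric for one department across campaigns, in campaign order."""
    return [(camp, summary[camp][department][metric])
            for camp in sorted(summary) if department in summary[camp]]


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    for camp in sorted(s):
        for dept, m in sorted(s[camp].items()):
            print(f"{camp} {dept:12s} click {m['click_rate']:5.1f}%  "
                  f"submit {m['submit_rate']:5.1f}%  report {m['report_rate']:5.1f}%")
        print(f"{camp} follow-up training: {needs_followup(s, camp) or 'none'}")
    print("finance click-rate trend:", trend(s, "finance", "click_rate"))
```

In the constructed data, finance's click rate falls from one campaign to the next while its report rate rises, which is the direction a regular cadence should produce; the follow-up list is the only per-group output, and it is driven by a threshold you would set for your own organization.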
Insider threat is tricky – if you trace a ransomware breach to a single employee, you can’t automatically assume they were being malicious. And as with any other cyber threat, you can’t always prevent these attacks from happening – but you should take the necessary steps to decrease the risk.
To Your Success,
Originally posted on cybersecurityventures.com