In the cyber realm, as in other areas of security, the human factor is a pervasive vulnerability, be it theft by malicious “insiders” or inadvertent breaches by employees clicking on a compromised link, analysts say.
More rigorous training may not end the abuse of corporate cyber systems — the sophistication of some hacker tactics is so great that 100% security is probably unattainable — but it can significantly reduce the risks, specialists say.
The same goes for the adoption of intrusive new ways of monitoring employee online behaviour and compliance with good cyber practice, some security specialists say.
“(High-tech) Bells and whistles are no use if you don’t have trusted, loyal and well-informed staff,” said an industry executive who spoke recently at a closed door cyber seminar.
Many experts say more can be done to tighten security at the “endpoint” — people — rather than place excessive reliance on clever software.
Some experts see a need to carry out security vetting when hiring key staff, for example computer system administrators.
“Technology is only a part of the problem — all systems are composed of people, processes and technology — you only need to break one of the components to attack the system,” said Steve Purser, a senior expert at the European Network and Information Security Agency, a European Union body.
He said there were no hard and fast rules about monitoring staff online because data differed in sensitivity and context.
“The important point is to communicate the rules to staff and to ensure that the rules are being followed,” he said.
The need is urgent, not least because employers are worried recession may swell the ranks of staff in line for retrenchment who plan to take proprietary data with them out of the door.
Some are queasy about the notion of intruding on employees’ online work. But then, analysts note, hackers are doing exactly the same thing — and imperilling jobs into the bargain.
“It’s the people side of the equation that is letting the bad guys through right now,” Neil Fisher, Vice President of Global Security Solutions at Unisys Corp told Reuters.
He was referring to ‘phishing’ attacks, a hacker ploy to obtain data such as passwords or bank details by posing as a legitimate institution.
In advanced “spear-phishing” campaigns hackers craft personalised e-mails, often using data available on social media websites, duping recipients into downloading attachments that launch malicious software that takes over their computers.
Such ploys are suspected in at least some recent prominent attacks, which have targeted entities such as the International Monetary Fund, Central Intelligence Agency, the US Senate, and companies such as Citigroup and Lockheed Martin.
Mohan Koo, CEO of Dtex Systems (UK), said most organisations tended to over-prioritise the risk of external threats, particularly in the financial sector.
“For years now investment banks have lived by the motto Know Your Customer’ today it’s more critical that they focus on Know Your Insider’ because that is where they have a weakness.”
“The problem is that most organisations don’t monitor their insiders with a sufficient level of granularity to quantify the threat to their business. If they did, the shock would be sufficient to spark a significant change in their approach.”
A March 28 study by computer security firm McAfee and US government consulting company SAIC said the most significant threat reported by organisations when protecting information was data leaked accidentally or intentionally by employees.
The risk of malicious theft of data or intellectual property by insiders for private gain or to boost value to potential new employers may rise as Western economies struggle, analysts say.
A 2011 survey of cyber crime by Verizon, the US Secret Service and the Dutch High Tech Crime Unit noted concern among industry experts that financial strain would cause an increase in insider abuse, although evidence was sparse so far.