News has emerged in the last couple of days about two cases of data breaches caused by insiders. The two incidents make for an interesting comparison.
In one of these cases an innocent employee of JP Morgan Chase fell victim to a social engineering attack and had a weak password. While this wasn’t a malicious act, the mistake led to the theft of 76 million customers’ data.
In the other case… well, the employee wasn’t quite as innocent: an AT&T employee maliciously gained unauthorised access to 1,600 customers’ data, forcing the telecommunications giant to inform those affected of a data breach – something no organisation enjoys doing.
The question is: how can an ‘innocent’ mistake have led to such a disastrous outcome, one significantly worse than the ‘malicious’ incident?
The insider threat is real and it’s everywhere
People I have spoken to about the JP Morgan breach have all raised a similar concern: if a leading bank can’t get information security right, what hope does everyone else have?
Valid point, but it doesn’t mean organisations should therefore give up and hope the problem goes away – because it won’t. My theory about the JP Morgan incident is that the bank invested heavily in the right technologies to avoid a data breach but neglected to invest the same amount in their people.
I’ve said it before: you can have the best technology in the world but without the right people, your technology can be completely undermined by a few reckless clicks.
Do you know your people?
Do you think members of the JP Morgan board knew the employee who let the hackers in? No.
So how can you know whether an employee is suitable for a certain level of access to vital information? A good way of making sure your employees aren’t completely unaware of the threats they face is by putting them on an information security awareness course and, depending on their job role, a few other courses as well.
At least this way the board can see that all of their staff members have attained a certain level of information security awareness. In my opinion, these courses should be retaken every year.
However, there’s something that information security awareness won’t stop, and that’s malicious people. Unless an employee has a malicious history, it’s not easy to see what their true intentions are until they’ve been carried out. This is where technology comes into play, which I’ll speak about in next week’s blog post.
Combine people, technology and… process!
You have the technology, you have people who are now aware of the threats, and all that’s left is telling people how to use the technology. Implementing processes and policies in your organisation will enable you to control who does and doesn’t have access to certain information and technology. As if by magic, ISO 27001 combines people, process and technology to create an effective information security management system (ISMS). Your organisation needs ISO 27001.
Click the link. Go on. Just learn a little bit about ISO 27001. You won’t regret it.