Every Company’s Three Hidden Cyber Security Risks
Twelve years with the FBI and I was ready for anything: espionage, massive cyber attacks, Tom Clancy-esque zero-day exploits. I saw some of that, of course, but more often I discovered and re-discovered it’s the simple things that most often cause catastrophic problems. Simple things that plague every company.
Here are the big three lurking in every company. As with so many things in information security, technology is important, but humans (and poor human decisions) are the critical factor.
Risk #1: Any employee can collect data
With a credit card and Internet access, any individual employee can run critical company functions with or without permission. Most have good intentions, some don’t.
For example, midway through my stint as a dedicated cyber agent, we responded to a data breach at a well-known company. Private information, much of it highly sensitive, had been dumped into a repository on the open Internet. Was it the result of state-sponsored actors? Sophisticated activist groups? A brute-force login attack? No. An employee had placed sensitive data in a free cloud storage account, and run-of-the-mill data thieves had simply posted it online. Despite the fact that this storage provider had a high-profile breach only months earlier, the employee didn’t change the account password. A million-dollar problem could have been avoided with a sixty-second password reset. This is a great example of the three risks I see in most companies.
It’s no surprise that as many as 80% of employees use unauthorized services. What is surprising is that companies have known about this threat for a very long time, yet they’re still failing to address it. According to Gartner, “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”
When employees use platforms that have not been screened or authorized by a company’s technology and security team, they’re wading into what’s known as “shadow IT.” And shadow IT makes it much easier for hackers to steal your company’s data.
Risk #2: Employees collect any kind of data
Customer and company data are sensitive and can be immensely valuable. Without guidance, employees can just as easily collect and store social security numbers as preferences for the holiday party. But if the date for the holiday party gets out, you’re not on the hook for millions in recovery costs.
Employees will always try to increase productivity in any way they can. They’ll rely on unsanctioned cloud-based file storage, survey software, or messaging apps if those apps will save them a few minutes. But this kind of behavior opens up the holes that can cost a company millions of dollars and priceless consumer trust. A 2017 study by the Ponemon Institute found that the average cost of a breach is $3.62 million. There’s nothing productive about that.
That’s one of the great things I get to do at Qualtrics: I can help build our own enterprise experience management platform and prevent these problems for other companies. I can help fix the problem.
Risk #3: Data are invisible and inaccessible to company managers
In the new GDPR world, data that don’t live in enterprise-controlled systems are devilishly difficult to retrieve. Worse yet, data in private accounts follow the owner when she leaves the company. What if she’s taking a list of your 100 best clients?
Another true story: During the investigation into a network intrusion at a large company, the network engineering team was using a free chat tool to communicate as they fought to regain control of their network. They had not told anyone about this tool, and they had been using it for months. In fact, it became their primary channel as they chased the attackers in their network. Do you see where this is going?
These engineers hadn’t involved their infosec team in vetting the tool, and it was set up insecurely. The attackers had joined the very chat group the engineers were using to try to kick them off, and they were tracking the team’s every move. We discovered the intruders only by identifying every person in the chat group and isolating several imposters. After that, we moved quickly to a different communications channel.
In their rush to be productive, the engineers made the problem worse with sloppy setup of a free tool. The company spent a lot more time and money remediating the breach, and the data loss was much larger than it could have been. They had to spend millions to inform customers and to provide credit protection for those customers.
Squashing shadow IT
How can your company avoid horror stories like these? Here are four ways to bring security priorities and employee behavior together:
- Policy play. Companies need a well-defined policy on the use of unsanctioned services and the protection of company data. But policy won’t accomplish anything if it isn’t communicated to employees. Offer regular training, including explanations of the rationale behind the policy and real-world risks.
- Welcome on board. New employees often want to use the productivity tools that were helpful at their previous jobs, so onboarding must include the data security policy. But also use that moment to take new suggestions into account.
- What you don’t know can hurt you. Survey employees regularly on the resources they’re using, which could illuminate security risks before a breach occurs. If enough employees need a solution, IT should work to find an approved vendor that can securely fill that need.
- Partners, not police. Foster an ongoing conversation between employees and your company’s security/IT departments about how to balance productivity with security. If your security team reflexively says “no” whenever employees want productivity-boosting tools, employees will just stop asking and use the tools anyway.
Companies can squash shadow IT risk, but they have to be willing to listen to their employees, create transparent guidelines, and encourage an open discussion on the best ways to be both productive and secure.
Adam Marrè, CISSP, GCIA, GCIH, is a Qualtrics information security operations leader and former FBI cyber special agent. Adam has more than 12 years experience leading large-scale computer intrusion investigations and consulting as a cybercrime subject matter expert. As an FBI Academy cyber instructor, he provided curriculum and incident response training to law enforcement in the US and around the world. As the security operations and incident response leader at Qualtrics, Adam leads strategic and tactical operations for the company’s information security team.
A version of this article was first published in Dark Reading.