The East African : Sep 29th 2014
The EastAfrican, BUSINESS / MANAGER, September 27 - October 3, 2014

Cyber-attack: How organisations can deal with the danger from within

COMMENTARY
DAVID M UPTON AND SADIE CREESE

We all know about the 2013 cyber-attack on Target, in which criminals stole the payment card numbers of some 40 million customers and the personal data of roughly 70 million. What’s less well known is that although the thieves were outsiders, they gained entry to the retail chain’s systems by using the credentials of an insider: one of the company’s refrigeration vendors.

Insiders can do much more serious harm than external hackers can, because they have much easier access to systems and a much greater window of opportunity. Many organisations admit that they still don’t have adequate safeguards to detect or prevent attacks involving insiders. One reason is that they are still in denial about the magnitude of the threat.

An unappreciated risk

Insider threats come from people who exploit legitimate access to an organisation’s cyber assets for unauthorised and malicious purposes or who unwittingly create vulnerabilities. According to Vormetric, a leading computer security company, 54 per cent of managers at large and midsize organisations say that detecting and preventing insider attacks is harder today than it was in 2011. What’s more, such attacks are increasing both in number and as a percentage of all cyberattacks reported: a study by KPMG found that they had risen from 4 per cent in 2007 to 20 per cent in 2010. Our research suggests that the percentage has continued to grow. In addition, external attacks may involve the knowing or unknowing assistance of insiders.

Causes of growth

The size and complexity of information technology: Do you know which individuals are managing your cloud-based services, who cohabits those servers with you, and how safe the servers are? How trustworthy are those who provide you with other outsourced activities, such as call centres, logistics, cleaning, HR and customer relationship management?

“Dark Web” sites, where unscrupulous middlemen peddle large amounts of sensitive information, now abound. Everything from customers’ passwords and credit card information to intellectual property is sold on these clandestine sites. Insiders are often willing to provide access to those assets in return for sums vastly less than their street value, contributing to the “cybercrime-as-a-service” industry.

Personal devices: Increasingly, insiders — often unwittingly — expose their employers to threats by doing work on electronic gadgets. According to a recent Alcatel-Lucent report, some 11.6 million mobile devices worldwide are infected at any time, and mobile malware infections increased by 20 per cent in 2013.

Social media: Social media allow all sorts of information to leak from a company and spread worldwide, often without the company’s knowledge. They also provide opportunities to recruit insiders and use them to access corporate assets. The so-called romance scam, in which an employee is coaxed or tricked into sharing sensitive data by a sophisticated con man posing as a suitor on a dating website, has proved to be particularly effective. Other strategies include using knowledge gained through social networks to pressure employees: a cyber blackmailer may threaten to delete computer files or install pornographic images on a victim’s office PC unless the sensitive information is delivered.

How to manage the problem

Adopt a robust insider policy: This should address what people must do or not do to deter insiders who introduce risk through carelessness, negligence or mistakes. The policy must be concise and easy for everyone — not just security and technology specialists — to understand, access and adhere to.

Raise awareness: Be open about likely threats so that people can detect them and be on guard against anyone who tries to get their assistance in an attack. Customise training to take into account what kinds of attacks workers in a particular operation might encounter. Encourage employees to report unusual or prohibited technologies and behaviour, just as they would report unattended luggage in an airport departure lounge.

Look out for threats when hiring: It is more critical than ever to use screening processes and interview techniques designed to assess the honesty of potential hires. Examples include criminal background checks, looking for misrepresentations on résumés and interview questions that directly probe a candidate’s moral compass. During the interview process you should also assess cybersafety awareness.

Employ rigorous subcontracting processes: Ask potential suppliers during precontractual discussions about how they manage insider-related risk. If you hire them, audit them regularly to see that their practices are genuinely maintained. Make it clear that you will conduct audits, and stipulate what they will involve.

Monitor employees: You cannot afford to leave cyber security entirely to the experts; you must raise your own day-to-day awareness of what is leaving your systems as well as what is coming in. That means requiring security teams or service providers to produce regular risk assessments, which should include the sources of threats, vulnerable employees and networks, and the possible consequences if a risk becomes a reality. You should also measure risk-mitigation behaviours, such as response times to alerts. Often routers or firewalls can monitor outgoing channels, but you should make sure that the functionality is activated. If you don’t have the equipment to monitor outgoing traffic, buy it.

The most effective strategy for defusing the cyberthreat posed by insiders is to use the protective technologies available and fix weak points in them, but focus ultimately on getting all insiders to behave in a way that keeps the company safe. People need to know what behaviours are acceptable or unacceptable. Remind them that protecting the organisation also protects their jobs.

COMMON PRACTICES THAT DON’T WORK

The most common cybersecurity safeguards are much less effective against insiders than against outsiders.

Access controls: Rules that prohibit people from using corporate devices for personal tasks will not keep them from stealing assets.

Vulnerability management: Security patches and virus checkers will not prevent or detect access by malevolent authorised employees or third parties using stolen credentials.

Strong boundary protection: Putting critical assets inside a hardened perimeter will not prevent theft by those authorised to access the protected systems.

Password policy: Mandating complex or frequently changed passwords means that they often end up on Post-it notes — easy pickings for someone with physical access.

Awareness programmes: Simply requiring employees to read the company’s IT security policy annually will not magically confer cyberawareness on them. Nor will it prevent staff members from taking harmful actions.

WHAT CAN YOU DO?

Some of the most important activities that non-tech leaders should ask of their IT departments are:

Monitoring all traffic leaving enterprise networks via the Internet or portable media, and promptly reporting anything unusual or in violation of policy;

Staying current with best practices for supporting cybersecurity strategy and policy;

Rigorously implementing network defence procedures and protocols that take into account the operational priorities of the business;

Actively updating user accounts to ensure that employees never have more access to sensitive computer systems than is absolutely necessary;

Making frequent threat assessments and briefing the company’s leadership on them.

David M. Upton is the American Standard Companies professor of operations management at Oxford University’s Saïd Business School. Sadie Creese is the professor of cybersecurity at Oxford and director of its Global Cyber Security Capacity Centre.

Harvard Business School Publishing Corp.