Companies spend exorbitant amounts of money into protecting their intellectual capital, processes and customer data. They invest in security devices, develop security protocols, advance security procedures to anticipate and defend against attack. Bare bones security can cost as little $300,000 to $400,000 but rise upwards to $800,000. For a 1,000-person company, the expected cost of security is $500 to $800 per person. Whether this investment cost proves enough security is difficult to say until an obvious attack is made on a company’s infrastructure. The average enterprise will pay $551,000 in direct recovery costs from a security breach and an additional $69,000 in indirect costs. The costs are less for SMBs but still represent a significant amount: $38,000 in direct spending and $8,000 in indirect spending.
In the 2014 State of Risk Report by Trustwave, the top security risks were identified: disgruntled employees, careless and uninformed employees, mobile devices, cloud applications, unpatched devices, and third party providers. Of this list, employees contribute to the top three security risks for companies.
The greatest threat is from inside. Betrayal has always been a major contributor to lost battles: in war and in terms of security. Though there may be some cases of intentional betrayal from employees, most inside jobs are the product of unhappy employees who have sufficient knowledge and access to carry out an attack. Over half of employed Americans find no satisfaction with their job. Some employees are so disgruntled, they will sabotage the company. In most cases, this may lead to sub-par service to customers or slacking on their duties, but some cases can lead to disrupting technology and initiating information leaks.
Unhappy employees may have many responsibilities: the worst case scenario is a disgruntled employee who has sole responsibility over a system or process. Omega Engineering Corp suffered a $10 million loss in sales and contracts in 1996 when they fired an employee who had sole responsibility of maintaining backup information for the company’s programs. Most cases involve theft of intellectual property. A 2013 Symantec study identified that half of employees losing or leaving their job will keep confidential corporate data with a large majority intent on using that information in their next job.
Sharing Information is Essential
Uninformed employees are careless employees. To perform their jobs appropriately, employees must know where the company is headed and how their duties impact the overall plan. This extends to security. Employees should be informed of potential threats and their role in the security plan. Most employees do not understand when they are potentially a risk. Having a discussion about work in a restaurant, working from a laptop in a coffee shop, throwing a confidential document in the trash unshredded, going outside the process to finish a task, or accessing a part of a system not in their job description: these are all actions that could potentially lead to a security breach.
Mobile computing, especially BYOD programs, has the greatest potential to comprise security: particularly when coupled with an uninformed or disgruntled employees. A 2012 Government Accountability Office (GAO) report lists the vulnerabilities of mobile computing:
- Mobile devices often do not have passwords enabled
- Sensitive transactions do not always use two-factor authentication
- Wireless transmissions are not always encrypted
- Mobile devices may contain malware from downloaded applications
- Mobile devices often do not use security software
- Operating Systems may be out-of-date
- Software on mobile devices may be out-of-date
- Mobile devices often do not limit Internet connections
- Mobile devices may have unauthorized modifications
Though some of these vulnerabilities may not be directly contributed to employees, many are the result of configurations not being properly made or changed by the employee: for instance, automatically updating operating system. Because of these vulnerabilities, mobile devices have increasingly become targets for cybercriminals.
Mobile devices are modern day Trojan Horses: a compromised phone, tablet or laptop can easily slip through the company’s defenses and wreak havoc from inside. BYOD programs can control the top of devices used by employees and even what is downloaded or updated on the mobile device; but this doesn’t guarantee unauthorized devices will be brought in or that authorized devices can’t be compromised. A single download or accessing an external WiFi network can comprise a device. An HP study shows that 97% of employee’s devices contain privacy issues and 75% lack adequate data encryption. Over 3.1 million smartphones were stolen in America in 2013. The lack of basic security protocols on a mobile device can be a major threat to security.
If companies are investing $500-$800 in security per person, those investments should be towards the greatest risks. Yes, the network infrastructure requires the appropriate firewalls, IDS and antiviral solutions and administrative personnel to ensure and enforce security; but these programs lack value when not coupled with appropriate educational programs for employees or processes to correct vulnerabilities through controlled configurations and automatic updating. Understanding how employees are the greatest risks to security is the first step in protecting data.