The most daunting headlines on security breaches in 2014, apparently, weren’t enough to jolt major businesses into taking precautionary measures and preventing security leaks.
Many big enterprises didn’t heed the persistent reminders from security professionals to hire a proper IT security analyst, and have a system in place for controlling and tracking sensitive data.
What they don’t realize is that modern technology has made it easier for hackers and social engineering attackers to breach internal security and steal vital company information. In fact, 90 percent of losses in business result from lapses in IT network security, which may come from simple viruses, hacker attacks, identity theft, and data theft.
An appalling detail, perhaps, is that it is not only lapses in IT security processes that make companies susceptible to cyber exploitation, but human lapses as well. For instance, social engineering is a type of non-technical attack that relies on human interaction and manipulates people into giving up confidential company information.
Social engineers exploit the fact that some employees are oblivious to the value of the information they possess and are, thus, careless about protecting it. The simple fact that some employees who lack training in security protocols fail to come up with strong passwords, visit unauthorized websites, and irresponsibly open suspicious emails and attachments poses a security threat to their company’s systems and data.
Internal Vulnerabilities Within and Outside Your Network
Given that machines, technology, software, processes, and people fail, seeing to it that your company has disaster recovery plans in place in the event of IT disaster is a wise move. After all, a data breach, as most companies come to realize, is not a matter of “if” but a “when.”
Aside from having contingency measures, knowing the common security risks is also a good way to save your company from cyber attacks. We broke down the internal security vulnerabilities that companies may experience from within and outside their network, vulnerabilities borne out of people and process:
1. Social Engineering
Dependent on interaction between humans, this type of internal vulnerability retrieves the desired information through person-to-person contact. Popular methods include:
- Posing as an employee
A hacker poses as an employee, such as a janitor or contractor, with valid access to the system.
- Posing as an important user
The hacker pretends to be a VIP or manager with the designated authority to use computer systems or files. This often intimidates lower-ranking employees, who hesitate to question the impostor’s purpose for accessing information.
- Being a third party
This type of attack happens when a hacker pretends to have permission from an authorized person to access the system. This usually occurs in the absence of the authorized person.
- Desktop support
Seeking help from tech personnel is a classic social-engineering modus operandi. It takes advantage of the responsibility of help-desk and tech support staff to assist employees, making them easy prey for social engineering attacks.
- Shoulder surfing
This is a technique for gathering passwords by spying on a person as they log into the system. A hacker can watch a valid log-in over the victim’s shoulder and subsequently use that password to gain access to the system.
- Dumpster diving
This attack involves looking in the trash for information written on pieces of paper or computer printouts. Hackers usually retrieve passwords, filenames, or other pieces of confidential information from the trash.
2. Disgruntled Employees
The infamous Sony attack in 2014, rumor has it, was not carried out by North Korea but by people from inside the company. Internal attacks are one of the biggest threats facing a company’s data and systems, especially since employees themselves already have access to the system.
There is no doubt that rogue employees, especially members of the IT team with knowledge of and access to networks, data centers, and admin accounts, can cause serious damage.
3. Careless or Uninformed Employees
A perfect example of this would be an employee who thoughtlessly leaves an unlocked phone in a cab, where a malicious finder retrieves information from the unattended device and leaks it to a competitor.
This category likewise covers workers who have had weak training in security best practices and who use weak passwords or visit unauthorized websites, easily letting attackers into the system.
4. Bring Your Own Device or BYOD
With BYOD being adopted as the norm by major companies in an effort to keep up with young, mobile, and connected workers, security experts are getting a headache. The trend makes it easier and cheaper for cyber criminals to hack into a company, steal sensitive data, and wreak havoc along the way.
The risk of data theft is, in fact, high when employees use mobile devices to share data and access company information while neglecting to change passwords regularly. According to a BT study, mobile security breaches have affected more than two-thirds (68 percent) of global organizations in the past year.
5. Cloud Applications
A trend that makes IT security experts anxious is the move towards cloud storage. The free cloud storage and file-sharing market, apparently, paves the way for potential hacking.
Employees tend to upload confidential data into their personal accounts with weak passwords or none at all. These data commonly include tax returns, bank records, blueprints, and business plans.
6. Unpatched or Unpatchable Devices
These include network devices such as routers, servers, and printers that rely on software to operate, but for which either a patch for a known vulnerability has not yet been created or delivered, or the hardware was never designed to be updated once vulnerabilities are discovered. This leaves a device that hackers can potentially use to gain access to data.
Ultimately, minimizing the effects of a security breach starts with conducting a risk assessment to identify where the vulnerabilities lie. Therefore, getting a proper IT security analyst and having a disaster recovery plan in place is key.