Cyber hacks are often company insiders
When security breaches make headlines, like the recent ransomware scandal, they tend to be about criminals in another country or a disastrous technology failure. But the truth is that such breaches are caused by an action of someone inside the company.
The role of insiders in compromising the security of corporations of all sizes is massive and growing. In the 2016 Cyber Security Intelligence Index, IBM found that 60 per cent of all attacks were carried out by insiders. Of these attacks, three quarters involved malicious intent and one quarter involved inadvertent access. Post-demonetisation, there has been a significant emphasis on the shift to digital payments in India. This has evoked concerns about a threat to security.
In the digital world today, data predominantly exists online and is hence exposed to such security risks. Once something is shared online, it’s there forever – what happens to this information is not under control.
IS Decisions (www.isdecisions.com) has reported that about 2,500 internal security breaches occur in US businesses every day.
The threat has been well recognised in India. Various organisations, from RBI to IRDAI, have frameworks and regulations to address the threats. The Data Protection Act, 1998, requires organisations to ensure the reliability of any employee having access to data. The authorities have all recognised the urgent need to plug every loophole that can trigger a security breach.
As revealed in the IBM report, two things allow threats to become a reality: motive and opportunity. As employees with criminal intent grow in numbers, there is a serious escalation of risks from these insiders. It is worthwhile spending some time to recognise the various dimensions of employee-triggered risks to information security.
Financial gain, revenge, fear or concern, misconceived ideology, identity crisis and lack of transparency have all become major triggers pushing employees towards malicious intent.
Adding to that, employees' perception of uncertain employment conditions, decline in work performance, employee engagement, physical or psychological problems and personal problems have further aggravated the risk of a security breach.
All these factors have successfully contributed to the stealing of company assets, unauthorised information disclosure, process corruption, sabotage, and misuse of overriding access.
The need of the hour is to encourage organisations to gain access to research material and to find ways and means of plugging the problem in-house. Whilst innovation in technology may find possible solutions for external threats, it is the insiders who need to be taken seriously and perpetually monitored through a well-defined risk system that identifies the culprits in advance, preventing the breach and the resulting damage.
‘To err is human’. But to err wilfully is not just a crime but a sin. It is the organisation’s responsibility to protect itself against such human elements. It should build risk models that help monitor employees.
Without waiting for disaster to strike, organisations should start focusing on data breaches and actually hold employees accountable for repeated failures to adhere to the control standards.
The writer is a senior research scholar at SRM University, Chennai