One in Four Hide Cybersecurity Incidents from Employers

Source: Canadian Underwriter

Forty per cent of employees around the globe hide IT security incidents to avoid punishment, according to a new report from cybersecurity company Kaspersky Lab and market research company B2B International.

The report, titled Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within and released on Monday, also found that dishonesty is most challenging for larger businesses. Forty-five per cent of enterprises with more than 1,000 employees report employees hiding cybersecurity incidents, compared with 42% of small- and medium-sized businesses (SMBs) and only 29% of very small businesses (under 49 employees).

The study involved 5,274 respondents around the globe.

Not only are employees hiding incidents, Kaspersky said in a press release, “uninformed or careless employees” are one of the most likely causes of a cybersecurity incident – second only to malware. While malware is becoming more and more sophisticated each day, the surprising reality is that the “evergreen” human factor can pose an even greater danger, the release said. Forty-six per cent of IT security incidents are caused by employees each year – nearly half of the business security issues faced are triggered by employee behaviour.

Staff hiding the incidents that they have encountered may lead to dramatic consequences for businesses, increasing the overall damage caused, Kaspersky noted. Even one unreported event could indicate a much larger breach, and security teams need to be able to quickly identify the threats they are up against to choose the right mitigation tactics.

“The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab, in the release. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”

The fear businesses have of being put at risk from within is clear in the results of the survey, with the top three cybersecurity fears all related to human factors and employee behavior. Businesses worry the most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).

While advanced hackers might always use custom-made malware and high-tech techniques to plan a heist, they will likely start by exploiting the easiest entry point – human nature, Kaspersky suggested. According to the research, 28% of targeted attacks on businesses in the last year had phishing or social engineering at their source.

“Sophisticated targeted attacks do not happen to organizations every day – but conventional malware does strike at mass,” the release said. “Unfortunately though, the research also shows that even where malware is concerned, unaware and careless employees are also often involved, causing malware infections in more than half (53%) of incidents that occurred globally.”

“Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support – we’ve seen it all,” said David Jacoby, security researcher at Kaspersky Lab. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network – all you need is someone inside who doesn’t know about, or pay attention to, security, and that device could easily be connected to the network where it could wreak havoc.”

Cyber Security Budgeting for Small Businesses

A study conducted by Cisco, a multinational technology firm, found that small businesses were particularly vulnerable to cyber attacks—with 60 per cent of the surveyed Canadian companies stating that they did not have cyber security strategies in place. This fact becomes increasingly alarming when you consider that, according to some experts, cyber criminals actively target small- to medium-sized businesses.

With this in mind, it’s particularly important for small businesses to plan their cyber security budgets accordingly if they want to mitigate their risk. As a good rule of thumb, approximately 15 per cent of IT budgets should go towards cyber security.

Budgets should be made following an in-depth risk assessment and typically include the following considerations:

Preparation: When planning a cyber-security budget, consider including items for training, technology upgrades and vulnerability assessments. Having policies and procedures in place related to cyber attacks could also help you respond quickly in the event that a hacker accesses any sensitive information. In addition, implementing a security-awareness program is a good option for most employers, and consulting firms can provide assistance for those having difficulty setting up preventative measures.

Detection: Having the proper detection tools in place could make all the difference should a cyber attack occur. In your budget, ensure that funds have been allocated for penetration testing, which will verify whether the protective controls you have in place are effective.

Response: Following a cyber attack, there are a number of response items to consider. Businesses will often need to cover the cost of public relations assistance, attorney fees and forensic specialist services. When properly planned for and implemented, these items can help businesses salvage their reputations and prepare for future attacks.

In addition to budget planning, there are a number of other steps businesses can take to limit the impact of cyber attacks. For example, identifying trends in what other companies are spending on cyber security will at least provide a benchmark against which you can compare your own budget. In many cases, cyber liability insurance can protect businesses from some of the above costs, in addition to any losses sustained as a result of a cyber attack. The amount of coverage you need usually depends on your overall risk.


© Zywave, Inc. All rights reserved.

Managing Cyber Security During a Merger or Acquisition

During a merger or acquisition, insurance policies and finances need to be scrutinized and the future of employees addressed. Cyber security is often put on the back burner, which is unfortunate because this is a time when company data is at its most vulnerable.

Data transfers must proceed without a hitch, or else the companies risk damaging reputation, losing customers and hurting future sales. Additionally, legal responsibilities must be upheld before, during and after the data transfer process.

Use the following checklist to ensure you’ve covered all of your cyber security bases:

  1. Identify all data assets that will need to be transferred.
  2. Gather and merge all data standards, policies and processes from employees at both companies.
  3. Identify potential risks that could occur during data transfer.
  4. Prior to any data transfers, ensure data is backed up.
  5. Run background checks on any employee who will be involved in the data transfer process.
  6. Craft a business continuity plan to prepare for potential data loss or outages during the period when the transfer will be occurring.
  7. Assign a high-level person the job of overseeing all data transfers. That person divides and conquers by assigning one person to each data asset that needs to be transferred.
  8. Legally transfer ownership of data assets as quickly and completely as reasonably possible.
  9. Host training sessions on new data standards, policies and processes.
  10. Update disaster recovery plans, business continuity plans and emergency plans to include newly acquired data assets.
  11. Update the risk profiles for newly acquired assets.

Preparing for Data Transfer

Planning for data transfer should begin as early in the merger or acquisition process as possible. It is wise to assign one person the task of overseeing all data transfers so that there is little room for miscommunication or error. That person can then delegate smaller tasks, such as identifying data assets, identifying potential risks during transfer and making sure the data transfer complies with federal or provincial law, but the person in charge should be aware of the current status of all tasks at all times. This person should also manage the implementation of the interim business continuity plan so that daily operations are disturbed as little as possible.

Keep in mind that if the acquired company has already completed portions of the data transfer or consolidation tasks, you should review the work to ensure accuracy.

Consider relocating IT employees from the acquired company early so that they can help with the data transfer and risk identification process, as they will be more familiar with their data and systems. Sufficient time should be mapped out to allow any older data to be converted for use in newer software and programs.

Finally, ensure that your system configuration records are up to date prior to any data transfers or consolidations. This will help isolate any issues that might occur and allow for an effective fix.

Good Practices for Data Transfer

Even if your company is completely prepared for the data transfer, it’s still possible that issues will arise during the process. Here are some good practices your company can utilize to minimize these risks:

  • Try to avoid using any kind of removable media to transfer data from one place to another. If the only method you can use is removable media, then take extreme care to be sure all records are encrypted, especially if they involve personal information.
  • If you have any data that isn’t getting transferred, you should dispose of it safely and completely to ensure it cannot be stolen.
  • Do not try to move all data at one time. Set small goals to complete every day or week to prevent an overload on your system or large, messy mistakes.
  • Consider halting some of your company’s cyber services until all data has been switched over in order to protect the services from being adversely affected by the transfer. Another option would be to run a similar service until data has been transferred.
  • Increase protective monitoring systems to prepare for the possibility of a disgruntled employee. Mergers and acquisitions are scary, uncertain times for employees, whose roles are often modified or eliminated to accommodate a new company structure. Update all clearances and access capabilities for employees based on new roles and duties.

Safe and secure data transfer during a merger or acquisition is of utmost importance. Communication is crucial during this time and basic duties and responsibilities should be quickly laid out and assigned to employees before, during and after the transition. Data transfer is not just about preventing and managing a compromise or interruption to services; you also need to keep your customers’ and stakeholders’ needs in mind, and take their concerns into consideration. Most importantly, ensure your new and existing clients know that you’re keeping their data safe.


CRSP Part 5: The Canadian Centre for Cyber Risk Management’s (C3RM) Growing Presence within Canada’s Cybersecurity Ecosystem

This is one in a series of related short essays for 2015 about the unrelenting cyber stresses every person and every organization now faces. The first essay, Cyber Risk, Security & Privacy (CRSP) – Waterloo Region’s Vibrant New Business Cluster, appeared in the December 2014 issue of The Triangle.

“We all have a role to play when it comes to cyber security.”
Steven Blaney, Minister of Public Safety and Emergency Preparedness[i]

The true extent of the cyber-privacy and cyber-security problems in Canada is not yet fully appreciated by the vast majority of Canadians and Canadian organizations. Take for example cyber ransom. Many have heard of it, but few think it will happen to them. The CBC’s David Common recently wrote: Ransomware victims pay cybercriminals to save family photos[ii]. He said:

“Theresa and Billy Niedermayer paid an $800 ransom to get precious family photos of their three young boys back from cybercriminals. Their home computer had been seized by one of the more malicious malware programs spreading fast around the world.”

What is reported in the media is just the tip of the iceberg. The vast majority of breaches are not reported. This is especially true of small businesses with fewer than 100 employees. People and companies generally do not want to publicize the fact that they were victimized by cybercrime. This is why C3RM was established in the Fall of 2013.

C3RM Founding Members and Mission

The original ten C3RM founding members include: ABEX Affiliated Brokers Exchange Inc., ATS Automation Tooling Systems, Crawford & Company (Canada) Inc., CDMN Canadian Digital Media Network, Ernst & Young, eSentire, Miller Thomson, Root Cellar Technologies, University of Waterloo, and Watsec Cyber Risk Management. Two recent additions are TrustPoint Innovation Technologies Ltd. and Galt Resources.[iii]

Looking deeper, C3RM’s web site says it is:

“… an association comprised of businesses, educational institutions, industry associations, and other stakeholders dedicated to improving cyber risk awareness, developing and strengthening cyber risk management technologies, programs and practices. C3RM is more than an IT Security organization; rather, it is a Cyber Risk Management organization which includes both IT Security and Risk Management practices, including addressing the human factors in managing risk. This includes all things related to managing the inherent risk of using electronic data storage, communication systems, the Internet, and interconnected infrastructure and computerized control systems.”[iv]

The CRSP cluster in Waterloo Region includes many organizations which focus, at least in part, on building and delivering outstanding cyber-privacy and cyber-security products and services for local, national, and international consumption. C3RM is an important part of that cluster, with a mission to increase awareness of the problems all organizations in the CRSP cluster are tackling.

Next time we’ll look deeper into how C3RM and its member organizations are helping address cyber-privacy and cyber-security both locally and abroad.

[i] Steven Blaney, “Minister Blaney launches Cyber Security Awareness Month at cyber conference”, October 3, 2014.
[ii] David Common, “Ransomware victims pay cybercriminals to save family photos”, CBC, March 11, 2015.
[iii] Canadian Centre for Cyber Risk Management.
[iv] About C3RM.