Users, not Hackers, are the Biggest Security Risk

According to a recent article in the New York Times, “half of American adults had their personal information exposed to hackers last year alone. As more and more services, infrastructure, and personal information move online, they have all become targets for hackers, who constantly scan the Internet for potential security holes and entry points.” Other reports project cybercrime costs to exceed two trillion dollars by 2019. Some industries present softer targets. Out-of-date systems and budget shortfalls leave many government agencies vulnerable, which is why, as the National Journal reported, the U.S. government is preparing to pay at least 500 million dollars over the next 5 years to manage the cleanup after future hacks.

While the increased media coverage of data breaches over the last few years has helped raise awareness, it often also makes it difficult to distinguish IT security myths from computer security facts. There’s no question that hackers make headlines. However, according to the IBM 2015 Cyber Security Intelligence Index, more than half of all security breaches are actually carried out by insiders, such as employees, contractors, and business partners. These parties don’t have to hack into sensitive corporate systems because they already have access. Sometimes malicious intent is involved, but the vast majority of security breaches caused by insiders are unintentional. The IBM research found that over 95 percent of these breaches were attributable to human error, such as accidentally posting confidential information on the company’s public-facing website, sending confidential information to the wrong party via email, or, as is increasingly common in the age of the mobile workforce, using unsecured mobile apps.

Steps must obviously be taken to protect against hacks and other external attacks, especially with many organizations adopting an outside-in IT service delivery model by engaging managed service providers (MSPs). Just don’t forget to consider how often the call is coming from inside the house, so to speak. In many cases, it’s users, not hackers, who are the biggest security risk.

Organizations, with help from their MSPs, need to be more proactive about inside-out security. The biometrics market is growing, and has a lot of future potential, but in the here and now simply getting users to create stronger passwords is a big help. More MSPs are also requiring two-factor authentication, which, when combined with stronger passwords, greatly improves security. Leading MSPs realize that the S in MSP should also stand for security. As such, MSPs are becoming more rigorous about monitoring authorized access for unusual activity (e.g., administrative password changes) and suspicious behavior (e.g., data transfers at odd hours). Breaches are bad wherever they come from, but we need to do a better job protecting against an inside job.

This post was brought to you by IBM for MSPs and opinions are my own.