By Marc Carletti, Head of Global Banking & Financial Markets, BT –
Securing the physical and virtual IT perimeter to repel data breaches and denial-of-service attacks against your websites, mobile devices, servers, datacenters and applications is critical. Yet some key questions of cybersecurity best practice are often ignored: Do our employees have access to information they should not be permitted to download? Do they still have access to files after they have left the company? The answers may startle you.
A 2014 study put the losses caused by employees’ unauthorized use of computers at more than 40 billion dollars. Both the private and public sectors were affected, experiencing the consequences of stolen or misused data, misconfiguration of IT assets by disgruntled employees, fraud, intentional data breaches and the distribution of private material obtained through unauthorized access to private records. Not coincidentally, the share of senior information security managers who cited insider threats as their biggest concern rose to 73 percent in 2014 from 62 percent in 2013, according to an April 2014 survey by AlgoSec. Add the ever-tightening web of regulation that penalizes failures to protect private records, and the case for focusing on internal threats becomes clearer.
With this said, senior security executives must accept that “total data security” is not an achievable goal. The security roadmap, which should produce a dynamic, protected environment by allowing rapid changes to people, processes and software as known threats evolve, must begin internally. That means an all-encompassing identity management program from day one of hire, strict controls and analytics for file access, a comprehensive mobile data access strategy, and stringent hiring and ongoing background checks for employees. While the costs of cyber protection, response and mitigation are skyrocketing, the common-sense strategy of “internal critical asset protection” should, at the very least, serve as a guide to the CISO taking advice from an internal COE and/or a partner or consultant in the cybersecurity space.