What's scarier to businesses: losing data or hackers?

Filed Under: Data loss, Malware, Privacy, Social networks

Yesterday, the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) issued a press release revealing their survey results on accidental data loss vs hackers.

They surveyed 500 compliance professionals. The upshot of their press release is as follows:

- 70% said they were well or very well prepared to thwart network intrusions
- 61% said an accidental breach by an employee was very or somewhat likely

So, the conclusion is that employees are a big worry for companies, but hackers aren't.

Hmmmmmmm.....

In light of recent events - I am thinking of RSA's recent disclosure - these two areas of concern are perhaps not easily separated from each other.

data loss folder
Data is certainly the goal of many of today's organised attacks. And hackers want the easiest route in and out of a company. So, duping an employee though a social engineered communication and persuading them to assist (unknowingly) in infecting their work computer is a rather attractive approach.

Consider this scenario:
I find your details on a well-known recruitment website, called LockedIn, and find out stuff like your job title and company name. Then, I call you up, introduce myself as a recruiter for [insert well known respected company name here]. I explain that you have been highly recommended to us, and we want to send you additional information on [insert amazing job title at well known respected company name here]. Can you provide your email address so we can fire it over? Wouldja? Do you think any of your colleagues would?

Even if you are wise enough to avoid such a trap, I am sure you would agree that it wouldn't take too long to find a suitable victim.

Of course, the attachment I fire over is infected - perhaps with a zero-day exploit. Once the machine is infected and under a hacker's control, snarfling up permissions and sneaking around looking for key data, your company is up the proverbial creek without a paddle.

The importance of educating users
So, yes all employees are vulnerable to being duped through social engineered communications. But education can make us less attractive targets. I know - you are sick of hearing about how education can help, but narrowing the divide between the IT team and other employees is a key component to having more eyes watching out for suspicious activity.

If employees feel they can come to IT for advice and help rather than a slap on the wrist for doing something stupid, the company as a whole is much better off.

So back to our scenario: you get the job-of-a-lifetime attachment in your inbox, and perhaps you open it and it seems strangely unsuitable. If you get this niggly feeling that something isn't right, instead of closing it and forgetting about it, you call up IT and say, ‘something weird just happened - maybe you want to look into it’.

Multilayered defences needed
To fend off today's sophisticated multilayered attacks, you do need a multilayered defence. Technology (Anti-virus, firewall, DLP, encryption, patch management, etc) is obviously key, but so is user education: what to publish on social networks, what to avoid sharing with unexpected cold callers, emails and attachments. Together, these approaches will riddle the road to your sensitive data with difficult-to-overcome obstacles.

Sophos has more info on data loss, compliance, malware protection.

And also you can check out these free Sophos tools.

, , , , ,

You might like

One Response to What's scarier to businesses: losing data or hackers?

  1. Alex · 1296 days ago

    Under that scenario arent you assuming that there is no counterdefensive techniques on the IT side? My company recently stopped allowing active links in incoming email, so would that thwart the attack?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Hi. I am a social, brand and communications expert with 10 years in senior roles in the tech space. I'm currently Sophos' s Global Director of Social Media and Communities. Proudest work achievement? Creating and launching award-winning Naked Security. Outside work, I am a mean cook, an avid reader, a chronic insomniac, a podcast obsessive and blogger .