Tag Archives: Sony

Cyber Risk on the Inside

While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be reticent of going to the other extreme, limiting data that their employees or customers need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in  this I.I.I.  paper on  cyber risks.

Sony Cyber Attack Breaks New Ground

More news keeps tumbling in the wake of the recent cyber attack at Sony Pictures Entertainment–Sony’s second major hacker attack in three years–and it’s not good.

The fact that the breach has exposed employee information ranging from salaries to medical records to social security numbers to home addresses, not to mention five yet-to-be-released Sony movies,  causing a major shutdown of the company’s computer systems, appears to break new ground.

First up, the Wall Street Journal says the attack revealed far more personal information than previously believed, including the social security numbers of more than 47,000 former employees along with Hollywood celebrities like Sylvester Stallone.

According to the WSJ:

An analysis of 33,000 Sony documents by data security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.”

And:

Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.”

Aren’t most businesses run in Excel?

A well-timed piece over at the New York Times Bits Blog makes the point that companies that continue to rely on prevention and detection technologies, such as firewalls and antivirus products, are considered sitting ducks for cyber attacks.

Bits Blog cites Richard A. Clarke, the first cybersecurity czar at the White House, who says:

It’s almost impossible to think of a company that hasn’t been hacked–the Pentagon’s secret network, the White House, JPMorgan–it is pretty obvious that prevention and detection technologies are broken.”

So what approaches are working?

According to the Bits Blog post, experts say the companies best prepared for online attacks are those that have identified their most valuable assets, like Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data.

Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

Breach detection plans and more secure authentication schemes, in addition to existing technologies, are the key to being better prepared.

Insurance too, is seen as a vital preparedness step.

Earlier this week, a top U.S. regulator said banks should consider cyber insurance to protect themselves from the growing financial impact in the wake of cyber attacks.

Let’s hope companies take heed.

As of December 2, the Identity Theft Resource Center (ITRC) reports that 2014 has seen 708 data breaches, exposing 85.1 million records (this list includes the Sony attack, listing the number of records exposed at 7,500).

Those figures are even higher than 2013, when the total number of data breaches and records exposed, soared.

More on the potential fallout and growing identity theft threat facing consumers here.