The Workforce: a threat to security

According to a report recently released by security firm Netwrix, humans are still the single biggest threat to business security. The report highlights:

“100% of government entities see their own employees as the biggest threat to security”

The survey was conducted across 723 organizations in over 30 industries.

Every year, more and more breaches are being uncovered. A typical example is the recently published pilfering of (supposedly) 1.5 terabytes of information from HBO. While this is an external breach, many breaches come from the inside, whether intentional or not. Data exposure is becoming more commonplace and is easily preventable.

In June 2017, Verizon confirmed that the information of up to 6 million customers had been made available online. This was caused by a misconfigured cloud server setting and was attributed to “human error”. The leak exposed names, phone numbers, and some PIN codes (used to confirm the identity of customers who phone the customer service centre). Surprisingly, the information was not leaked by Verizon itself, but by a third party contracted to facilitate customer service calls.

An almost identical “human error” exposed the personal data of millions of Dow Jones customers. According to security firm Upguard’s blog post, Dow Jones & Company’s repository had been set to semi-public and not fully public. Notwithstanding this fact, it is still a huge blunder.

The exposed data repository, an Amazon Web Services S3 bucket, had been configured via permission settings to allow any AWS “Authenticated Users” to download the data via the repository’s URL. Per Amazon’s own definition, an “authenticated user” is “any user that has an Amazon AWS account,” a base that already numbers over a million users; registration for such an account is free.
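The grant described above is visible in the bucket's ACL. The following is an added example, not code from the article or from Upguard, that audits an ACL document of the shape boto3's `get_bucket_acl()` returns and strips the public-group grants; the two group URIs are AWS's real predefined groups, while the owner ID and the grant list are constructed sample data.

```python
"""Audit an S3 bucket ACL for grants to AWS's predefined public groups."""
import copy

# AWS's real predefined-group URIs for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet (AllUsers)",
    AUTHENTICATED_USERS: "any AWS account holder (AuthenticatedUsers)",
}

# Constructed sample ACL mirroring get_bucket_acl() output: the owner holds
# FULL_CONTROL, plus a READ grant to AuthenticatedUsers, the setting that
# exposed the Dow Jones bucket (READ on a bucket lets the grantee list it).
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id-0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "constructed-owner-id-0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def find_public_grants(acl):
    """Return (scope, permission) for every grant to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees name a specific principal
        scope = PUBLIC_GROUPS.get(grantee.get("URI"))
        if scope is None:
            continue  # e.g. the LogDelivery group: not a public exposure
        findings.append((scope, grant.get("Permission")))
    return findings


def strip_public_grants(acl):
    """Return a copy of the ACL with every public-group grant removed, leaving
    only specific principals (the effect of the 'private' canned ACL)."""
    fixed = copy.deepcopy(acl)
    fixed["Grants"] = [
        g for g in fixed.get("Grants", [])
        if g.get("Grantee", {}).get("URI") not in PUBLIC_GROUPS
    ]
    return fixed


if __name__ == "__main__":
    for scope, perm in find_public_grants(SAMPLE_ACL):
        print(f"exposed: {perm} granted to {scope}")
    print("after remediation:", find_public_grants(strip_public_grants(SAMPLE_ACL)))
```

Against a live account the input would be the dictionary returned by `boto3.client("s3").get_bucket_acl(Bucket=name)`. This check covers the ACL only: a bucket policy can grant the same access independently, so an audit should inspect both, and S3 Block Public Access can be enabled at the account level to refuse such grants outright.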

Upguard has been on a drive to identify and expose misconfigured datastores and to highlight the security risks that such exposed data poses. Amongst these stores was also one containing personal information of about 200 million U.S. voters.

Another huge failure of common sense goes to Tata Consultancy Services (TCS), where a developer inadvertently exposed sensitive data linked to banking projects of at least 10 companies on GitHub, a platform used to manage source code for application development.

Back in 2015, three students from Saarland University in Germany found that almost 40 000 MongoDB databases were exposed to the Internet, one of them belonging to a French telecommunications provider and holding roughly 8 million records. MongoDB is a database designed for storing large volumes of data. It is easy to set up and access a database in the lab. By default, such databases are unencrypted and have no access control, a fact often forgotten when moving from development to production. Such lapses can be prevented by proper training and security awareness. It is up to those setting up sensitive information systems to make sure they are secured to the best possible level.
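The two settings that decide whether a lab-style MongoDB server ends up reachable and unauthenticated on the Internet are `net.bindIp` (which interfaces the listener binds to) and `security.authorization` (whether clients must authenticate). The following is an added example, not from the article or the Saarland study, that checks a `mongod.conf` for both; the two configuration files are constructed samples, and the small parser assumes only the two-level `section:` / `  key: value` layout those files use.

```python
"""Flag a mongod.conf that listens on every interface without authorization."""

# Constructed sample: the lab defaults left in place when moving to production.
INSECURE_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed sample: the same server restricted to localhost with auth on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Minimal parser for 'section:' lines followed by indented 'key: value' lines.
    Comments are stripped; lists and deeper nesting are not handled."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")  # split at the first colon only
        key, value = key.strip(), value.strip()
        if not raw.startswith((" ", "\t")):
            section = key
            conf[section] = value if value else {}
        elif isinstance(conf.get(section), dict):
            conf[section][key] = value
    return conf


def audit(conf):
    """Return a list of findings describing why the config exposes the server."""
    findings = []
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}

    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: listener bound to every interface")
    bind = net.get("bindIp")
    if bind is None:
        findings.append("net.bindIp not set: the server default applies "
                        "(localhost only on MongoDB 3.6 and later, all "
                        "interfaces on earlier releases); set it explicitly")
    elif any(a.strip() in ("0.0.0.0", "::", "*") for a in bind.split(",")):
        findings.append(f"net.bindIp is {bind}: listener bound to every interface")

    if sec.get("authorization", "").lower() != "enabled":
        findings.append("security.authorization not enabled: any client that "
                        "can connect has full access to every database")
    return findings


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

Binding to localhost and enabling authorization is the minimum; a production deployment additionally needs TLS for client connections and encryption of the data files, neither of which this check inspects.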

All these exposures indicate that failure to follow due process, lack of knowledge, or carelessness is commonplace in the IT landscape. This exposes companies to undue risk and can cause serious damage to their reputation, from which some may never recover. In the TCS exposure, competitors had access to a wealth of information on product roadmaps. Although not directly damaging to customers, such blunders could allow competitors to quickly catch up with, or even surpass, the products offered. This undermines competitive advantage, which is key to customer retention and acquisition.

Training at all levels is a critical requirement and must be constantly reinforced through ongoing training, awareness programmes, and the enforcement of well-documented policies and procedures.

Any failure to maintain cybersecurity as a priority for important data (particularly personally identifiable information) can lead to unwanted exposure. Such undue exposure can result in company officers being held liable.


Andrew Smith

Andrew is a senior systems engineer with over 20 years' experience in corporate and small business environments, including consulting for large ICT service providers. He has supported systems at every level of the organization, including infrastructure, operating systems, applications, and perimeter protection. He also collaborates with software development teams on web, database, and infrastructure security. Andrew has co-founded multiple ICT businesses, where he advises on cybersecurity strategies and policies. Andrew holds a 3-year National Diploma in Electronics (light current).
