Grahame Smee, CensorNet: Employees – the weakest link to commercial security risks

June 2016 by Grahame Smee, VP of sales at CensorNet

Security breaches have become ever-present in our society today, with news of
breaches, such as those at baby care retailer Kiddicare and social media giant
LinkedIn, gracing the front pages most mornings. With cybercriminals having an
increasing presence within our rapidly evolving online society, scenarios such as
the above are likely to become an everyday occurrence unless the right measures
are put in place.

The cost of the average data breach rose dramatically in the last twelve months[1],
with the average cost for companies increasing to $3.79 million once lost business,
compliance fines and reputational damage are taken into account. To put it another
way, the average cost for each stolen record - often containing sensitive and
confidential information - is $154, a number not to be sniffed at. As a result,
businesses are becoming increasingly concerned about protecting the sensitive data
that they hold.

Businesses need to understand how cybercriminals are increasingly gaining access to
their internal systems before they can mitigate this risk. It may come as a
surprise to many of you, but the days of the brute-force attack are over; the
bad guys wishing to infiltrate your network now take a much more calculated
approach. According to recent research by Intel[2], internal factors are now
responsible for almost half (42 per cent) of all data loss cases in the UK,
demonstrating that employees are often an organisation's weakest link when it comes
to information security.

Most of this is down to phishing scams, in which fraudsters attempt to acquire
sensitive information, for example usernames, passwords and credit card details, or
to steal money by masquerading as a trustworthy entity via an email, pop-up message,
phone call or text message. Once a cybercriminal has an employee's password,
obtained by a phishing scam or any number of other common social engineering
techniques, they can access the entire corporate network and the sensitive data held
within it.

In fact, it is getting so bad that UK-based Action Fraud reveals that it now receives
8,000 reports of phishing scams every month[3]. Email is by far the most common
attack vector, with over two thirds (68 per cent) of people who reported a phishing
scam saying that is how they were contacted. This compares to 12.5 per cent of
people who said they were contacted by phone, 8.9 per cent of people who reported
that they received a text message, and the rest claiming they were contacted in
another way.

The process of phishing is often very swift too. According to a recent report by
Verizon[4], it takes cybercriminals just 82 seconds to ensnare the average victim
in a phishing scam, with almost a quarter (23 per cent) of people likely to open a
phishing email.

Whether it's down to human error, a phishing scam or an intentional leak,
organisations of all sizes need to embrace employee education as part of their
security policies. Not only will this educate employees on the risk and potentially
crippling costs associated with data breaches, but it will also provide insight into
the types of phishing scams that they are likely to fall victim to. By doing so,
employees will understand the risk that such breaches pose to the
organisation and be able to alert the IT team if they are being specifically
targeted.

The problem with phishing, though, is intensified by the fact that modern techniques
are getting increasingly hard to spot, even for the savviest employees. Whilst
education of staff is important, it is also imperative to have a safety net so that
you can understand exactly how data is moving into, around and out of your
organisation.

Only by gaining greater visibility, analysis and control of all communications
channels can businesses mitigate the cost of sensitive data leaving the safety of
the organisation. To facilitate this, organisations need to be able to monitor each
employee's use of corporate assets at the most basic level, regardless of whether
users are in the office or mobile. Cloud application control (CAC) solutions can
provide businesses with this visibility and the ability to discover, analyse and
control the information staff are accessing or sharing.

With the added pressures of digital transformation affecting how and where we
work, employees are increasingly opting to work outside the traditional office
environment. Because of this, businesses need to ensure that the right employees have
the right access to company information and systems, no matter where they are working
from, with access privileges adapting depending on whether they are in or out of
the office. Multi-factor authentication can play a dominant role within an
organisation's cybersecurity strategy, helping to provide visibility of the use of
cloud apps - authorised or otherwise - so that the organisation can spot when a phishing
attempt may be leading to a sustained data breach and mitigate the associated fallout.


[1] https://www-01.ibm.com/marketing/iwm/dre/signup?source=ibm-WW_Security_Services&S_PKG=ov34982&S_TACT=000000NJ&S_OFF_CD=10000253&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=01512328606014640999746&cm_mc_sid_50200000=1464099974

[2] http://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf

[3] http://www.actionfraud.police.uk/news/action-fraud-reveals-that-it-receives-8000-reports-of-phishing-scams-every-month-mar16

[4] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/