Ahmed Khanji, CEO of Gridware Cybersecurity, has told Emergence Insurance’s latest webinar for brokers that Gridware statistics suggested insider threats were a bigger risk than malicious or criminal attacks.
The latest OAIC statistics found malicious attacks were responsible for 57% of notifiable data breaches (NDBs).
Mr Khanji’s data showed malicious threats lagged behind insider threats. “Contrary to what’s being reported to OAIC, we’ve found employees are the greatest threat. Consider who has access to your customer lists and email contacts.”
He said a global survey found 87% of executives viewed untrained staff as the greatest cyber risk to their businesses, yet staff training ranked among the categories that had made the least progress when measured against the US-developed, voluntary cyber-security framework of the National Institute of Standards & Technology.
Mr Khanji said many insider threats came from “phishing” incidents where people were manipulated by emails that tricked them into disclosing or changing passwords.
Emergence Head of Sales Gerry Power said OAIC’s latest report found human error was responsible for 37% of NDBs. “As humans, we keep finding new ways to make mistakes,” he said. “But, with sound risk management in place, many breaches can be prevented. Employees are the last line of defence; they must be educated to identify such things as dodgy emails and suspicious invoices.”
Medical data was particularly vulnerable because it sold for nine times more than financial data on the dark web.
Mr Power said managing data breaches was critical to business survival. Mr Khanji agreed, saying reputation damage was the biggest loss. “About 85% of people won’t do business with companies that have had known data breaches. Facebook is now one of the least trusted companies in the world.”
Mr Khanji said organisations needed good firewalls to guard their networks; strong anti-virus software; endpoint protection for all devices; and intrusion detection and prevention systems that inspected all inbound and outbound activity and blocked suspicious activities.
“A hacker can be in your system for 200 days before being identified,” he said.
Mr Khanji said protection methods included:
- Strong passwords, long enough to prevent brute-force attacks
- Two-factor authentication
- Not sharing passwords across multiple devices
- Regular testing and auditing of company policies and procedures
Emergence Managing Director Troy Filipcevic distinguished cyber threats from social engineering, which used psychological manipulation to get people to divulge information using trickery, deception and impersonation.
He said social engineering was targeted, sophisticated fraud where trust was built and human weaknesses exploited.