We hear so much in the media about computer hacking, and our image is either of crack operatives from hostile countries, or of 18-year olds skulking in their bedrooms hacking into companies’ or government bodies’ systems for the sheer thrill of it.
The reality is generally far more mundane. In our experience, the majority of data breaches are carried out by company employees and other ‘insiders’.
This point was reaffirmed to us at KPMG recently by a man who should know. Keith Lowry, a US senior counter-intelligence officer and former adviser to the Pentagon, who led the external team that examined the effects of the Edward Snowden whistleblowing episode. This showed Mr Lowry how a well-trained insider could access and make off with the most sensitive of data.
Clearly Mr Lowry was unable to go into too many specifics on the Snowden case, but it did highlight, as do so many other cases, the comparative agility of the hacker compared to often clunky networks operated by government agencies and large companies. Internal silos are so often an issue, with responsibility being shared (and buck passed) between HR, IT, compliance, legal and other departments, while the perpetrator moves swiftly and unencumbered. This creates a real problem in terms of length of time it usually takes organisations to establish that a breach has occurred. Mr Lowry estimated this was typically 90 days for financial services companies and more than double that for other commercial entities.
Mr Lowry believes that the one third figure commonly given for the percentage of cyber-crime being carried out by insiders was actually understated. He believed the figure was much higher, as many organisations were either unaware or reluctant to report incidents. He added that 50 percent of companies admitted that inside breaches were more serious than those from external sources and 43 percent admitted they could not track user privilege to data. This is a worrying figure.
Ironically, because the degree of inside infiltration is under-estimated, companies often invest in the wrong area, typically building extensive ‘perimeter fences’ to combat external cyber-attack while the bigger threat lurks undetected. The key, Mr Lowry argued, was for companies to identify their true ‘crown jewels’ (an activity which is surprisingly rarely carried out) and to focus efforts on who has access to that key data. Normally intellectual property, the main target for criminal activity.
Organisations often find it hard to define the real jewels and so try to protect too much, leaving themselves open to the risk of effectively safeguarding nothing. Restricting the number of ways employees can interact with systems and networks is one way to make it easier to identify ‘insiders’ ‘exfiltrating’ data.
I agree with his analysis. In our experience, insider activity is more prevalent than external threats, and often company security systems prove not to be as good as the organisations had believed. Failing to retain control over your key data can lead to considerable loss both financially (an average $3.5m is an industry estimate) and even more concerning, reputational loss.
A recent KPMG UK report showed that investors are increasingly alert to the risk of cyber-crime and are now shunning companies which have failed to invest properly to prevent it.
Investors, the survey suggests would also like to see boards spend more time on cyber security.
To be fair, boards themselves already recognise the problem. KPMG International’s recent Audit Committee survey showed that cyber-security, together with the pace of technological change was the area that most worried boards both in terms of the time they had to devote to it, but more pertinently, the quality of information they felt they were getting from their companies. This is where the real issue lies.
It is incumbent on company management to demonstrate to their boards that they are bringing together the relevant departments to ensure a system of ‘red flags’ is established that identify who has access to their key data. It is not a case of just buying expensive systems. It is about showing real executive leadership and commitment to the issue of protecting your crown jewels. Anything less will leave the internal gaps open in which insider fraudsters thrive.