Part of Your Security Posture is Making Sure Your Managers Aren’t Jerks

According to the Ponemon Institute’s 2018 Cost of Insider Threats: Global report, of the 3,269 insider incidents that Ponemon investigated, 23 percent were caused by “criminal insiders” (as opposed to careless/negligent employees or contractors, or credential thieves). These malicious insiders can wreak all sorts of havoc, including theft of customer records, trade secrets or competitive information; and they can create enormous liabilities for their employer in the wake of their departure, such as triggering regulatory audits or fines for violating customer privacy.

So, why do employees become malicious and what can be done about it? Reviewing advice from a variety of sources reveals that most of that advice focuses on checking employees: check their background before they’re hired, monitor their behavior for signs that they might become malicious, and so forth. However, Osterman Research believes that companies should also focus heavily on their managers and monitor their behavior. For example, do managers in your company berate employees in front of their peers? Do they give them poor performance evaluations that are not justified? Do they demonstrate that they have “favorites” among their subordinates? Do they enforce company policies differently for some employees than they do for others? Do they insult their employees? In short, how well do your managers treat those that they manage?

Understanding management behavior is key. A study from several years ago by the law firm Drinker Biddle & Reath found that employees who are treated poorly by their managers are more likely to commit fraud, intentionally breach data, and otherwise violate corporate policies.

What should employers do? There are several things:

  • Monitor managers’ email and collaboration accounts to uncover instances of morale-destroying behavior.
  • Monitor their personal social media accounts to uncover posts that undermine employees, the company or others.
  • Conduct anonymous employee surveys to get some honest opinions about how managers are treating their subordinates.
  • Monitor employee accounts for signs that their managers are treating them badly.

Of course, the goal is not to conduct a witch hunt or to undermine the morale of corporate managers, and any monitoring of managers’ accounts should operate under the same disclosed policies and legal constraints that govern monitoring of everyone else. But bad managers create bad employees, and that significantly increases a company’s risk profile.

How Secure Can Your Company Be?

Last week, Cisco released an interesting report entitled Maximizing the value of your data privacy investments. Among the findings of the in-depth, 18-country survey discussed in the report is that organizations that are mostly or completely ready to satisfy the compliance requirements of the European Union’s General Data Protection Regulation (GDPR) were significantly less likely to have experienced a data breach during the past year than their least-prepared counterparts.

On one level, that’s good news: 89 percent of organizations that are not yet ready for GDPR experienced a data breach, while only 74 percent of GDPR-ready organizations did. That strongly suggests GDPR readiness is having a positive impact on data security, although a survey like this shows a correlation rather than proving that the GDPR work itself caused the difference.

Then again, that’s not particularly good news: even after going to the significant expense and difficulty associated with GDPR compliance, 74 percent of organizations still experienced a data breach! Of course, we would expect that figure to drop in the future given that the GDPR went into force only about eight months ago, but three in four GDPR-ready organizations still experiencing a data breach is very high.

This kind of result prompts a bigger question: just how secure can any organization be? Given that we face a well-funded, intelligent, and collaborative set of adversaries in the cybercriminal community that will always have a structural advantage (we need to protect every point of ingress while they need to break into just one), what is the lowest possible number of data breaches, malware infections, account takeovers, successful DDoS attacks, etc. that we can ever hope to achieve? Could a large organization go a full year without a single data breach? Without a single malware infection? Could it prevent every insider threat? Could every CFO recognize every CEO Fraud attempt?

Probably not. So what is the target at which we’re aiming? A senior executive team or board of directors that is asked by the CIO for a 20 percent budget increase to improve security probably should know what they can expect to gain from that kind of investment. A vendor marketing a new technology to combat CEO Fraud or account takeovers would find it beneficial to their sales and marketing efforts if they could provide some concrete metrics about what their prospective customers could hope to gain by implementing their solution. Vendors of security awareness training would be well served by being able to report an X-percent reduction in successful phishing or ransomware incursions after employees were properly trained.

In short, it’s highly unlikely that any organization will ever reduce the success of cybercriminals’ efforts against them to zero. But what can we reasonably expect to achieve?

Best Practices for Dealing With Phishing and Ransomware

We have just published a white paper on phishing and ransomware that we welcome you to download and review. Here are some of the key takeaways from the paper:

  • Both phishing and crypto ransomware are increasing at the rate of several hundred percent per quarter, a trend that Osterman Research believes will continue for at least the next 18 to 24 months.
  • The vast majority of organizations have been victimized by phishing, ransomware and a variety of security-related attacks during the past 12 months. In fact, phishing and ransomware are among the four leading concerns expressed by security-focused decision makers as discovered by Osterman Research in the survey conducted for this white paper.
  • Security spending will increase significantly in 2017 as organizations realize they need to protect against phishing, ransomware and the growing variety of other threats they face.
  • Most organizations are not seeing improvements over time in the security solutions they have deployed or in the security practices they follow. Many of these solutions are effective, but they are not getting better, in many cases because internal staff lack the expertise to tune and improve them. On balance, only two in five of these solutions and practices are considered “excellent”.
  • Security awareness training is a key area for improvement in protecting organizations against phishing and ransomware, since our research found that organizations with well-trained employees are less likely to be infected.
  • There are a variety of best practices that organizations should follow in order to minimize their potential for becoming victims of phishing and ransomware. Among these best practices are implementing security awareness training, deploying systems that can detect and eliminate phishing and ransomware attempts, searching for and remediating security vulnerabilities in corporate systems, maintaining good backups, and using good threat intelligence.

You can download the paper here.

As an aside, I will be attending the Virus Bulletin International Conference next week in Denver and encourage you to do likewise if you’re at all focused on security. I have been to this event before and can vouch for its tremendous value as a place to learn about trends in cyber security and to advance your education about all things security.

You Need to be Concerned About Targeted Email Attacks

Targeted email attacks are a serious issue for organizations of all sizes and across every industry. Industry research has consistently shown that these focused emails are by far the number one initial attack vector for targeted attacks on enterprise data; in fact, they account for more than 95% of the initial intrusions that lead to significant data breaches. Moreover, Osterman Research found in a survey conducted during September 2014 that 47% of organizations considered targeted email attacks a very high priority to address and prevent, while only one in six considered them a low priority.

While virtually all organizations have deployed security solutions that will block spam and known malware, most have not implemented solutions that will deal with the much more serious problem of targeted email attacks.

Targeted email attacks are not run-of-the-mill malware incursions. They use sophisticated delivery techniques and advanced malware that standard email and endpoint security solutions will normally not recognize. Once inside, they provide an entry point into the larger organization and its sensitive data, wreaking havoc on an organization’s finances, its intellectual property and its other sensitive or confidential data. Organizations of all sizes are victims of these attacks, and those that are successfully breached experience critical business impacts, including damage to reputation, unexpected legal, regulatory and response costs, and more.

We recently published a white paper about Targeted Email Attacks that discusses five key issues:

  • Targeted attacks and advanced threats that result in data breaches are most often initiated by targeted email attacks. While a great deal of press attention focuses on attacks directed against large retailers and other high-profile companies, all types of organizations regardless of size and industry vertical are being subjected to attack.
  • A single employee can be an entry point for a full-blown attack on the corporate network, sensitive data assets or financial accounts. Senior staff members like CFOs or CEOs are sometimes targeted in highly specific attacks, but the much larger attack surface is comprised of every employee in an organization.
  • Users must be the first line of defense in thwarting targeted attacks; they require thorough and ongoing training to detect the social engineering techniques that these attempted attacks are employing.
  • However, because targeted email attacks employ advanced malware, employee training is simply not enough – sophisticated technology to detect these threats is essential to prevent the financial or data loss these attacks are designed to cause. Further, while employees should serve as an important line of defense against threats, in many cases it is unrealistic to expect them to keep abreast of every changing social engineering tactic.
  • Ninety-one percent of organizational decision makers do not wholeheartedly agree that their current email security solution is sufficient to protect them from targeted email attacks. This is despite the fact that security professionals understand the problem.

You can download our white paper on Targeted Email Attacks here.