Information Risk and Human Resources
Which cyber security breach could cause you the most pain this year?
“Just when you thought it was safe to go back in the waterâ€¦” must be one of the most parodied film lines of all time. Surely things couldn’t get any worse for the citizens of Amity back in the 1970’s – but they did. Fast forward to December 2014 and the executives at Sony Pictures must have felt the same way. But cybercriminals, like sharks, are lethal hunters and it did get worse, much, much worse.
As it turned out, what was initially thought to be commercially damaging really only scratched the surface. Far worse was to come in terms of leaked employee data and embarrassing internal memos – not to mention a diplomatic tussle with North Korea.
Like many victims of cyber crime, big or small, Sony had little idea what breach was coming next. Cyber attacks often remain undiscovered for some time – from several months to even years. That gives cyber criminals a lot of time to do a lot of harm – and gain considerable knowledge before they are even detected.
The whole saga got us thinking – just what kind of security breach causes the most pain? Here’s our list of potential cyber horrors and possible consequences – with a little help from Sony.
Loss of intellectual property
Some reports suggest that Sony may be forced to write off over $80 million in film assets after five films including Brad Pitt’s WWII ‘Fury’ were stolen and made available by hackers ahead of release. Fury was illegally downloaded over 1 million times in just one week.
Sony may well be able to shoulder this loss – but what about smaller businesses and particularly those whose products are digital? Imagine the damage caused if a publisher were to find their IT systems had been hacked and their paid for content released to anyoneâ€¦
Commenting that cyber crime’s effect on intellectual property is particularly damaging, Computer Weekly stated that 93% of large UK corporations and 87% of small businesses reported a cyber breach in the year up to June 2014. On average, breaches cost large businesses up to £1.4m and small businesses more than £60,000.
Breach of employees personal data
Of all the editorial covering the Sony Pictures hack, one of the most compelling was written by a Sony employee. Entitled ‘I work at Sony Pictures. This is what it was like after we got hacked’ it paints a grim picture of the real human cost of an attack on a business.
“Seeing the faces of colleagues with families – they’re worried about their life savings, their retirement funds, their kids. It’s taken a toll, mentally… you always have to look over your shoulder. This is forever.”Sony employee.
Some Sony employees found that details of their bank and credit cards, pension plans and life savings, home addresses and even some medical records were hacked and available online. Having to change 30-40 personal passwords while dealing with the stress involved doesn’t have the best outcome on productivity or engagement.
Leaked salary details – and loss of 3rd party data
The last taboo in the workplace was always salary. You could work alongside a colleague and not know how much they were being paid – even if they did the same job as you. Not any more, or at least not at Sony. On December 1st, the pre-bonus salaries of the top 17 Sony executives were leaked – along with the salaries of more than 6,000 current and former Sony employees.
If that wasn’t damaging enough, Deloitte’s salary information also got tangled up in the hack. It was reportedly sitting on the computer of an HR person employed by Sony Pictures who used to work at Deloitte. This person apparently had some of Deloitte’s files saved on that computer.
In what may well be a legal and HR firestorm, the lawsuits against Sony by current and former employees have already started.
Lost, stolen or just careless use of mobile devices
Ascentor has already written several articles on the dangers associated with mobile devices , particularly those used by Generation Y . The rapid expansion of workers using their own laptops, smart phones and tablets for work purposes is here to stay and needs careful management.
As the case of the Deloitte worker who moved on to Sony demonstrates – organisations embracing BYOD (Bring Your Own Device) must do so with their eyes open and not take undue risk with their own data or that of their employees and customers.
Ultimately, it’s yet another example that people (of all ages) are an organisation’s ‘weakest link’ and can pose the biggest risk to information security – accidentally or not.
Rogue access to your CRM system
But what happens when data lost through an employee (or ex-employee) isn’t accidental? What damage can they do? Past research by Ascentor showed that over half of the UK workforce would be willing to sabotage their own employer through tampering with, stealing, leaking or providing misinformation. Further proof that information security is as much a people issue as it is IT.
Our research showed that the discipline most likely to cause information damage was marketing with 82% being prepared to sabotage their employer. That’s particularly worrying when marketing so often ‘own’ the CRM system – the customer ‘data engine’ of so many organisations.
CRM systems usually include customer data, such as email addresses, phone numbers and company decision makers. Therefore, rogue access can cause chaos among customers as well as the reputational damage of having to inform them that their data has been compromised. Even worse, you could see your data end up in the hands of a competitor.
And now for the good newsâ€¦
You can greatly reduce the risk of a cyber attack with these tips:
- Become Cyber Essentials certified. It’s a new initiative to reduce vulnerability to a cyber security attack that also demonstrates cyber resilience and level of compliance to customers.
- Make sure you use passwords that are difficult to crack. Our guide will show you what you need to do.
- Ensure effective training and cultural awareness of the damage cyber attacks can have backed up with robust information security polices that HR can use to discipline people.
- Develop a BYOD policy. Our 6 steps will help you manage your BYOD risk
- Engage a security consultant and have a security audit. First assess your risk with these 12 questions .
- Don’t send personal details and passwords by email
- Don’t use the same password for multiple services
- Apply software and antivirus updates as they become available
When you know the risks to be aware of – and how to respond – your organisation can focus its efforts on achieving its objectives rather than trying to put right costly security mistakes when it’s too late.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how ourconsultants could advise on any aspect of cyber security, please contact Dave Jamesat Ascentor.
Office: 01452 881712
Other posts you might like:
For Further Information
If you have any questions about the topics we've covered, or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the team at Ascentor.
Please use the contact details below - also found on our Contact Us page.