Let’s talk about staff, bay-bee

Let’s talk about you and me, and all the good things and the bad things that may be. Once you start thinking about cyber-security, you tend to focus on the external threat – the $450bn cyber-crime industry that is very definitely out to get you. They often succeed, too, and sometimes the cost is very substantial – just ask Target and Home Depot, or Yahoo.

However, security experts will tell you that the vast majority of your actual risk is internal – it’s staff behaviour, both wilful and negligent. Let’s remember that Target were compromised because an employee at a subcontractor fell for a phishing attack, and that Scoular lost $17m because their financial controller was taken in by some childishly-simple whaling emails.

Negligence and ignorance are definitely king, but malfeasance still gets a look-in. It’s queen, or maybe jack. If we’re talking cyber risk, the first thing that pops into most people’s heads is the disgruntled former IT manager who uses his or her skills to damage the organisation after a contested departure. And guess what? It actually happens. Here’s Brian Johnson of Baton Rouge, Louisiana, who disrupted his former employer’s systems to the tune of $1.1m of production losses.

There’s many more such stories, but if you want big numbers, you’re better off looking at data theft, especially when someone moves from one employer to another in the same sector. How about $500m for starters? – that’s what Facebook acquisition Oculus Rift have been told to pay Zenimax for stealing trade secrets. Or the current case against Ticketmaster, where it’s alleged they poached an employee from CrowdSurge, then used that employee’s systems knowledge to monitor Crowdsurge and compete with them unfairly. Damages in that case have yet to be assessed, but if it’s proven it won’t be peanuts.

The morals of the story are:

• Never forget internal risk when discussing security
• Have proper JLM (joiner, leaver, mover) procedures to make sure staff who leave are locked out
• Understand what your sensitive data is and take proper steps to protect it
• Make sure your employment contracts are really clear on ownership of data
• Monitor access to documents and systems, and traffic leaving your network

ps – if you don’t get the post title, you’re a millennial and I claim my five pounds. This is the song and this is the five pound reference and now I’ll stop explaining things before I become recursive.