Verizon released its 2014 Data Breach Investigations Report (DBIR), which analysed 10 years' worth of data on security incidents, in April this year. According to the report, internal employees are a viable threat to most organisations: nearly 12,000 of the incidents recorded between 2013 and 2014 were insider-related. In an interview with Computerworld Singapore, Ian Christofis - head of pre-sales and solutions, global consulting and integration services for APAC at Verizon Enterprise Services - explains why this is so.
According to the report, privilege abuse is the top threat action when it comes to insider misuse. Since this is not exactly a new issue, why are organisations struggling to prevent it?
There are two components to this. Firstly, we do not believe that privilege abuse as an instance of insider misuse has increased significantly in 2013. Rather, we have gained increased visibility on such instances as a benefit of having more contributors — from 50 organisations in 2013 as compared to 19 in 2012 — to our dataset.
Having said that, privilege abuse is difficult to prevent as employers grant system access privileges to employees who have demonstrated that they can be entrusted with them. This is not a system error, it is a human error that exploits the fact that targeting users is easier and requires far less technical expertise than targeting the system.
This also reiterates the point that the DBIR stresses about the importance of user education and proper monitoring and detection processes in ensuring that data breaches resulting from human errors are mitigated.
The report also indicated that weak or stolen credentials remain the number one way to gain access to information. In terms of passwords, does the onus fall on organisations or users to ensure that they have strong passwords?
Passwords are widely used because they are the easy default for software companies and enterprises to implement. But passwords are inherently weak because they are so easily copied if discovered, and also hard for end-users to use securely.
It is very difficult and impractical for end-users to follow the standard advice that they should choose very random, unmemorable passwords and not reuse passwords across websites and systems. We have much better authentication technology available. A good example is One-Time Passwords implemented in a mobile phone app. This is much stronger than a simple password, easy for end users to use, and low cost due to the penetration of smartphones.
As an IT industry, we should stop blaming end users when we give them poor tools. We should give them strong but very usable authentication technology.
As employees today are pressured to be constantly connected, they might have turned to unapproved apps such as Dropbox or devices such as USB drives for work. How should organisations then embrace mobility while reducing security risks such as data loss?
Organisations can use solutions that provide secure access to corporate email and other services on employee personal devices. These solutions keep the corporate data encrypted and keep a strong separation between corporate data and personal data.