According to the 2019 Cost of a Data Breach Study by IBM Security/Ponemon Institute, the average total cost of a data breach has increased by 1.6% from the previous year and 12% over the past 5 years. A data breach now costs businesses an average of $3.92 million. The average size of a breach is 25,575 records containing sensitive and confidential information. Each record costs about $150 on average globally and $242 in the U.S. (scasecurity.com)
Insider Threat Detection is the new Data Breach Prevention.
Let's take a look at how various insider threat types occur, especially in today's remote work environments, starting with the hot topic of the Twitter hack: a social engineering scheme with a spear so sharp that the attackers gained access to even verified accounts.
Prevention is the New Detection
The recent Twitter attack that led to the compromise of some of the most popular accounts on Twitter, including Barack Obama, Joe Biden, Jeff Bezos, Elon Musk and over 130 other prominent accounts, is just one of a string of successful social engineering compromises that are now occurring daily and costing businesses millions of dollars on average per incident. One story after another has the same premise: "an attacker has successfully identified and compromised employees at XXX company by employing social engineering tactics". (infosecurity.com)
97% of corporate cyber attacks use social engineering as a main component of the attack. (datafloq.com)
What is rarely discussed is the epidemic of personal information sharing across digital channels, which exposes exactly the context that improves an attacker's chances of successfully compromising corporate systems.
Let’s look at some numbers.
Nearly 6000 individuals on LinkedIn publicly list Twitter as their place of employment. Of those employees:
- 294 list their job title as account manager.
- 76 people publicly list they work in IT.
- 65 people publicly list they work in security.
The majority of these individuals have other social media accounts across Facebook, Twitter, Instagram, and other platforms that can be easily and quickly traversed to build up personal context around relationships, interests, and activities. All of this information provides the necessary ingredients for tailored social engineering campaigns against specific employees, campaigns that lead to high rates of compromise.
The issue is that the attack surface is spreading across infrastructures over which corporations have very little insight or control. Why are corporations not taking the security implications of social media and personal information exposure more seriously? Or, better yet, can corporations take any steps to mitigate these risks, and if they can, how would they accomplish this when the exposure sits on services the company does not control?
A quick search for corporate social use policies illustrates part of the problem.
They all lack detail on what secure social media practices look like and what actions users should take to improve their individual, and therefore their company's, risk factors. The malicious insider threat looms for those that don't operate with a security-by-design or data-security mindset first, especially for those who access sensitive data, systems, or controls.
Download PiiQ Risk's policy template for a free, more actionable Corporate Social Media Use Policy. Our software not only syndicates cyber risk management, monitoring, and training, but also helps manage the implementation flow to keep employees compliant and company data secure.
Incorporating and promoting a new use policy within an organization doesn't ensure employee adoption or comprehension. PiiQ Risk also provides the tools and services to score individual and corporate risk related to social media exposure, as well as to monitor employees for policy adoption. Additionally, PiiQ Risk provides the only truly contextualized spear phishing simulations to test employee awareness and defenses against more advanced attack tactics.
Corporations cannot hope to improve their defenses against attacks without addressing the amount of information that is being exposed across social media and used against the organization in attacks. Contact PiiQ Risk today for a free trial.