The Hacker On Your Payroll

By: Jim Fiorini

When most non-IT people think of hackers, they envision masked people in hoodies in dark rooms with code scrolling across their screens, trying to find ways to infiltrate your network. The reality is far removed from this picture.

While there are hackers who fit this description attacking large, high-profile data centers, statistics show that the vast majority of the daily loss of business data comes from employee activities.

Some of these employee activities are malicious, but many are simply operational errors in day-to-day work. Many business owners are surprised at how quickly critical data can be lost without anyone from outside ever accessing or interfering with the network.


Unintentional Breaches

Unintentional breaches occur when employees open email attachments that deliver a malware payload onto your network. Most attacks are an attempt to obtain revenue, not simply to corrupt your data.

These payloads typically hold data for ransom, and once the ransom is paid you may or may not be able to recover your data completely, if at all. The prevalence of ransomware has gotten so bad, in fact, that debate began swirling around the internet about whether or not ransom paid for data is tax deductible.

An employee may receive an email from a senior executive that appears completely authentic and requests sensitive information. One that comes to mind is the Accounting Manager who received an email from her boss requesting that copies of all employee W-2s be emailed to him. As a good employee, she promptly responded to the request. The problem was that the sender wasn’t her boss, but someone very good at “spoofing” emails.

Long gone are the transparent hacking schemes with stories of inheritances and princes. Today’s hackers are incredibly sophisticated and effective at gaining trust.

Not all data loss is due to a breach. For instance, CRM managers may inadvertently delete records or make mass updates that corrupt them. While unintentional, such a mistake could cost thousands of dollars in lost productivity.

Similarly, mobile devices add to the vulnerable access points in an organization. Something as simple as leaving a cell phone at a café table can expose the remote access credentials stored on it.

To make matters worse, employees are often unaware of breaches, or do not notify anyone when they occur. This can mean that a breach goes undetected for an extended period.


Intentional Employee Breaches

Remember back in the day when there always seemed to be a few dollars missing from the register every other Saturday?  How about the bank statements that were off by a fraction of a percent?

In today’s world, data breaches can cost exorbitant amounts of money, not only in recovery cost but also in lost productivity. Employees who are strapped for cash or simply feel slighted have a ready source of income when they have access to sensitive personal information like Social Security numbers, addresses, etc.

Many sales organizations, for instance, have uncovered data breaches when a sales person leaves with CRM data. Ugly employee departures can result in not only the theft of such data, but also total corruption or deletion of the files.


Data Loss is not Just Limited to Your Network

It’s not unusual to have a common workgroup printer or copier used by several people in a workplace. When someone picks up their print job and it’s mixed with other output, that employee, being a good corporate citizen, places the other documents in the handy bin beside the printer.

Everyone now carries a high definition digital camera with them wherever they go. Those documents with client data on them are exposed to the cleaning people, the copier technician, the water delivery guy, and a cast of thousands of non-employees who have free access to your spaces. Exposed data plus high definition cameras can mean a major loss of data.

The Real Cost of a Data Breach

There are the obvious costs: the ransom, replacing corrupted hardware, lost productivity, IT labor, and lost business. These are small considerations compared with the legal liability you may face.

If you are associated in any way with healthcare records, as in insurance, litigation, or even medical supplies, then once you have taken possession of patient information you are accountable. The fines alone are intentionally painful, and the civil liability may be huge.

The financial services industry is at risk for this as well. Suppose you’re a small employee benefits management company handling the accounts for roughly 3,000 people. Can you imagine the civil liability suit headed your way if all 3,000 records get out with name, DOB, SSN, IRA balance AND account numbers?


The Cost of Prevention and Mitigation

Regardless of cost, it is always more important to be proactive rather than reactive when defending your data. Similarly, the ability to restore your network infrastructure to the nearest point before the loss will always be far less expensive than reacting to such an event after the fact.

Furthermore, in the event of a data loss its severity will be greatly reduced, and you will have gone a long way toward showing a good faith effort to protect your clients’ data integrity.

As is typical of technology, the costs associated with managed firewalls, business continuity data recovery, and employee training have come down significantly. In addition, all of these services are scalable and easily deployed, so there really is no reason to wait before exploring the options.

When it comes to data security, proactive beats reactive every time.


Jim Fiorini is a Managed Network Specialist for Edwards Business Systems who works closely with small to medium sized businesses in a variety of industries on data security, business continuity, and disaster recovery. Contact Jim to learn more about securing your network.
