Tales from the Unencrypted

That was a positive, triumphant moment, an event meant to make the audience cheer.

In the real world, however, these situations often play out quite the opposite way. That is just one topic Erika Morphy addresses in her “More tales of security fails,” which recounts stories of cybersecurity risk in light of the Kreditech data breach. A major and still often overlooked threat to companies comes not from external factors but from employees within the organization itself. It doesn’t even have to be a malicious action: something as innocuous as an end user unknowingly injecting malware into the network via an infected device, a view supported by Rick Kagan, vice president of marketing at Menlo Security. In this case it is like injecting a Neo into that ‘Smith collective’, although, unlike in the movie, it would not be a good thing.

And with the steady increase of Bring-Your-Own-Device (BYOD) policies across various businesses, this vulnerability becomes all the more likely. That doesn’t even account for devices being lost or stolen as employees take them home.

Ultimately, as Morphy’s list states, all this reflects is that employees are very frequently the ‘weakest link’ in a company when it comes to factors that can lead to damaging cybersecurity incidents. Illustrating this, the article also cites Kagan’s observation that “between 30 to 70 percent of their employees still click links in test emails designed to see if users can recognize and avoid phishing attacks,” despite whatever training programs a company may have in place, coupled with the seemingly endless stream of data breach headlines.

On the other hand, while these security fails are absolutely worth taking note of, it appears—and perhaps this isn’t really that surprising—that when it comes to the big companies, like a Sony or a Target, the damage done to reputation, to employees and their personal information, to consumer trust, etc., is not necessarily matched by financial impact. Take Sony: Fortune reports that the company has estimated its total loss at $15 million in investigation and remediation costs, and that it anticipates spending up to $35 million by the end of the fiscal year. Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs, says that this represents only between 0.9% and 2% of Sony’s total projected sales for 2014, while Target’s expenses of $252 million for its breach equal approximately 0.1% of its annual revenue. So, not a lot. At that price tag, a company might be tempted to decide that paying after the fact is a simpler option than setting up comprehensive, preventative IT solutions—which would still leave employees at risk.

Vulnerabilities in businesses’ enterprise security networks, particularly those that are easily exploited (maliciously or no), are without a doubt a significant problem; even so, between those incidents and the news about the minimal cost to Fortune 500 companies, I’m not sure which is the bigger fail.

By: Jonathan Weicher