PARIMA Resilience Week: Cyber threat presents risks from within

Organisations face a series of cyber threats from within and from increasingly adept criminal actors, according to panel discussion attendees at PARIMA’s digital conference.

Suchitra Narayanan, senior vice president, enterprise risk at Lazada Group, chaired the discussion on cyber threats from within.

She said the year had been a “roller coaster, which has meant that the cyber threat is more real and more prevalent than ever”.

Paul Jackson, regional managing director, APAC cyber security & investigation practice leader at Kroll, told the panel that insider motivations could lead to malicious acts: “This is very much an ever-present threat right now.”

He said the threat could be deliberate or accidental.

“Inadvertent” breaches were common, according to Jackson, with 85% of breaches involving a human element.

“By inadvertent, I mean loss of equipment, the loss of a laptop, non-encrypted device or a thumb drive. A misdirected email sent to somebody that shouldn’t have received it, with a sensitive attachment. Or just simply, as is very commonly the case, an employee falling for a well-crafted, or a hard-to-detect, social engineering attack.”

Jackson said 95% of Kroll clients fell for “test” attacks conducted by the firm.

“Negligent” incidents were also common, he said.

“This is really more about laziness and carelessness. Unfortunately, this happens in our organisations. We get employees whose password discipline, for example, is lax. They choose easy passwords, or they’ll take shortcuts with security. In other words, putting the firm at risk to make their lives more convenient.”

“Uninformed” employees were also regularly guilty of causing successful hacks, he added.

“It’s ignorance. It’s a lack of understanding of cybersecurity data, privacy risks, and threats. Can you blame the employee for this? Well, partially but honestly speaking, it’s incumbent upon organisations to make sure that training is provided,” he said.

“Malicious” cyber incidents also posed a great risk, he added.

“This is one which we worry about perhaps the most because cybercriminals are increasingly seeking to leverage insiders’ privileged access to break into a company or to cause harm to a company. The motivation can be getting paid for it,

It was “critical” for companies to have strong governance to reduce the risk of human mistakes, he added. Regular testing and running “tabletop scenarios” were also key, he said.

However, “even the best precautions are being circumvented by criminal ingenuity”, he added.

Parties agreed that leadership from the top was crucial in creating cyber resilience, and that annual online “tick box” exercises were not adequate on their own.

Joseph Yew, chief information officer at MSIG Asia, said that cyber resilience was a “team sport”.

“So we really have to invest in training for employees, to empower them in areas such as secure data handling, security, awareness, vigilance. We need to equip them so they become our ‘insider police’,” Yew added.