The problem is in the walls
Most companies, large and small, can be forgiven for thinking that data breaches and instances of hacking are caused by pimple-faced basement dwellers staring bleary-eyed into a dozen monitors in the middle of the night. However, they would be wrong to think so. An increasing number of studies show that the greatest data breach threat is, in fact, sitting between the chair and keyboard in your office.
Studies show 48% of data breaches and hacks into small businesses are due to human error on the part of the company’s own employees. The employees lose data, trust people they shouldn’t, click on that all-too-tempting link in the phishing email; the list goes on. What’s worse, according to these same studies, only 28% of the small businesses surveyed have anything resembling an official cybersecurity plan in place. Many of these businesses sincerely believe they cannot afford to have one, because they lack the infrastructure, they simply don’t have the time, and every other excuse under the sun. The irony of the whole situation is that once a company has suffered a data breach, the costs multiply geometrically. What would have cost $6,000-$7,000 for a penetration test balloons to hundreds of thousands, even millions, of dollars in lost revenue, lost customers, and rising insurance premiums, and most small businesses never recover.
A great example of this was a former client. I won’t divulge their name or what industry they were in. They had me come in for a penetration test, and I did all my testing, giving them the report of all my findings at the final meeting, as well as recommended fixes for the vulnerabilities I found, and discussed the most major findings. They glad-handed me, thanking me for the thorough report and what I found, and I told them I’d see them in a year or so to schedule their next one. A few weeks later, I heard through the grapevine that not only did they fail to heed any of the advice in my report and recommended fixes, but one of the very vulnerabilities I discovered was used to siphon $100,000 from one of their main escrow accounts. The vulnerability was due to a single secretary having access to financial information they shouldn’t have, and the hackers, upon gaining access to their system, cracked the secretary’s (very easy) password, accessed the files containing their bank account information, transferring it out of the country. Upon discovering that the money was missing, they naturally believed this secretary was the culprit, but quickly realized it couldn’t have been the secretary since they were on a cruise during the time this breach took place. By the time they realized this, however, the money was long gone.
This emphasizes the need not only to have a sound cybersecurity policy in place, one that includes training people on what to do and what not to do with their access and having stronger password policies, but also to actually follow the recommendations of the experts hired to come in and tell you what you need to fix in your systems.