The most recent, and what some experts are calling the worst hack on a major social media platform, took place earlier in July, with prominent US figures targeted in a Bitcoin scam.
Twitter has admitted that the criminals had gained access to the verified, high-profile accounts through Twitter employees, stating that it was a “co-ordinated” attack targeting its employees “with access to internal systems and tools”. The Senate Commerce committee has ordered that Twitter must brief the committee’s staff about the hack no later than Thursday 23rd July.
Whilst it is not clear what tactics the criminals used to gain access through the staff members, it is clear that the ‘insider threat’ is one that is not going away. Indeed, as a result of the COVID-19 pandemic, employees are a potentially more exposed route for criminals to take advantage of. For many working outside of the corporate environment for the first time, unsure of, or simply ignoring the safety protocols that are usually in place.
There has been a clear rise in criminals using employees to gain access since the beginning of the year. The 2020 Global Encryption Trends Study has shown that 54 percent of respondents identified employee mistakes as the top threat to sensitive data, by far the biggest threat with system or process malfunction (31 percent) and hackers (29 percent) following someway behind.
However, as AJ Thompson, CCO at Northdoor explains, a majority of the insider threats are not malicious but simply a case of employees not being fully aware of the risk or the nature of the threat.
“A majority of the insider threat incidents are not malicious but negligence or a lack of education from the employee,” said Thompson. “The Ponemon Institute have said that more than two out of three insider threat incidents are caused by negligence. This is a huge amount, and one of course that can be rectified with a few simple steps.
“Certainly, it seems that criminals have been taking advantage of employees working outside of the corporate network. This increased threat and success rate for criminals is due almost entirely to employee negligence; whether this is being slightly more relaxed with their security routines, being unaware of threats and what they look like, or using equipment that is no longer supported, it is unclear, but what is clear is that communication is key here.
Communicating the importance of data and securing it has to be high on an organisation’s agenda, alongside finding technological solutions to combat it. The key is how you communicate. Bringing employees along the journey of implementing new technology and highlighting the importance of following security policies is crucial – especially at this time.
Part of gaining this buy-in is industrialising the process of data protection. Taking away the emphasis on individuals and manual processes and automating data collection and protection is a crucial step to secure employee buy-in.
By emphasising the importance of sticking to security guidelines and being aware of the latest threats and the methods that criminals are using to infiltrate infrastructure, as well as bringing them on the journey of implementing new technology, ensures that employees are more aware of doing the right thing at the right time,” concluded Thompson.