The Cyber Enemy Within

The cyber threat is not just external. Do not assume that once a visitor walks through the front door of the building they are neutral. I have seen cases where a visitor comes in for a meeting with a company only to leave a USB thumb drive with a virus or key-logging software, which takes individual key presses and transmits them to a server on the outside. As a result, every time an employee logs in, her user ID and password can be captured.

Separation of roles and responsibilities is another area that is ripe for exploitation when people identify weaknesses in internal organisational processes. Some organisations still don’t have the right processes in place to take away access from staff as they move around. Someone having access to both sides of finance, so that they are in accounts receivable and in payments, is a risk that needs to be identified. There is usually separation of roles and responsibilities, so in that instance you need to have robust procedures in place.

The point I am making is: don’t just think that it is hackers or nation states that are going to be hacking you. 21st-century businesses also need to protect themselves against employees who have left the organisation on bad terms or following a round of redundancies. If someone feels aggrieved by the process they went through, they can be motivated in different ways to respond.

Although this has always been a risk, it is now magnified by the development of modern technology that connects social media and communities in ways that can be far more harmful to brand reputation.

So the key steps are to identify the assets that you want to protect and to identify what you are protecting them against. Ask yourself how you are going to protect your assets. That is the key aspect of the Identify stage of the NIST Cybersecurity Framework.

Darren Wray