Insider threat has been proven to be the most pervasive and costly way that organizations are deprived of their critical information assets. Couple this with a careless cybersecurity compliance program and you have the recipe for disaster.
Here’s an actual, very scary scenario:
Recently, a couple of individuals from this organization’s IT staff met in the company break room for a cup of coffee and an informal work-related chat. During the course of this chat, it was discussed how this company has not been keeping up with its privileged account access reviews:
IT Individual #1: “I need to get access to the external firewall to make some needed updates, but my account was closed some time ago. Any suggestions?”
IT Individual #2: “Sure! We haven’t changed that password in a dog’s year. It’s ‘<password-name>’.”
IT Individual #1: “Great! Thanks! Just what I needed to get this change done ASAP.”
These two individuals were speaking in a rather loud volume in a relatively small break room. Behind them, another individual had wandered in and listened intently to this conversation, taking some quick notes in the process.
Long story short, the password was quickly sold, and in a short time this organization’s entire corporate network was made open and accessible. The intruder used the overheard password to access the firewall, changed the password to one of his own choosing, and then made changes that allowed only certain external traffic origins to pass through to the internal network.
I think you can guess what happened next.
Cybersecurity Principles 101
This true event brings into play several cybersecurity principles of key importance: the need of every organization to have:
- Security awareness education on insider threat and the proper disclosure of confidential information to other individuals.
- Security awareness training on what to and what not to discuss in an organization’s public spaces.
- Strictly designed and enforced Privileged Access Control to critical network infrastructure assets.
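The story above fails on every item of a privileged account access review at once: a shared firewall credential, a password that had not been rotated in years, a closed account whose holder could still obtain access, and no review that would have caught any of it. The script below is an added example, not part of the original post and not any vendor's tool; it runs such a review over a constructed inventory of privileged accounts on network devices (the device names, usernames, dates and the 90-day rotation and review intervals are all assumptions) and reports each condition a reviewer should act on.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed policy values: rotate privileged passwords every 90 days and
# review privileged access at least every 90 days.
MAX_PASSWORD_AGE_DAYS = 90
REVIEW_INTERVAL_DAYS = 90


@dataclass
class PrivilegedAccount:
    device: str            # network device the credential grants access to
    username: str          # login name on that device
    owner: str             # person accountable for the credential
    owner_active: bool     # False once the owner's access has been closed
    shared: bool           # True when more than one person knows the secret
    last_rotated: date     # when the password was last changed
    last_reviewed: Optional[date]  # when access was last reviewed, if ever


def review_privileged_accounts(accounts: List[PrivilegedAccount], today: date,
                               max_age_days: int = MAX_PASSWORD_AGE_DAYS,
                               review_interval_days: int = REVIEW_INTERVAL_DAYS):
    """Return one finding per policy violation found in the inventory."""
    findings = []

    def add(acct, code, detail, **extra):
        findings.append({"device": acct.device, "account": acct.username,
                         "code": code, "detail": detail, **extra})

    for acct in accounts:
        # A credential that still works after its owner's access was closed
        # is exactly the gap the break-room conversation exploited.
        if not acct.owner_active:
            add(acct, "ORPHANED",
                f"owner {acct.owner} is no longer active but credential is still valid")
        # Shared secrets remove individual accountability and spread by word of mouth.
        if acct.shared:
            add(acct, "SHARED", "credential is known to more than one person")
        age = (today - acct.last_rotated).days
        if age > max_age_days:
            add(acct, "STALE_PASSWORD",
                f"password not rotated for {age} days (policy {max_age_days})", days=age)
        # A never-reviewed or overdue account means nobody has confirmed the
        # access is still needed.
        if acct.last_reviewed is None or (today - acct.last_reviewed).days > review_interval_days:
            add(acct, "REVIEW_OVERDUE", "privileged access review is overdue or never performed")
    return findings


# Constructed sample inventory (not real devices or accounts).
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("fw-external-01", "fwadmin", "shared-it", True, True,
                      date(2021, 3, 15), None),
    PrivilegedAccount("fw-external-01", "jsmith", "jsmith", False, False,
                      date(2024, 5, 1), date(2024, 5, 1)),
    PrivilegedAccount("core-sw-01", "netops-alice", "alice", True, False,
                      date(2024, 4, 20), date(2024, 4, 20)),
]


def run_sample(today: date = date(2024, 6, 1)):
    """Run the review over the constructed inventory as of an assumed date."""
    return review_privileged_accounts(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['device']}/{f['account']}: {f['code']} - {f['detail']}")
```

Run against the sample, the shared firewall account produces three findings (shared, stale password, never reviewed) and the closed user's still-valid account produces an orphaned-credential finding; the properly maintained switch account produces none. In a real deployment the inventory would be pulled from the devices or the PAM system rather than hard-coded, and each finding would become a ticket with an owner and a due date.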
What is your organization’s cybersecurity compliance posture? Are you the next “Scary story”?
Test Your Defenses
Privileged Access Control and comprehensive Security Awareness Training are just two of dozens of current cybersecurity framework best practices against which we can test your organization’s defenses.
If your organization doesn’t have the internal bandwidth to perform a thorough analysis, consider employing the services of an experienced Cybersecurity Compliance Consultant who can obtain the desired results with minimal impact to your staff and operations.
Fill out the form below to get in touch with us for additional information.