More often than not organisations are warned about security incidents that make the headlines tend to be about catastrophic technology failures or breaches caused by nefarious actors. However, what business leaders need to realise is that sometimes the most dangerous threats could be right under their noses.
The human factor plays a critical role in cybersecurity, with figures suggesting that human error is responsible for more than 90 percent of breaches.
For companies, this means that a major concern has to be the actions of their own employees, who can frequently – either deliberately or unwittingly – be the cause when things go wrong.
Latest research – some of it in the UAE and Saudi Arabia – by the US-based cybersecurity company BeyondTrust, which produces privileged access management tools, indicates just how much of a problem that employee breaches can be.
The Privileged Access Threat Report 2019 is the fourth report of its kind, and the research behind it – based on surveying the views of organisations in sectors such as government, manufacturing and retail – helps to highlight issues that are of particular concern in the Middle East.
In the UAE and Saudi Arabia, 62 percent of respondents were concerned about the intentional misuse by employees of sensitive data for personal gain. In the Asia-Pacific region, the figure was about the same, at 64 percent.
These figures were significantly higher than those for some other parts of the world, notably Germany, where 44 percent of respondents said sensitive data misuse by employees was a concern, and the United Kingdom, where the figure was 55 percent. So, what is behind the difference?
“I think it’s cultural, I think it’s values. It might be the law as well,” says Morey Haber, BeyondTrust’s chief technology officer and chief information security officer.
“Ramifications [for data theft] in somewhere like Germany are significantly worse. In the Middle East the laws for physical theft are much stricter, but data theft does not have the same perception,” he says.
In Western Europe because legal punishments for data theft are likely to be much stricter, companies are likely to worry less that their employees are abusing their data.
Tying in with what might be seen as a less rigorous approach to data issues in the Middle East, just 28 percent of businesses in the region were worried about employees downloading data onto a memory stick, compared to 42 percent in APAC.
Another major geographical difference was the extent to which companies were aware of how many IT devices were accessing their network.
Worldwide, of the survey’s more than 1,000 respondents, 76 percent were confident that they knew the number accessing their systems. However, there was wide divergence between the Middle East and some other regions.
In Germany, 85 percent of companies were confident about their knowledge of the number of IT devices accessing their systems, while in the Middle East it was just 70 percent.
“It’s a very big difference between the regions and potentially a problem,” says Haber.
Worldwide, 64 percent of companies believed that, in the past 12 months, they had had a direct or indirect breach from misused or abused employee access.
More than seven in 10 organisations agreed that restricting employee device access would improve security – but acknowledged that this was not realistic.
The report highlighted concerns over bring your own devices (BYOD), where employees use their own equipment when accessing a company’s network. Globally, 57 percent ranked this as a threat, only fractionally behind the numbers concerned about insider access (58 percent) and hostile external threats (61 percent).
Professor Ernesto Damiani, from the Department of Electrical Engineering and Computer Science at Khalifa University in Abu Dhabi, also feels that BYOD is a key vulnerability, saying that it can be “asking for trouble”.
“Bring your own has not only been tolerated but encouraged. It’s typical for large organisations like hospitals and companies which are not particularly computer savvy,” he says.
“This is normally one of the biggest threats. It’s seen as saving money for the company, but it’s the way that the solitary guy, the solitary hacker infiltrates the network easily.”
Given the vulnerabilities outlined in the survey, what else should companies do to secure their systems?
Damiani says the best strategy is to “limit the privileges [of employees] severely,” only providing them with the privileges that they need to carry out their jobs.
“It’s a key precaution,” he explains. “Don’t allow more people to have more privileges than they need. If you cannot do anything, you cannot do harm.”
Such a strategy is not always popular with employees, especially senior ones, who may feel that they have more right to privileged access than anyone.
Damiani says that such senior employees are the ones who it is most important to restrict the privileges of, since they are more likely than other staff to be targeted.
BeyondTrust says that its privileged access management (PAM) tools can help companies to secure their networks in the face of threats from employees, vendors and contractors.
A suitable number of integrated PAM solutions can, according to the company, leave productivity unaffected while at the same time offering better visibility and appropriate control of “privileged insiders” and vendors.