For two years, a number of employees at Facebook and Google in the United States carried on financial transactions with a South Asian vendor named Quanta Computer, making payments for goods and services rendered.
Or they thought they did.
As it turned out, a Lithuanian national named Evaldas Rimasauskas ran an elaborate phishing scam. He impersonated Quanta Computer and demanded payments from Google and Facebook employees via phishing e-mails. Having swindled as much as $100 million between 2013 and 2015, he transferred the money to a number of banks located in countries like Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.
This wasn’t the first instance of company employees falling for phishing scams or rendering company systems vulnerable due to lack of cyber-security training. “I think companies need to be looking more broadly than that – not just at operational direct loss. Here’s the possibility of reputational damage. What does this say about internal controls over assets?” said Mary Jo White, a former head of the SEC to Fortune.
A recent report released by security firm Bomgar reveals alarming levels of negligence and lack of adherence to cyber-security protocols by company employees both in the United States and in Europe. The report deals with the level of administrative access which companies provide to their employees as well as to third party vendors, and how such access can put secure business data at risk.
As far as cyber-security hygiene goes, the Bomgar report reveals that as many as 69% of employees stay logged on to either their laptop or company accounts after work hours, 57% send work files to their personal e-mail accounts, 46% tell colleagues their passwords, 53% use unsecured Wi-Fi to access online data and in the UK, only 44% of companies have reviewed their policies on third party access in the last two years.
This is despite the fact that businesses are aware of the ills of lack of adherence to cyber-security protocols. Businesses are aware that employees may unintentionally mishandle sensitive data, fall victim to phishing e-mails or skirt security best practices to speed up productivity. Despite such awareness, only 37% of businesses have complete visibility into which employees have privileged access.
Back in April, an eye-opening Verizon Data Breach Investigations Report revealed that hackers are mostly targeting smaller businesses with less than 1,000 employees and are majorly exploiting weak or stolen passwords and poor security protocols. The report revealed the modus operandi of most hacking groups. Out of 42,068 incidents and 1,935 breaches, two-thirds of them were initiated via e-mails. Once gullible users clicked on links or attachments in those e-mails, hackers took control of their systems and installed malicious software to obtain protected or confidential data.
“Social engineering is a common means for cybercriminals to establish a foothold. And employees are making this easy by using easy-to-guess passwords. Users, and even IT departments, are even often guilty of not changing the default passwords that devices come with, and can easily be looked up online. This means a lot of the breaches we’ve seen were avoidable, if organizations had put in place some basic security measures,” the report added.
The Verizon report also touched upon the insider factor behind data breaches. It mentioned that 60% of all cyber-espionage cases involved people inside organisations, either to transfer data to a new employer, start rival companies or sell such data for money. The Bomgar report has termed insider and third-party access as top cyber threats for global organisations.
“It only takes one employee to leave an organization vulnerable. “With the continuation of high-profile data breaches, many of which were caused by compromised privileged access and credentials, it’s crucial that organizations control, manage, and monitor privileged access to their networks to mitigate that risk,” said Matt Dircks, CEO at Bomgar.
“The findings of this report tell us that many companies can’t adequately manage the risk related to privileged access. Insider breaches, whether malicious or unintentional, have the potential to go undetected for weeks, months, or even years – causing devastating damage to a company,” he added.