Late last year, Forrester released a report, “Understand the State of Data Security and Privacy,” which identified the reasons behind data breaches.
The report found that the leading cause of data breaches over the previous 12 months came from internal, not external, threats.
Most organizations spend the majority of their security budgets protecting against external threats while often ignoring their internal threats.
Many credit unions have external penetration tests and vulnerability scans in place to help guard against data loss from outsiders who are especially interested in financial or customer data.
But you must consider internal threats to your network, too. According to the Forrester report, 36% of breaches over the previous 12 months were a result of inadvertent misuse of data by employees.
The study also reveals that 57% of employees polled were not aware of their organization’s security policies.
Not only do employees need to know your credit union’s security policies, but it is also important to minimize the amount of damage that can be done by a rogue employee or by a simple mistake.
You need to see what is going on inside your network, recognize patterns, and determine who has access to what. If a hacker successfully bypasses your front-level security, you need to quickly know how many employees have simplistic passwords that may be discovered via password-cracking programs, and what important pieces of information they may have access to.
In our experience, once given access to an organization’s internal network, analysts are successful in compromising the system most of the time.
This can happen in a variety of ways. Most frequently, it’s the result of improperly secured network shares, default passwords, and incorrectly patched systems.
Internal penetration tests also expose flaws in the design and configuration of an internal system. While not always exploitable, these flaws can result in excessive traffic that consumes bandwidth.
When you are preparing your budgets for 2015, don’t forget to protect your internal networks, too.