Companies not focusing on internal cyber security threats

Graham Cluley, an independent IT security researcher, has said that businesses need to take internal IT security threats more seriously, as not all cyber threats originate externally.

Mr Cluley said that most companies focus on external cyber security, as they believe that hackers, cyber criminals and state-sponsored cyber attackers are the biggest threats. However, these companies forget that employees who have access to sensitive company data can also pose a major security risk.

He cited the example of the insider cyber security scam carried out by US-based brothers Eddie and Tommy Tipton. The brothers had insider knowledge and access to IT systems to improve their chances of winning the state lottery in Iowa. Eddie Tipton, who worked for the lottery company, won the large jackpot after tampering with the software that picks random numbers. However, CCTV footage caught him buying the ticket in complete contravention of company rules, which forbid employees from buying lottery tickets.

Mr Cluley said that the Tipton case reveals that companies should not have complete faith in their IT staff members, as they have the means to hack and access critical data without anyone’s knowledge.

He added that some companies themsevles are not trustworthy, pointing to the dating site BeautifulPeople.com as an example. The site issued a press release claiming that hackers compromised its in-house approval process to allow people who did not meet the company’s standards to join as members.

Mr Cluley and other independent IT security professionals and researchers investigated the claims by BeautifulPeople.com, which were untrue and revealed as a gimmick to generate publicity.

Shortly after this incident, BeautifulPeople.com experienced a real attack, resulting in the exposure of 1.1 million user records. Mr Cluley said that when this happened, the company did not issue a press release and tried to brush things under the carpet.

These examples reveal the importance of organisations focusing on external and internal IT security threats equally if they want to safeguard themselves in a digitally connected world.

You may also like