Not enforcing a company's intellectual property rights could adversely affect the company's financial results. Intellectual property rights, including patents, plant variety protection, trade secrets, confidential information, trademarks, trade names and other forms of trade dress, are important to the company's business.
Companies must design and implement internal controls to restrict access to and distribution of their intellectual property. Despite these precautions, the company's intellectual property is vulnerable to unauthorized access through cyber-attacks, theft, and other security breaches.
Vulnerabilities are aspects of IT infrastructure that can potentially be exploited, leading to unauthorized access, loss or exposure of sensitive data, disruption of services, failure to comply with regulatory requirements, or other unwanted outcomes. Vulnerabilities can stem from many sources, including software defects, improper configurations, and human error.
Malware refers to malicious software or scripts designed to access or harm information technology resources without their owner’s authorization.
Hacking refers to intentional attempts to access or harm information technology resources without authorization by thwarting logical security mechanisms. Hacking is usually conducted remotely, lending itself to attacker benefits of anonymity, automation, and scale.
Typical threats include the following:
Blended threats, which are designed to exploit multiple channels for getting end-users to voluntarily give up private information:
· Phishing refers to seemingly innocuous email that contains links to malicious executables or web sites; corporate, personal and web email are all active targets
· Spear phishing refers to phishing that is directed at specific companies or specific individuals, in which attackers gather additional information in advance to personalize the email communication and thereby increase their likelihood of success
· Vishing (a combination of "voice" and "phishing") refers to the use of fake phone sites; e.g., the end-user may receive an email requesting that they call a toll-free number, or they may receive a phone call requesting that they call a toll-free number or visit a website
· Smishing (a combination of "SMS" and "phishing") refers to the use of short message service (SMS) text messages; e.g., the end-user may receive a text message requesting that they call a toll-free number or visit a website
· Drive-by downloads, in which end-users unintentionally download and install malicious executables, for example:
· By end-users merely visiting infected web sites, or by end-users purposely downloading and installing what they mistakenly believe to be legitimate software
· Attackers are using search engine optimization (SEO) techniques to drive end-users to web sites that are infected with malicious code
· Shortened URLs make it even easier for attackers to disguise malicious links, and to exploit end-user trust through social engineering
· Anonymous proxy servers, which access Internet resources on behalf of the original requester, can be used by attackers to hide malicious target URLs from web security monitoring and filtering technologies
· International domain names that contain no Latin characters have increased the opportunity for attackers to exploit malicious, mixed-character URLs that are visually indistinguishable from their legitimate counterparts
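
A filtering or mail-scanning control can flag the mixed-character domain names described in the last item by checking whether any hostname label combines more than one script. This is an added example, not part of the original article; deriving the script from the Unicode character name is a heuristic assumed here, and the hostnames are constructed samples.

```python
import unicodedata
from urllib.parse import urlsplit

def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphen are shared by every script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def decode_label(label):
    """Return the Unicode form of a DNS label, decoding punycode (xn--) labels."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: inspect the raw label instead
    return label

def inspect_host(host):
    """For each label return (text, scripts used, True if scripts are mixed)."""
    findings = []
    for label in host.rstrip(".").split("."):
        text = decode_label(label)
        scripts = {char_script(c) for c in text} - {"COMMON"}
        findings.append((text, sorted(scripts), len(scripts) > 1))
    return findings

def is_suspicious(url):
    """True if any label of the URL's hostname mixes scripts."""
    host = urlsplit(url).hostname or ""
    return any(mixed for _, _, mixed in inspect_host(host))

if __name__ == "__main__":
    # Constructed samples: the second URL uses Cyrillic U+0430 in place of "a".
    for url in ("https://bank.example/login", "https://b\u0430nk.example/login"):
        print(url.encode("unicode_escape").decode(), is_suspicious(url))
```

A label written entirely in one non-Latin script is not flagged as mixed; `inspect_host` still reports its script so a stricter policy can review or block it.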
81% of all data breach incidents leveraged hacking, 69% involved malware, and 61% used a combination of both
97% of data breaches could have been avoided through the use of simple or intermediate controls
Not implementing the right controls for access to data creates an opportunity for internal threats to occur within a business organization.
The question is: “Are your employees selling you out to the best bidder, or are they just plain ignorant of the fact that some activities are leaving company data exposed to theft by a business competitor or opportunistic hacker?”
Points of concern that companies need to be aware of include:
· Password policies need to be implemented infrastructure-wide within an organization. Complex passwords are the best passwords to use and should be enforced from an access control perspective, allowing very little room for error on an employee’s part.
· Control access to handheld devices such as laptops, smartphones, and tablets. Install company-managed encryption and anti-virus software on all of these types of devices.
· Onboarding and termination policies are often neglected, which opens the door for disgruntled employees to walk away from a company with trade secrets and confidential information. Restrict access to information through strict access control policies. Remote wipe handheld devices, and recover laptops from terminated employees immediately.
· Strict usage policies can prohibit employees from sending sensitive information via insecure e-mail. E-mail content scanning technology can also help.
This was just a shortlist of the many concerns companies need to be educated on. Bringing in consultants who specialize in the area of internal company security may be a good idea for SMBs not equipped with an IT security team.
I will be providing comprehensive articles and whitepapers on the security of Structured and Unstructured Data soon.
What types of security issues are you concerned about in your business?