Internal Cybersecurity | 5 Lessons Companies Can Learn from ATT Breach
Companies should do all they can to make internal cybersecurity incidents easier to detect and handle | HubSpot
During 2013 and 2014, AT&T suffered data breaches at its call centers in Mexico, Colombia, and the Philippines, impacting approximately 280,000 customers. After a nearly six-month investigation by the Federal Communications Commission (FCC), the cause of the data breach at the Mexico call center was found to be internal misconduct. Three call center employees inappropriately used login credentials to access and sell customer data. The stolen information included names, Social Security numbers, and account data. The breaches, of which the FCC began its investigation in May 2014, recently resurfaced in the news after the FCC fined AT&T $25 million. As the press release read, “This is the FCC’s largest privacy and data security enforcement action to date.”
Internal misconduct is particularly difficult to detect and prevent, but it presents a significant cybersecurity threat and, therefore, must be taken seriously. This kind of misconduct was responsible for 18% of all cybersecurity incidents in 2013, according to Verizon’s 2014 Data Breach Investigations Report. While it is impossible to completely eliminate the risk of internal misconduct, companies can learn from the attacks on AT&T and others to bolster their defense against internal threats. Some key lessons include:
1. Grant employees access to the minimum level of information necessary to do their jobs.
An organized file system with access control is essential to preventing internal threats. Companies should keep a detailed inventory of where information is stored and who has access to that information. Additionally, companies should implement a Network Access Control (NAC) system, which keeps track of all the machines connected to a network. With an NAC, IT can identify unauthorized machines connected to the network and isolate them if necessary.
2. Implement network logging wherever possible.
A comprehensive network logging system allows companies to keep a close eye on suspicious internal activity. One essential logging appliance is a Security Information and Event Manager (SIEM). SIEMs assemble a company’s logs from various sources, including firewalls, intrusion detection/prevention systems, switches, and routers, and aid in log analysis. With comprehensive and well-organized logs, companies can look out for suspicious activity—such as large file transfers outside the company network from computers that should not be making such transfers—and act accordingly.
3. Enable remote wiping on employee mobile devices.
If an employee takes action that harms a company, the company can fire that employee. However, if the employee retains control of a mobile device containing sensitive information, the company is still at risk. All quality mobile device management (MDM) software supports remote wiping, which enables IT to erase all data on a device even if they are not in physical control of it.
4. Incorporate cybersecurity expectations into company policy.
Ensure that employees understand and take seriously their cybersecurity responsibilities, and establish cybersecurity as an important component of company success. Create a policy for employees to read and sign that outlines their cybersecurity responsibilities and the consequences of not fulfilling those responsibilities.
5. Hire a third-party cybersecurity company to conduct internal penetration testing.
An internal penetration test assesses how difficult it will be for attackers to access a company’s most sensitive internal data. The security firm conducting the test should provide the client company with a detailed list of recommendations, which can be used to improve internal security.
Internal misconduct is a risk faced by every company. However, companies can reduce their risk by taking proactive steps to detect and react to internal cybersecurity incidents more quickly.
