Dive Brief:
- In a survey of 500 U.S. IT respondents, 20% say a failure to revoke former employees' access was responsible for data breaches, according to OneLogin. Forty-four percent of participants acknowledged they are unaware of whether former employees' accounts have been deactivated.
- Only 41% of the surveyed companies use a security information and event management system (SIEM), which oversees employee activity within accounts. Without such oversight in place, companies will not be automatically alerted to security intrusions.
- Major cyberattacks such as WannaCry and the Petya strains have global fiscal impacts of about $450 billion. The U.S. alone faces $121 billion in repair costs from major cyberattacks.
Dive Insight:
In the wake of all the cybersecurity losses of the last few months, companies have felt the pressure to reexamine their security infrastructure. Removing outdated systems that are susceptible to malware, such as Microsoft’s SMB1, is only part of the protocol.
Some security threats could be coming from within the company, as 90% of security breaches are the result of human error. Even more nefariously, unmonitored systems leave the opportunity for current or former employees to access private data on virtual private networks (VPNs).
However, apparent ignorance should not be the reason for a security breach. Data breaches can result in bad press and legal ramifications, such as Anthem’s record $155 million payout to breached victims. Trump Hotels was hit by a third data breach in two years after personal records and credit card information had been released. World Wrestling Entertainment (WWE) may also face legal ramifications for having two public servers open for an unknown period of time.
The OneLogin report also found 48% of respondents were aware of former employees’ sustained abilities to access corporate networks. Considering that other research shows only a very small fraction of businesses believe they're proactive in fighting cyber attacks, it's unclear how much action has been taken by HR departments, even those that are aware of former workers' access to their network.
If HR executives haven't already begun the process of stepping up their training efforts around identifying and reporting potential threats, it's well past time to start.