Sage is the latest high profile name to suffer a data breach, but it wasn't hackers who were responsible.
Who says accounting is boring? The security breach at Sage has proved a significant source of drama, with an airport arrest to add to the excitement.
It is, of course, just the latest high-profile security breach. With a reported 280 firms, and potentially all their employees, affected it's a significant case, but far from the biggest. As ever with these incidents, though, there are important lessons to be learned.
For a start, it's clear that the markets take these breaches seriously, with shares in the company falling by 4%. This is a consistent theme with security breaches now: investors don't like them, and they have an immediate impact attached.
Second, it's a reminder of the importance of considering the insider threat; the woman arrested at Heathrow was a Sage employee, and the firm has said the breach was the result of an "unauthorised access using an internal login".
Tackling the insider cyber threat
That threat from employees is considerable, and not easily fixed. As the FBI's former head of the Computer Intrusion Unit once noted, "there is no patch for careless, greedy or stupid". A report earlier this year by EY cited malicious employees as the fastest growing cyber threat, while another suggests that one in five office workers would be prepared to sell their corporate password.
While some of these risks will always be with us, there's probably more businesses can do. As a 2013 study by the Centre for the Protection of National Infrastructure found: "There is a clear link between an insider act taking place and exploitable weaknesses in an employer's protective security and management processes."
Put simply, you can minimise the risks by ensuring appropriate controls are in place. At the very least, the Sage incident should prompt businesses to review who in the organisation has access to what, and whether they really need it to do their job: sticking with the 'Least Privilege' principle is a good start.
Supplier cyber risks
The other lesson from the Sage case, though, is that vulnerabilities usually extend well outside the walls of your buildings. Even if your firewalls, security and internal controls are top notch, you still face vulnerabilities from your service suppliers.
Again, there's no quick fix here. Firms have to do due diligence on their suppliers, of course, but in truth, there are no guarantees. Even when you stick with reputable names, such as Sage, or Oracle (the MICROS point-of-sale credit card payment systems used by 330,000 cash registers worldwide also suffered a recent breach), you are at risk.
As a business you can only do your best; equally, though, you need to prepare for the worst.