Sage is the latest high profile name to suffer a data breach, but it wasn’t hackers who were responsible.
Who says accounting is boring? The security breach at Sage has proved a significant source of drama – with an airport arrest to add to the excitement.
It is, of course, just the latest high-profile security breach. With a reported 280 firms – and potentially all their employees – affected it’s a significant case, but far from the biggest. As ever with these incidents, though, there are important lessons to be learned.
For a start, it’s clear that the markets take these breaches seriously, with shares in the company falling by 4%. This is a consistent theme with security breaches now: investors don’t like them, and they have an immediate impact attached.
Second, it’s a reminder of the importance of considering the insider threat; the woman arrested at Heathrow was a Sage employee, and the firm has said the breach was the result of an “unauthorised access using an internal login”.
Tackling the insider cyber threat
That threat from employees is considerable, and not easily fixed. As the FBI’s former head of Computer Intrusion Unit once noted “there is no patch for careless, greedy or stupid”. A report earlier this year by EY cited malicious employees as the fastest growing cyber threat, while another suggests that one in five office workers would be prepared to sell their corporate password.
While some of these risks will always be with us, there’s probably more businesses can do. As a 2013 study by the Centre for the Protection of National Infrastructure found: “There is a clear link between an insider act taking place and exploitable weaknesses in an employer’s protective security and management processes.”
Put simply, you can minimise the risks by ensuring appropriate controls are in place. At the very least, the Sage incident should prompt businesses to review who in the organisation has access to what, and if they really need it to do their job: Sticking with the “‘Least Privilege” principle is a good start.
Supplier cyber risks
The other lesson from the Sage case, though, is that vulnerabilities usually extend well outside the walls of your buildings. Even if your firewalls, security and internal controls are top notch, you still face vulnerabilities from your service suppliers.
Again, there’s no quick fix here. Firms have to do due diligence on their suppliers, of course, but in truth, there are no guarantees. Even when you stick with reputable names, such as Sage – or Oracle (the MICROS point-of-sale credit card payment systems used by 330,000 cash registers worldwide also suffered a recent breach) you are at risk.
As a business you can only do your best; equally, though, you need to prepare for the worst.