National Study Finds Insiders Are Biggest Risk to Cyber Security
Small and Large Companies Seen As Equal Target
Leaders of small- and medium-sized businesses face greater risk from internal threats than from external hackers, and large and small companies alike are vulnerable to attacks, according to a study completed by a Duquesne University professor.
In the study, supported by a $360,000 grant from the U.S. Department of Justice, Dr. Ken Saban also found that the possibility of cyber threats receives a low priority from leaders because most see this as a technical issue, not a managerial one.
In addition, 85 percent of the executives believed they would be less likely to be cyber attacked than a larger corporation, although evidence shows that cyber attacks plague businesses of all sizes, said Saban, associate professor of marketing in the Palumbo-Donahue School of Business.
“Given that most Internet attacks go unreported, this number severely underestimates the true number of attacks and downplays the devastating results,” said Saban, who considers cyber security across the supply chain a national security issue. “You’re only as strong as your weakest link across the supply chain. You can’t think, ‘I’m not going to be a target; I’m too small.’ The data shows otherwise.
“If I wanted to access the intellectual property of a firm, I would begin by probing the supply chain to identify its weakest link, which may be a small to medium enterprise,” Saban said. “If somebody is making a part for a larger system, that supplier will need access to select drawings of the whole assembly. That is what hackers are targeting. Can I steal your and/or your partners’ business secrets? That’s intellectual property theft.
“For someone in the banking and finance industry, the question is, ‘Can I steal your money?’ For the energy and telecom industry, it’s, ‘Can I shut down the power grid?’”
In looking at finance, health care, manufacturing, energy and telecom industries, Saban found that the finance and health care executives were most aware of computer threats and their company’s cyber security practices, and the most likely to receive regular updates on the company’s computer security. Regulated industries appeared more sensitive to computer security risks than their non-regulated counterparts.
While many executives focus on outside threats, most actually are inside breaches wrought by angry, disgruntled or thieving employees, Saban said.
Awareness, commitment to improving cyber security and achievement of strategic initiatives and objectives lead to improved cyber security, Saban found. “If I’m highly aware, am I highly committed? If I’m highly committed to providing the required resources and administering the security policies in place, then my network will naturally be more secure,” Saban said. “The question plaguing the nation is how best to raise the awareness and commitment of C-level executives of small and medium enterprises?”
To address this question, Duquesne University’s School of Business Administration is sponsoring a cyber security briefing for C-Level executives. During this Dec. 8, invitation-only briefing, Saban and his colleagues will present the findings of their study, and a panel of subject matter experts will address why executives should care about security practices.
“The threats keep changing, so what’s out there today is going to be different tomorrow,” Saban said. “Therefore management has to make the long-term commitment to keeping their operations secure. In short, cyber security needs to be a top management priority.”