Your Company’s Security Begins With Your Supply Chain and Ends With Your Workforce

To pinpoint the location of your insider threat, look for the weakest link between third party risk and corporate culture.

The telecom, healthcare and finance sectors are experiencing this situation first-hand, with criminals actively reaching in to recruit employees who possess desirable access privileges. As last week’s Reddit breach demonstrated, even companies with security safeguards previously considered to be adequate are being successfully breached using methods that exploit the human element, in arbitrary locations within the supply chain.

With the prevalence of multifactor authentication and strong technical safeguards, recruiting insiders and socially engineering employees is now the norm. Companies need to address the control of insider activity directly and recognize that a wide variety of distinct threats share common, readily understood motivations.

According to this Motherboard article, “hundreds of people across the US have had their cellphone number hijacked in this so-called ‘Port Out Scam.’ Victims have had their emails and social media accounts hacked, and sometimes lost hundreds of thousands of dollars.” There are organized crime gangs making millions of dollars doing this and it often starts with a simple question:

do you wanna make some money?

Think about the policies and procedures in place in your organization and consider the following:

  1. Are those safeguards sufficient to prevent a data breach if an employee were influenced to click a malicious link or share a password?
  2. Is sufficient logging and monitoring in place to ensure that corrupt individuals can be identified and investigated?
  3. Are enough concrete examples communicated so that employees understand the adverse scenarios that can unfold, and do they know how to report suspicious activity?

I occasionally consult with companies that offer various explanations for inadequately addressing insider threats. My favorite remains this one: “we don’t talk to them about it because it may give them <bad> ideas. They have too much access as it is.”

Threats evolve. Don’t expose your company to unnecessary risk because of inadequate security leadership or a perceived difficulty in striking the right tone in your communications. Good security training is not hard, but it’s also not optional.


*this content is available as a management presentation or keynote address.

**this article was also featured on LinkedIn.

Personal musings on data protection fails, snafus and oddities, collected, composed and edited by Claudiu Popa; author, educator, bibliophile.
