[BreachExchange] Can Kids Harm Your Company’s Cybersecurity?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 1 20:19:51 EST 2017


http://www.digitalistmag.com/digital-economy/2017/03/01/kids-harm-companys-cybersecurity-04928228

Corporate information technology departments are busy enough without having
to worry about hard-core gamers. So when a story is published about how a
gamer’s World of Warcraft account has been hacked, most IT professionals
would probably ignore the details and return to their own internal
cyberdefense issues.

But those professionals can easily miss the risks that a gaming attack
might pose to their own systems if the gamer had been using a computer that
has also been used to access a company’s network.

Employees are increasingly using their own personal devices to access
company networks. By one estimate, more than 80% of all companies allow
employees to use their personal computers and mobile devices to connect to
a company network, and almost 60% of all employees take advantage of that
policy. Further, more than 4.5 million of those devices are lost or stolen
annually, and cyber thieves are particularly aware of the valuable trove of
information that can be tapped in those misplaced or purloined devices.

Most companies provide training as to how and when employees should use
personal devices on a company network, but that training rarely, if ever,
extends to family members who might share usage of those devices. As a
result, an employee’s child might be the biggest security risk that a
company faces.

That risk comes in many forms. A child or other family member might use a
personal device to click on a link, for example, that directs them to
download the latest versions of Facebook or Twitter. Those links can direct
them to a phony app store and an app download that searches the personal
device for network access information.

Cybersecurity experts believe that online video gaming is a particularly
ripe conduit for cyberattacks. Weak security in online gaming platforms can
allow hackers to steal a gamer’s online credentials or to install keyloggers
on a device that capture everything a user enters for every account
accessed on that device. A hacker who steals legitimate corporate sign-in
credentials can enter a corporate network undetected and cause all manner
of problems for an IT security team.

The most drastic response to this situation is to preclude employees from
using personal devices to access a corporate network. Because this is
impractical, most employers will shun this advice and leave their networks
exposed to inadvertent threats that originate with an employee’s family
member. Internal cyber defense can repel some, but not all, of those
threats. For those threats that do cause damage, cyber protection in the
form of cybersecurity insurance can be the lifesaver that a company needs.

A successful cybersecurity attack can lead to far greater losses than a
company might anticipate. Cybersecurity insurance can provide compensation
for many of those losses, including:

- Expenses incurred in managing a cybersecurity incident
- Media liability coverage for website repairs and intellectual property
  losses or infringement
- Ransomware or extortion liability coverage
- Third-party damages associated with compensating customers or clients whose
  personal information is lost or stolen as a result of a data breach

For the most part, children and family members will not deliberately cause
a corporate cybersecurity problem, but they generally will not use personal
computers and mobile devices with the same care and caution that are
instilled in employees who use the same personal devices to access a
corporate network. When a company’s precautions are not enough,
cybersecurity insurance will provide the necessary backstop to help a
company recover from a successful cyberattack.