Stolen staff data could be your biggest security weakness

Organisations are aware about the damage customer data being hacked can do - but a new report suggests they underestimate the risks associated with business data being compromised.
Written by Danny Palmer, Senior Writer

The threat of corporate email addresses and other employee data being stolen and exploited by cyber criminals is still not being taken seriously, despite the potential damage such a hacking incident could do.

Researchers at cybersecurity company Terbium analysed how companies approach security risks and found that many are underestimating the damage that could be done if employee data is stolen and leaked to the dark web or wider internet.

According its Underrated Risks of Data Exposurereport, just 11% of those surveyed believe corporate email addresses could be at high risk of exposure on the internet and even fewer believe social security numbers, names, bank accounts and payroll records of employees are the sorts of data that cyber criminals are interested in.

"People are generally concerned about their customer data being exposed. But when they look at employee data, no one cares, " Emily Wilson, VP of research at Terbium Labs, told ZDNet.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Companies are more worried about customer data being exposed by hackers – and while that does create loss of revenue and reputation, ignoring the potential cost of corporate data being stolen could make falling victim to an attack that exposes customer data much more likely.

"Corporate employee data is the skeleton key to whatever you want in the organisation," Wilson explained.

"If you have employee email addresses, then you engage in phishing and business email compromise. It's a broad entry point into a company's systems and having access to employee data gives you the run of the place," she said.

It isn't as if corporate data hasn't been stolen and leaked before – remote desktop logins can be purchased for just a few dollars, so this is an area that provides a great amount of risk to organisations. But for some reason it isn't high on the radar when it comes to analysing potential cyber risks.

"They're not stepping back and worrying about how attackers could get to customer data – they're yet to realise that corporate data exposure is the linchpin that leads to all of these security issues that businesses are worried about day to day," said Wilson.

SEE: Cybersecurity: 99% of email attacks rely on victims clicking links

"The fact you don't really hear about corporate data as the headline story doesn't mean it didn't play a role early on in the delivery mechanism for whatever security issues you're facing," Wilson continued.

"It's the data we use everyday: it's not sexy, it's just the data we rely on to run businesses and our everyday lives. It's fundamental but people just seem to miss the connection there and cyber criminals love that," she said.


Editorial standards