“Some workstations in companies have administrative rights, and that’s where an admin’s password could be hacked,” Litan added. Or an attacker might learn that a service contractor had worked for the manufacturer of a point-of-sale (PoS) system, compromise the contractor to obtain its passwords, and use those credentials to gain entry to the PoS.
“There are so many hacks now,” Litan said. “Compared to 10 years ago, systems are more connected than ever.” In the 1990s, private-sector use of the internet was only just beginning; it has grown exponentially since.
Reports of hacks and those not reported
A factor complicating the private sector's cybersecurity dilemma is that companies don’t want to talk publicly about having been hacked, for fear of losing customers or investors. Analysts believe there are many more hacks against enterprises than are being publicly reported.
Companies that are doing better with the newer cybersecurity systems -- especially financial services and telecommunications -- don’t want to brag about their achievements out of concern they will only invite attacks.
Some attacks are widely discussed with a lot of Monday morning quarterbacking. They include the Sony Pictures hack in 2014 and the data breach of retailer Target in late 2013, where malware on PoS terminals stole data on about 40 million credit and debit cards and personal information on up to 70 million customers was also exposed.
Many hacks of private sector companies are not detailed in public, as indicated by the admissions of employees in anonymous surveys. A new survey of 3,027 IT workers and end users at U.S. and European organizations found 76% had been hit by the loss or theft of important data over the past two years, a sharp increase from 67% in a similar survey done in 2014.
The survey was conducted by the Ponemon Institute, an independent research and education group focused on information and privacy management. Of the 1,371 end users in the survey, 62% said they had access to company data that they probably shouldn’t see. IT workers in the survey said negligence by insiders was more than twice as likely to cause insider accounts to be compromised as other causes such as external attacks or the actions of disgruntled employees or contractors.
The institute concluded that data loss and theft were due largely to compromised insider accounts, exacerbated by far wider employee and third-party access to information than is necessary. It also said companies continue to fail to monitor access activity around the email and file systems where most sensitive data lives.
The level of security varies by industry segment. Healthcare institutions, specifically hospitals, almost always get a bad mark. IDC said in a recent report that hospitals, universities and public utilities rank worst in their security capabilities and practices.