Lukas van der Merwe, Gijima

It’s no surprise that some of the biggest security threats faced by modern businesses originate from inside the organisation. Accidental security misconfigurations can allow malicious actors to gain unauthorised access to your networks, systems and data, which can lead to financial losses, reputational damage and legal or regulatory penalties. These errors can also leave your systems and data vulnerable to abuse or accidental misuse. “It’s a bit like not changing the default code on your new luggage lock; the risk is that this default code is easily guessable or well known,” says John Murdoch, CISO, Discovery Bank.

According to VERIS (Vocabulary for Event Recording and Incident Sharing) – a set of metrics that provide a common language for describing security incidents in a structured, repeatable manner – just over a third of all observed cyber incidents to date were caused by security misconfigurations. One high-profile example happened in 2018 when a Facebook bug exposed photos from around 6.8 million users who were using third-party apps. The breach included photos that users had uploaded, but had never actually shared to the site.