The cost of cybercrime is going nowhere but up. Meanwhile, the news reports on staggering incidents of mass data theft on a regular basis. If you’ve become obsessed with combatting intrusion from outside hackers and scammers, it’s understandable.

But if you’re only looking outward, you may be missing one of the leading and most damaging risks to your cybersecurity: those who work in and with your organization.

No one wants to believe their colleagues and partners would compromise their data security – either deliberately or mistakenly – but it happens more often than you would think.

It seems like eons have passed since email promised to make office communication easier, more pleasant, and more fun. Remember the feeling? No more navigating awkward voicemail menus, missing connections, or squinting at smudged faxes.

But now, as we confront our overflowing inboxes with dread every morning, many of us long to go back to the days when the desk phone was more than an inert prop and critical information was shared — shockingly — face to face.

We don’t have to tell you your organization’s IT system is deeply complex. To provide even the most basic services to your users, many layers of hardware and software combine.

Lurking within these layers are vulnerabilities – weaknesses that can be exploited to inflict costly damage on yourorganization. And as the layers of your IT system multiply, so do their vulnerabilities, whether they’re problems in the operating systems, application flaws, or improper configurations.

How do you find these weak points before the bad guys do? That’s exactly what penetration testing is for and why it is a critical part of a company’s security policy.

As we wrote in our last post, an enforceable IT security policy  is an important part of your organization’s security strategy. Unfortunately, many companies don’t have this policy. As many as one in three companies lacks an information security policy.

It’s not enough to develop this and then put it away. Depending on the size and type of your business this should be visited at least annually with the stakeholders in the systems and processes that are part of the security policy. If this is not done it is difficult to enforce and be sure it meets the needs of the business over time.

Nobody enjoys creating policy. It’s complicated, detail-oriented work and just asking for endless debates over minutiae. And the results of the arduous policy-making process are often overlooked or outright ignored. Sometimes it feels like people are going to do whatever they want to do, regardless of your well-crafted, comprehensive policy.

So why bother going to the effort of writing an IT security policy for your business? Surely, there are better ways to spend your time.

You’re on your way home from work, your trusty laptop on the passenger seat beside you so you can pick up where you left off at home. You stop in at a coffee shop to refuel for the evening, and when you get back to the car — your laptop’s gone. Someone broke in and made off with it.

Losing a laptop is never fun. At minimum, you or your company will have to pay to replace it. But your laptop login is password protected. So at least your valuable company data is safe.

Right?

Not exactly. It doesn’t take much for a hacker to crack a password-protected laptop. He could use a USB stick to boot up a new operating system, for example, and see all the files on your hard drive. Or he could simply unscrew the hard drive and place it in a different computer.

You don’t need to be a hardened sea dog to know the bigger the fish, the harder to catch — but the bigger the payoff. Cybercriminals understand this concept, too. And as their phishing  techniques become increasingly polished, they’re turning their harpoons on the leviathans of the business world: the C-suite.

When cybersecurity experts talk about whaling, they could mean one of two types of attack:

• A spear phishing attack directed against senior executives, with the goal of accessing customer data, bank account numbers, passwords, or any other valuable information. (As described in this recent Kaspersky article.)
• A spear phishing attack in which the attackers digitally impersonate a senior executive, in the hopes of tricking lower-level employees into making a wire transfer or revealing sensitive information. (As described by Mimecast here.)

A trustful nature is, under most circumstances, not a bad character trait to have. But to cybercriminals, a little too much trust — combined with a generous dose of curiosity and inattention — is just the crack they need to worm their way into your biotech firm’s data.

Recently, I wrote about phishing , one of the most widespread and effective techniques used by hackers today to steal data, infect networks, and disrupt business. In its most basic form, phishing casts a wide net in the hopes of reeling in a few gullible individuals among thousands.

But hackers have a much more precise — and potentially devastating — weapon in their arsenal: spear phishing.

Despite all the advances in cybersecurity in recent years — iron-clad antivirus, impenetrable encryption, spookily effective spam filters — hackers are still breaking into even the most secure organizations by taking advantage of their weakest position: the human element.

According to some estimates, up to 91 percent of data security attacks begin with a false email intended to dupe the receiver into giving up login credentials or installing malicious software. This technique, a favorite of hackers worldwide, is called phishing.

You’re on the road, taking meetings, trying to scrounge up the next round of funding to keep your biotech firm growing. But just because you’re traveling doesn’t mean you can kick back and relax by the hotel pool.

Back home in the lab, the experiments continue, the data is piling up. You’ve got email to send, staff to manage, and expenses to approve. At an early-stage biotech, the work must always go on.

Good thing most hotels offer free WiFi now. Just check in, log in, and get to work.