Businesses have suffered huge losses due to cybersecurity incidents, however a large number of these incidents could have been avoided had it not been for the ‘human factor’ of employees, these are typically known as ‘insider security threats’.
The UK Information Commissioner’s Office (ICO) tells us the vast majority (90 percent) of UK cyber data breaches are caused by human error. Staff, whether intentionally, through carelessness or lack of knowledge, are putting the businesses they work for at risk of cyber breaches.
Breaches don’t have to be caused by someone acting maliciously, many incidents are the result of a genuine mistake made by an employee who wants to do their job to the best of their ability, or even a contractor, who may pose a bigger risk due to lack of policy knowledge and training.
- Phishing scams are one of the most common ways hackers gain access to sensitive or confidential information. Staff clicking on a malicious link or downloading an infected attachment from a seemingly genuine email.
- Malware can penetrate your network when staff are navigating hacked websites, downloading infected files or opening emails from a device that lacks anti-malware security.
- Using public wifi spots, with employees thinking that public wifi is safe when they are in a trusted location, public wifi is never safe.
- Employees using their own ‘unprotected’ devices for work purposes.
- The physical loss or theft of a device, be it personal or one provided by an employer.
- Smart phones, tablets and laptops not being locked or password protected.
- Poor password hygiene, employees using the same password across multiple devices, apps and websites, and not using multi-factor authentication or extra security measures.
- Saving and sharing work files between work and personal devices, using unauthorised storage devices to transfer files etc raise the risk of networks being hacked.
- Letting family and friends use work devices for personal browsing.
- Unauthorised access to data can occur when an employee has access to data they don’t need to, or if they stumble across data accidentally, both can happen if the organisation doesn’t set up appropriate access controls.
- Providing sensitive information to the wrong person. This could involve sending an email to the wrong person, attaching the wrong document to an email or even handing a physical file to someone who shouldn’t have access to the information.
- Misconfiguration of devices and software where staff do not install the latest security updates and patches, leaving their devices and accounts at risk of breaches.
- Social engineering is perhaps one of the most sophisticated scams that employees face. Criminals use psychological manipulation to trick users into making security mistakes or giving away sensitive information. They contact staff members under false pretenses, by a mix of phone, email and even professional networking sites, working to gain their trust, manipulating them to carry out unauthorised activity. What’s more, using business email compromise (where criminals spoof a genuine email address), emails purporting to be from partners, banks or even senior members of staff (such as CEO fraud), usually taking form of an ‘urgent’ request, encourage more junior staff into wiring money to the wrong recipient or disclosing confidential business information.
Whilst the majority of ‘insider security threats’ are down to human error, businesses must also consider the risks posed by ‘rogue employees’. Rogue employees also don’t have to be malicious. Consider a team member ignoring security policies because they feel under pressure to get the job done, or a staff member moving onto pastures new and wanting to take files of their work with them, not realising they are in fact company assets. Malicious risks come in the form of disgruntled individuals who have a grudge to bear so intentionally ignore security policies, or perhaps a member of staff leaving under a cloud, copying and taking sensitive data with them to share with a competitor.
Your business needs to be resilient to all insider security threats. From ongoing staff training, implementing system controls and monitoring, to enforcing strong access control policies, you can’t afford to ignore the human factors of cyber security risks.
Some of the solutions we recommend to counter insider threats are:
- An expert managed cyber security team to monitor and protect
To find out how exposed you really are, and for advice on how to mitigate cyber risks, get in touch with the Infosec Partners team today.