Human liability in security

You can buy all of the best firewalls and tools but are you making the same level of investment on educating your workforce.

2 educate employees
Thinkstock

Cyber attacks are in the news daily. Often the headlines sound alarms about hacktivists or hackers from across the globe, but shocking headlines overlook a key statistic. According to a 2016 report published by IBM (registration required), up to 60% of all cyber attacks result, often unwittingly, from the actions of people inside or closely connected to the company.

Some estimates put the global cost of cybercrime at 2.1 trillion by 2019, with 20% of cyber attacks directed at small and medium-sized businesses. Despite higher investments in security, big business provides larger targets and continues to be a favored mark.

This growth trend in cyber attacks has fueled outside industries including cybersecurity companies and insurers selling cyber-insurance, the latter of which expects business to triple in the next three years.

Mom and Pop shops aren't ready for this cyber wave, and big business isn't as prepared as once hoped.

Insiders open the cyber-doors

The role of insiders has taken many forms. Awareness is a key to reduced risk, but most employees are not well-educated on the scope of the threat. Even corporate leaders need a better understanding of the risk. EY's 2015 Global Information Security Survey found that 44% of executives said that employees posed the greatest cyber threat, much lower than the 60% said to be involved by the IBM report. 

Reportedly, two-thirds of data breaches attributed to employees have been unintentional. Clicking the wrong email attachment, falling for a ruse by email or by phone, or use of insecure passwords all can open the gates to the cyber kingdom. It's a numbers game. Cyber criminals know that if they try enough doors, one will be found open, and they've learned which doors to check first. The remaining third or data breaches have been financially motivated, including those involving cyber-espionage.

Verizon's 2017 Data Breach Investigations Report is at odds with some of the figures reported by IBM, EY, and others, with 25% of breaches attributed to people inside the compromised company. The difference may be due to the methodology used for collecting and reporting data.

Top targets for cyber attacks in the Verizon report were financial organizations at 24% or data breaches. Healthcare organizations, public sector entities, and retail and accommodation organizations all followed, ranging from 12% to 15% of all reported breaches.

The Verizon report indicated that 61% of the data breach victims were companies with under 1,000 employees and that in testing 1 out of 14 people opened a suspicious email attachment or clicked a link that led to trouble. A quarter of those tested did it more than once. In a company of 1,000 employees, 70 staffers are likely to open pandora's box unwittingly.

Some companies run their own internal testing, sending suspicious emails to employees and then measuring click rates. Employees are encouraged to report phishing if an email subject or sender looks peculiar. Upon opening a suspicious email, the employee is greeted with a message explaining that the message was a test that should have been reported. While this practice does increase awareness of a threat, these same employees may not be aware of the full corporate risk.

Many employees think of suspicious email links and phishing attempts as being an inconvenience, but one that can be fixed by the IT department, not one that can take down servers, shut down parts of the company, compromise sensitive data, or potentially cost millions. All of these things are possible, and all have happened with the click of a mouse in an office or cubicle.

What can be done to Increase Cybersecurity?

Clearly, employees are on the front line. Regardless of safeguards put in place, a large role of IT departments, security departments, and security contractors is often to clean up the mess left behind after a cyber attack or breach. Employees with higher clearances within a company also pose a large risk because of their access to more sensitive data, some of which may even be available on their laptops or company-issued devices.

Email and the use of insecure or default passwords are the most common doorways used to gain cyber entry. The Verizon report cites over 80% of hacking-related breaches taking advantage of stolen passwords or weak passwords. The report also indicates that nearly 70% of malware that affects businesses is installed by clicking on malicious email attachments. 

Using the same cybersecurity techniques used in the past may not work against the future cyber attacks and attempted data breaches. Ultimately, it comes down to increased awareness and firewalling devices and software so that these devices cannot be used to reach the most sensitive data. Most employees and even executives are aware that cyber attacks are real and can happen. However, the lingering impression is that cyber attacks and data breaches happen on the nightly news and in the news headlines and that they happen to other companies.

Most employees and even executives are aware that cyber attacks are real and can happen. However, the lingering impression is that cyber attacks and data breaches happen on the nightly news and in the news headlines and that they happen to other companies.

Employees can be trusted with the numbers that represent the company's potential financial exposure and the truth that every company has a real risk of cyber attack, including theirs. Understanding the gravity of the problem can help to get the team on board with security measures, instead of viewing them as an inconvenience. Any witting perpetrators within the company are already aware of the risk and may already be plotting their reward. A more pointed education for the broader base of employees should be implemented and reinforced regularly.

This article is published as part of the IDG Contributor Network. Want to Join?

NEW! Download the Fall 2018 digital issue of CIO