27 Apr Cyber-attacks and data breaches: the role of your employees
“Computers don’t steal information, people do!”
Cyber-attacks and data breaches are on the rise, and it is easy to assume they are all the work of criminal hackers out for financial gain. That is not the case: last quarter, four of the five leading causes of data breaches were found to be human or process error.
Staff failing to follow workplace security policies, and criminal hackers finding ever more ways to exploit members of staff, are a growing problem.
Staff can cause data breaches in a number of ways, but there are a few that have become particularly common.
Employees can misuse their organisation's data deliberately or accidentally; either way, the effect is harmful.
A CIO Insight survey found that 20% of organisations have experienced a data breach caused by a former employee. Much of this is because companies fail to follow basic security measures when it comes to employee provisioning and de-provisioning.
Malware, short for malicious software, is an umbrella term for a variety of harmful or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other malicious programs.
1 in 131 emails contain malware. Email is still the number-one way hackers deliver malware. Email scams cost businesses $3 billion over the past 3 years and target more than 400 businesses every day.
Phishing is the most common, easiest and cheapest way to steal credentials and other sensitive information from employees and other system users.
Phishing scams target and attempt to trick staff into handing over company data, typically through emails that appear to come from a trustworthy source. The emails try to get targets to reveal sensitive information, such as usernames, passwords or financial details, and might also try to install malware through a malicious link or attachment.
In May 2017, 1 in every 2,998 emails was a phishing email.
Phishing emails are not always easy to detect, which is why they have become such an effective way for criminal hackers to gain access to company data.
A study by OneLogin found that 85% of IT decision makers feel they have adequate password protection measures in place. In reality, most fail to enforce even basic password requirements, leaving their businesses at significant risk of a data breach: less than a third (31%) require employees to rotate passwords monthly, and half (52%) admitted to requesting rotation only once every three months. Rotation frequency alone is a poor measure of password hygiene, though: current NIST guidance (SP 800-63B) advises against forced periodic changes and instead favours long passphrases, screening new passwords against lists of known-breached passwords, and multi-factor authentication.
The problem is compounded when the same password is reused across multiple accounts: one leaked credential then gives a criminal hacker access to company data.
Do you want to know how to set a strong password? Stay tuned for our next article.
What can be done?
Humans are the weakest link in the cyber security chain. Employees can compromise your company’s security by clicking on links in phishing emails, using weak passwords, and carelessly handling data. While employee training is an important part of preventing social engineering, it’s not enough. It’s unrealistic for anyone to consistently distinguish malicious emails from legitimate ones. No single technological solution exists to protect your organization.
Rather, balancing the proper protective technology with user training is a better defence from cyber-attacks:
- Recognize your network security's strengths as well as its limitations
- Design principled security policies that all staff sign up to for their use of IT
- Automate security enforcement as much as possible
- Improve identity and access management processes to reduce employee errors and, ultimately, security breach incidents
- Introduce mandatory, frequent training that reminds employees of cyber security risks and of the consequences of violating security policies, for the organization and for themselves (including their employment)
- Build a culture of security from the start: actively engage employees on the risks of cybercrime and involve them in data breach solutions
Employees should also understand the risks of taking devices containing confidential data out of the secure workspace (they can be stolen from cars and homes), of disposing of devices and data improperly, and of sending confidential files and messages through unsecured channels or to the wrong recipients.
And be ready.
- Run background checks
- Watch employee behaviour
- Use the principle of least privilege (the fewer privileged employees you have, the easier it is to protect your data)
- Educate your employees
- Control user access and monitor user actions
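The provisioning and de-provisioning failures mentioned earlier, together with the least-privilege and access-monitoring points in the list above, are the easiest of these controls to automate. The following is an added example, not code from the original article: a small Python audit that cross-checks a directory export against the HR roster and flags accounts of people who have left but are still enabled (including any logon after their end date), accounts with no HR owner, accounts that have not logged on within a stale-days window, and privileged-group members who are not on an approved-admin list. The roster, directory export, group names, approved-admin list and fixed "now" are all constructed for the example.

```python
from collections import Counter, namedtuple
from datetime import datetime, timedelta, timezone

Finding = namedtuple("Finding", "user kind severity detail")

# Constructed sample data for this example (not from the article): a minimal HR roster
# and a directory export of the kind you would pull from AD, Okta or any other IdP.
HR_ROSTER = [
    {"user": "alice", "status": "active"},
    {"user": "bob", "status": "terminated", "end_date": "2024-03-01"},
    {"user": "carol", "status": "active"},
]
DIRECTORY = [
    {"user": "alice", "enabled": True, "groups": ["finance-users"],
     "last_logon": "2024-05-20T09:12:00+00:00"},
    {"user": "bob", "enabled": True, "groups": ["vpn-users", "domain-admins"],
     "last_logon": "2024-04-10T17:45:00+00:00"},
    {"user": "carol", "enabled": True, "groups": ["engineering", "domain-admins"],
     "last_logon": "2024-01-05T08:00:00+00:00"},
    {"user": "svc-backup", "enabled": True, "groups": ["domain-admins"],
     "last_logon": "2023-06-01T00:00:00+00:00"},
]
PRIVILEGED_GROUPS = {"domain-admins"}            # membership needs explicit approval
APPROVED_ADMINS = {"carol"}                       # hypothetical approved-admin list
STALE_DAYS = 90                                   # no logon for this long => review/disable
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible


def audit_accounts(roster, directory, now=NOW, privileged_groups=PRIVILEGED_GROUPS,
                   approved_admins=APPROVED_ADMINS, stale_days=STALE_DAYS):
    """Cross-check enabled directory accounts against HR and return a list of Findings."""
    hr_by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue                               # disabled accounts are not an exposure here
        user = acct["user"]
        hr = hr_by_user.get(user)
        last_logon = datetime.fromisoformat(acct["last_logon"])
        priv = sorted(set(acct["groups"]) & privileged_groups)

        if hr is None:
            # No HR record: a service account or a leftover; either way it needs an owner.
            findings.append(Finding(user, "no-owner", "high" if priv else "medium",
                                    "not in HR roster; identify an owner or disable"))
        elif hr["status"] == "terminated":
            # De-provisioning failure: the person has left but the account still works.
            end = datetime.fromisoformat(hr["end_date"]).replace(tzinfo=timezone.utc)
            findings.append(Finding(user, "orphaned", "critical" if priv else "high",
                                    f"left on {hr['end_date']} but account is still enabled"))
            if last_logon > end:
                findings.append(Finding(user, "post-termination-logon", "critical",
                                        f"logon on {last_logon.date()} after leaving"))

        idle = now - last_logon
        if idle > timedelta(days=stale_days):
            findings.append(Finding(user, "stale", "high" if priv else "low",
                                    f"no logon for {idle.days} days"))
        if priv and user not in approved_admins:
            # Least privilege: privileged membership with no approval record behind it.
            findings.append(Finding(user, "unapproved-privilege", "high",
                                    f"member of {priv} without approval"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'stale': 2, ...}, for a one-line dashboard entry."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = audit_accounts(HR_ROSTER, DIRECTORY)
    for f in sorted(results, key=lambda f: f.user):
        print(f"{f.severity:8} {f.user:12} {f.kind:24} {f.detail}")
    print(summarize(results))
```

Run against the sample data, "alice" produces nothing, "bob" is flagged three times (orphaned, a logon after his end date, and unapproved admin membership), "carol" only for a stale logon, and the ownerless "svc-backup" service account for all of no-owner, stale and unapproved privilege. In practice the two inputs come from an HR export and an IdP or LDAP query run on a schedule, and a critical finding should open a ticket rather than just print a line.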
Lastly, expect the best but prepare for the worst, because not even the best IT security solutions can fully protect against cybercrime. If you create a culture of security in your organization, rely on layered safeguards such as email encryption, web filtering and advanced threat protection, and have a sound IT security concept, you will significantly reduce the risk of a successful cyber-attack.
And if you train your employees in any other different way against cybercrime, please do share with us!