
Vulnerable or Not? How Your Employees Respond to Cyber Threats

October 12, 2018


With the risk of a cyberattack now being classified as the top threat to organizations, companies all around the globe are still hesitant to spend money to improve their security systems or train their employees. Security threats can put an organization and its customers’ sensitive information at risk, costing it in terms of customer loss, diminished trust in the brand or even regulatory fines. Although recent research shows an improvement in the field, even organizations with strong security practices are still vulnerable to human error.

Human error continues to be a key cause of cyberattacks

Measures like firewalls, email filtering, security patches and up-to-date software are well known to businesses of all sizes. However, even if you have the right security software and monitoring in place, you may still be overlooking the biggest threat: your employees. Last year, Lastline surveyed 134 Black Hat USA 2017 attendees and found that almost 55 percent of respondents’ organizations had suffered a cyberattack, while 84 percent of those attributed the breaches at least in part to human error. One of the most common mistakes made by employees is sending documents to unintended recipients. Human error is not limited to giving away identities and access credentials in phishing attacks. Other errors that employees and management make include hiring criminals due to improper background checks, allowing inactive and orphan accounts with no owner to exist, creating an excessive number of highly privileged accounts, and sharing passwords.

Critical safeguards for your organization

According to leading industry and government reports, over 90% of all cyberattacks are successfully executed with information stolen from employees who unwittingly give away their system IDs and access credentials to hackers. Implementing a strong employee security training program is consistently noted as a key way for organizations to prevent breaches of their systems. Here are some critical safeguards for your organization.

Simulated phishing programs

Phishing attacks are the leading cause of external data breaches. Organizations of all sizes need to ensure that staff members can recognize malicious emails or links, refrain from clicking on them, and know whom to notify about the incident. Programs that simulate phishing attacks on employees and vendors can be effective at training users to identify and avoid these types of attacks. Such programs also establish a baseline for how susceptible employees currently are and identify the users who need additional training.

Manage access rights and privileges

Organizations can substantially reduce their likelihood of human error causing a data security incident by adhering to the least-privilege principle. This means that users should be given only the minimum access to sensitive data necessary to perform a job and that access should only be granted for the minimum time necessary.
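The account-hygiene problems named above (orphan accounts with no owner, inactive accounts, too many privileged accounts, and access grants that are not time-bound) can be checked mechanically. The following is an added example, not code from the original article; the account export format and the thresholds (90 days inactive, 30-day maximum grant, at most 2 admins) are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed sample account export (hypothetical data, not from any real directory).
ACCOUNTS = [
    {"user": "alice", "owner": "alice", "roles": ["admin", "staff"],
     "last_login": "2018-10-01",
     "grants": [{"resource": "payroll-db", "expires": "2018-10-31"}]},
    {"user": "bob", "owner": "bob", "roles": ["staff"],
     "last_login": "2018-10-10",
     "grants": [{"resource": "crm", "expires": None}]},
    {"user": "svc-backup", "owner": None, "roles": ["admin"],
     "last_login": "2018-03-02", "grants": []},
    {"user": "carol", "owner": "carol", "roles": ["admin"],
     "last_login": "2018-09-28", "grants": []},
]

def audit_accounts(accounts, today, inactive_days=90, max_grant_days=30, max_admins=2):
    """Return (user, finding) pairs for least-privilege and ownership violations."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Orphan account: nobody is accountable for reviewing or removing it.
        if acct["owner"] is None:
            findings.append((user, "orphan: no owner"))
        # Inactive account: unused credentials are an easy target if leaked.
        last = date.fromisoformat(acct["last_login"])
        if (today - last).days > inactive_days:
            findings.append((user, f"inactive: last login {acct['last_login']}"))
        # Grants must expire, and only after the minimum time necessary.
        for grant in acct["grants"]:
            if grant["expires"] is None:
                findings.append((user, f"open-ended access to {grant['resource']}"))
            elif date.fromisoformat(grant["expires"]) - today > timedelta(days=max_grant_days):
                findings.append((user, f"grant on {grant['resource']} exceeds {max_grant_days} days"))
    # Too many highly privileged accounts widens the blast radius of one mistake.
    admins = [a["user"] for a in accounts if "admin" in a["roles"]]
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} privileged accounts, limit is {max_admins}"))
    return findings

def audit_sample():
    """Run the audit over the constructed export as of the article's date."""
    return audit_accounts(ACCOUNTS, date(2018, 10, 12))

if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user:12} {finding}")
```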

Training employees on the organization’s security policies

Training and awareness programs for employees and vendors who handle sensitive information could prove very useful in avoiding incidents such as disposing of devices without first wiping the data. Training your employees on security policies and procedures should be part of the onboarding process and should be included in the periodic training.

Encryption of devices and portable storage

As more and more users store sensitive information on their laptops, mobile devices, and portable storage devices, the frequency of lost or stolen data will continue to rise. Organizations should seek to implement the full encryption of all devices that may contain sensitive organizational data.  

Web filtering and responsible sharing on social media

Inarguably, the internet is a valuable resource for many positions in your organization, but browsing online can also mean treading dangerous waters. With web filtering, employees can be blocked from accessing websites that are known as malicious. Usage of social media in the workplace is a bit of a nightmare for most security professionals, as employees post their birthday, vacation plans, or phone number publicly. It’s the kind of personal data often used in a phishing attack.  

A cybersecurity talent gap

Cybersecurity Ventures predicts there will be 3.5 million cybersecurity job openings by 2021. The cybersecurity job forecasts have been unable to keep pace with the dramatic rise in cybercrime, which is predicted to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. A new report by Capgemini’s Digital Transformation Institute has highlighted an urgent and growing cybersecurity talent gap. The study surveyed over 1,200 senior executives and front-line employees from around the world while analyzing social media sentiment of more than 8,000 cybersecurity employees. According to researchers, “by adopting acquisition, training, and retention strategies that will appeal to cybersecurity talent, organizations can take an important step in upgrading their cyber protection for the current and emerging risks of our connected world.”

The growing complexity of security challenges means that measures like keeping your antivirus up to date and hiding the network behind a firewall are now futile by themselves. Remember that no cybersecurity solution can keep you perfectly safe, but the right one can drastically cut the risks and minimize the damage of a worst-case scenario. Cybersecurity is everyone’s responsibility, so it’s a good idea to start with your most valuable resource: your employees.