Employees have long been viewed as the ‘weakest link’ in a business’s cyber security chain and, with human error still being the number one cause of data breaches, that unwanted title can still be applied to many businesses today.
But what makes employees such an insider threat to your business?
In this article, we’ll guide you through the different types of insider threats within your business and the key reasons why businesses suffer a user-related data breaches.
Oh, and we’ll also give you some advice on mitigating all of the above!
What are the different types of insider threats within your business?
According to Verizon’s Data Breach Investigation Report (DBIR), over 85% of data breaches involve the ‘human element’. A common misconception here is that all user-related data breaches are caused by simple negligence – e.g. clicking on a phishing email.
The fact is, although negligence plays a huge role in most user-related data breaches, a big portion of these breaches are caused by additional or completely separate factors.
According to Verizon’s report, these are the three main types of insider threats:
Negligent users make up 61%
These types of users can be defined as those who commit acts like copying the wrong person into an email, attaching the wrong file to an email or clicking on a malicious phishing link.
Negligent users, with credentials exposed on the dark web, make up 25%
These types of users are less common but are even more at risk than solely negligent users. That’s because these employees have credentials – such as usernames and passwords – that are exposed on the dark web. These exposed credentials are often used by attackers to launch hyper-targeted campaigns that appear to be much more legitimate than the traditional mass-mail phishing attacks.
Malicious users, make up 14%
Most employees never show malicious intent towards the business but, unfortunately, there are a few that do. These malicious motivations often involve a disgruntled current or ex-employee downloading sensitive company information – often to sell on to a competitor or to leverage in a new job/business venture.
Why are employees such an insider threat?
Humans make mistakes
From misdirecting an email to attaching the wrong file, every employee makes mistakes from time to time. In fact, 43% of employees say they’ve made a mistake at work that compromised cyber security. The issue is, these types of seemingly minor mistakes can result in sensitive data making it into the hands of a cyber criminal or onto the dark web, which can then be leveraged in a targeted attack.
Humans are lucrative targets
A surprising amount of information about your business can be found online, including your suppliers, contractors, and customers. This makes it easy for attackers to impersonate internal and external contacts, and all it takes is for one person to be successfully duped for your business to be at risk.
The most common technique that attackers use to target employees is phishing. These types of attacks have evolved in the past few years, relying less on tricking users through generic ‘send-to-all’ email scams and focusing more on ‘spear phishing attacks’, using prior research to target and dupe a target.
Humans break the rules
People in any business are capable of breaking the rules, be it maliciously or accidentally. But a large portion of rule-breaking ventures further than not abiding by password policies – some employees can go as far as to steal corporate data and sell this on the dark web.
Most cases, however, are less malicious and mainly revolve around staff looking to cut corners – like sharing their password with a colleague so that there isn’t the need to create a separate account for a service.
How to transform employees into a cyber security asset
To solve their human cybersecurity problem, many businesses look to launch annual or quarterly security awareness measures – like a once-per-year workshop for all staff.
The problem is, these sessions are often too infrequent and unengaging for employees to actually soak up the information and apply it to their everyday work life. Regular, short and engaging training is needed in order for employees to be well-versed on the latest threats, whilst not forgetting the best practices they’ve learned before.
Build a security-savvy workforce through Human Risk Management (HRM)
Human Risk Management (HRM) is the modern approach to building a security-savvy workforce without hindering employee productivity.
Through our fully managed HRM service, you’re able to understand and reduce human cyber risk over time through regular security awareness training, periodic phishing simulations, dark web monitoring and simplified policy processes.
To celebrate the launch of our HRM service, we’re giving you the opportunity to calculate your human cyber risk with a free Human Risk Report (HRR).
Through a few steps, we’ll calculate the human risk score of your business and provide you with a clear action plan for strengthening at-risk areas.