The cyber risks facing firms grow daily, with savvy and experienced hackers looking to target both the firm’s financial, corporate assets and, more concerning, their untrained and unaware employees. The threat posed to the business and its network of suppliers and partners by naïve employees, known as an insider threat, is perhaps the most dangerous of all. The threat is very real. Research reveals that between 90% and 95% of attacks have human error as the leading cause.
Insider threats are those that emanate from within an organisation and include past and current employees, third-party contractors and malicious parties with access to the internal network. Those operating with malicious intent are the least common, while current employees who are unaware of the threats pose the most common risk.
Even when firms excel in the technology side of cyber security, we often see their defences crumble when their employees are exploited. After all, technology is just one part of comprehensive cyber security.
Today’s hackers are creative and diligent. They are experts in manipulation and crafty in their delivery.
People can either be part of the problem or the solution
The easiest way for hackers to get into a firm is by exploiting the employees inside it. Common tactics are easily executed and include phishing and social engineering, with the most common hacking delivery mechanism being via email. Of course, this can be distributed on a large scale. These involve researching and finding out personal information about an employee which can then be used to gain access to the network.
These types of attacks are usually highly personalised to appear legitimate and loaded with malicious software. If an unsuspecting employee clicks on a malicious link, they may not even be aware anything has happened for quite some time. And some malicious software can sit hidden within the corporate system and record keystrokes, or hunt for sensitive corporate and financial information.
Equally, even if an employee is aware they have granted access to a potential attacker, they must admit to their mistake. Too often, the ‘fear factor’ stops them from confessing their error, meaning the malicious software has plenty of time to cause damage and steal data. This also perhaps helps to explain why the average time it takes organisations to detect an attack within their network remains incredibly high – over 200 days.
How can businesses mitigate the risks?
Despite what many businesses believe to be an IT issue, this is not about technology. Firms must regularly train all employees, contractors and third-party organisations who have access to data about the risks posed and common hacking techniques to watch out for. Given the consequences for the firm and its network, it’s vital to have comprehensive protections in place.
Working with a cyber expert who can educate employees will help negate the insider threat. With a better understanding of the risks, employees will know what the impacts of an attack are, what to look for, and what action to take in case of malicious activity. Quick wins, such as using complex passwords, regularly changing passwords, and dealing with suspicious emails, are basic procedures which quickly improve the cyber defences. Additionally, ongoing employee education and awareness then helps cultivate a workforce to fortify against theft, fraud and damage from within.
Awareness training can include activities such as getting staff to participate in NCSC certified course modules, including cyber security into personal development, linking employee progress to organisational risk, and improving the ability to identify weak links.
Peace of mind
As regulatory pressures mount and the risks become more complex, ensuring strong cyber protection from insider threats is paramount. People can either be part of the solution or part of the problem. If they are to be part of the solution, they will form a strong and robust ‘human firewall’ to mitigate the risk. If they are part of the problem, they will present easy access to criminals.
Insider threats are the hardest cyber threat to deal with. They create reputational, regulatory and financial risk for firms. To mitigate the risks, it all starts with education and training. This will turn employees into a cyber security asset, rather than a vulnerability
Mitigate Cyber have an array of products and services that can help you protect your organisation by ensuring your employees are equipped with all the correct knowledge. The most popular tool is our innovative online training portal, Mitilearn.
Find out more about our scenario based interactive awareness training for all your staff covering 4 key areas of concern.