Employees are the weak link in your cyber security
So, you think that the biggest threat to your cyber security is still external? Think again. The biggest threat to your cybersecurity today isn’t sketchy people in different coloured hats – it’s your employees.
Hackers may be becoming more advanced; however, the percentage of cyber risks due to internal human error is substantially higher than the level of external threat. Anna Aquilina, director of EY’s EMEIA Cybersecurity Centre of Excellence, explains that “people are just a very large attack surface. Whether it’s a nation-state, a hacker or an organised criminal network, they will look for ways ‘in’ through people.” As businesses shift more and more into the digital space, it is no surprise that cyber security has become globally the fastest-growing industry in 2018. The question therefore is – why have employees become the weakest link in cyber defence and how can businesses holistically calibrate cyber security in their core competencies?
What’s going wrong?
Due to the vast range and complexity of potential scams, employees can be targeted or exposed to risk in numerous ways. Most commonly, unsuspecting staff are compromised by schemes such as email phishing, spoof websites and downloads with embedded malware. In 2014, as many as 100 eBay employees were targeted by a phishing campaign that infiltrated eBay’s internal network. The attackers had unprecedented access to eBay’s systems for a staggering 229 days – along with the personal details of over 145 million customers!
Emails from ‘reputable’ companies such as PayPal or Apple iTunes may not be what they appear. All it takes is for one employee to click an embedded link and a virus can download and infiltrate the business’s entire computer system in minutes. It is also not unheard of for scammers to pose as other employees, banks or even friends in a bid to gain access.
Examples of successful scams include HMRC emails suggesting the receiver is due a rebate – all they must do to claim it is enter a few personal details. Similar scams involved sending spoof invoices from PayPal, prompting the user to enter their details to validate or decline a transaction.
Workers who access the system remotely without adequate protection can also find their data exposed via unsecured public Wi-Fi networks in hotels and meeting venues. Lack of suitable malware protection, outdated operating systems and inadequate firewalls can all leave your staff unwittingly open to data exposure.
Removable hardware and storage devices such as USB sticks, external hard drives and memory cards (often holding unencrypted or sensitive data) can be lost, misplaced in public places or even stolen. The same goes for entire laptops, tablets and mobile devices used for work. 18% of data security incidents in 2015 were the result of lost or stolen devices. Similarly, cloud-based and third-party storage systems may not always be as secure as an employer may hope or expect.
Finally, many people still write passwords down or store them in a central location – making them one simple hack away from total infiltration.
Simple steps to protect your employees… and your business!
Above all, a culture of cyber-security awareness needs to be built across the whole organisation. Competency in cyber-security needs to be assessed at the recruitment stage, and current employees should be continually retrained.
Other preventative measures could include:
The ultimate answer to cyber-security woes is… education
Informed and equipped employees are the best defence against the majority of cyber-attacks. Cyber security eLearning outlets and training programmes allow employees to study, improve and qualify whilst working. This not only directly impacts the cyber-health of your company and industry, but also promotes growth and development in satisfied and nurtured employees.
Whilst there is a plethora of precautions that can be taken to better protect your employees and your business, complete mitigation is ultimately impossible. However, as far as possible, steps towards creating a culture of heightened awareness and quality training schemes should be undertaken to minimise potential financial losses.