Kon Leong at Harvard Business Review wrote an excellent article about the problem of employees exposing your organization to cyberthreats through human error. Here is a short quote:
"Today, cybersecurity has expanded far beyond its traditional domain of external threats, typified by external hackers attacking network vulnerabilities. It now includes insider threats, which are much more complex and difficult to manage, as evidenced by some very serious recent insider breaches, such as those involving Edward Snowden and Chelsea Manning. The nature of insider threats can be categorized into malicious, accidental, or negligent, and account for a combined 39% of all data breaches according to recent research."
Now, which departments are causing the biggest cybersecurity problems at your office?
TechRepublic wrote: "People are always the weak link when it comes to enterprise cybersecurity—but some departments are more likely to get hit and fall victim to attacks than others.
"Everyone is susceptible to these attacks. Nobody is immune," said Wesley Simpson, COO of (ISC)2. "It doesn't matter what type of organization, how strong you think you are, how much money that you're investing into your hardware and software environment to have the latest and greatest technology. We're all vulnerable, and you can't do it alone."
Here are three departments that are often most likely to fall victim to cyberattacks:
- IT and development. They are not immune to mistakes or attacks that result in security breaches, as 2017 has proved, said Forrester analyst Jeff Pollard. For example, we saw that Amazon S3 storage buckets were a constant source of data exfiltration, often by security researchers and bug bounty hunters, but also by attackers.
- Finance. A large number of attacks in 2016 and 2017 targeted procurement and finance teams, Pollard said. These attacks attempted to get employees of the company to transfer large sums of money to the attackers, bypassing normal accounts payable procedures and controls. There's no reason to believe those attacks will drop in 2018, he added.
- The C-Suite. C-level executives—including the CEO—are the most at risk of being hacked when working outside the office, according to a recent report from iPass. These employees often work long hours, are rarely confined to the office, and have unrestricted access to the most sensitive company data, making them highly valuable and highly available targets, the report found."
The Harvard Business Review article suggests four areas where you can significantly mitigate this risk:
- Rethink employee training
- Identify high-risk users and intervene
- Shape the solution to the human user and not vice versa
- Constantly adapt to changing threats
They also make a few excellent suggestions on how to make a program like this really effective, and the effort pays off: recent research by the Ponemon Institute indicates that employee training is the third-most-effective method of decreasing the per capita cost of a breach, right after extensive use of encryption and assignment of an incident response team.
- Consider frequent and interactive training sessions
- It’s a case of train, retrain, and repeat
- Use the tried and true method of simulation, sending out mock-phishing emails
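The mock-phishing simulations above only become useful once you turn the results into a list of the users and departments that need intervention (the article's "identify high-risk users" step). The script below is an added example, not code from the HBR article or from KnowBe4, and the campaign records in it are constructed; a real simulation platform would export similar fields (user, department, campaign, clicked, submitted credentials, reported). The thresholds `min_campaigns` and `click_threshold` are assumptions you would tune to your own program.

```python
"""Rank users and departments by mock-phishing simulation results.

Added example, not from the HBR article or KnowBe4. The records in SAMPLE
are constructed to illustrate the aggregation; field names and thresholds
are assumptions, not a vendor export format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    user: str
    department: str
    campaign: str
    clicked: bool           # user followed the lure link
    submitted_creds: bool   # user typed credentials into the fake page
    reported: bool          # user reported the email to security


# Constructed sample data: three campaigns, six users, three departments.
SAMPLE = [
    Result("alice", "Finance", "q1-invoice", True, True, False),
    Result("alice", "Finance", "q2-password-reset", True, False, False),
    Result("alice", "Finance", "q3-ceo-wire", True, True, False),
    Result("bob", "Finance", "q1-invoice", False, False, True),
    Result("bob", "Finance", "q2-password-reset", True, False, False),
    Result("bob", "Finance", "q3-ceo-wire", False, False, True),
    Result("carol", "IT", "q1-invoice", False, False, True),
    Result("carol", "IT", "q2-password-reset", False, False, False),
    Result("carol", "IT", "q3-ceo-wire", True, False, False),
    Result("dave", "IT", "q1-invoice", False, False, True),
    Result("dave", "IT", "q2-password-reset", False, False, True),
    Result("dave", "IT", "q3-ceo-wire", False, False, True),
    Result("erin", "Exec", "q1-invoice", True, True, False),
    Result("erin", "Exec", "q2-password-reset", False, False, False),
    Result("erin", "Exec", "q3-ceo-wire", True, True, False),
    Result("frank", "Exec", "q1-invoice", False, False, False),
    Result("frank", "Exec", "q2-password-reset", False, False, True),
    Result("frank", "Exec", "q3-ceo-wire", False, False, False),
]


def user_stats(results):
    """Per-user counts: campaigns received, clicks, credential submissions, reports."""
    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "creds": 0, "reported": 0})
    for r in results:
        s = stats[r.user]
        s["sent"] += 1
        s["clicked"] += int(r.clicked)
        s["creds"] += int(r.submitted_creds)
        s["reported"] += int(r.reported)
    return dict(stats)


def high_risk_users(results, min_campaigns=2, click_threshold=0.5):
    """Users who clicked in at least click_threshold of their campaigns.

    min_campaigns avoids flagging someone on a single click: one lure is not
    a pattern, and the point is to find repeat clickers to retrain.
    """
    flagged = []
    for user, s in user_stats(results).items():
        if s["sent"] >= min_campaigns and s["clicked"] / s["sent"] >= click_threshold:
            flagged.append(user)
    return sorted(flagged)


def department_summary(results):
    """Click rate and report rate per department, rounded to two decimals."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    reported = defaultdict(int)
    for r in results:
        sent[r.department] += 1
        clicked[r.department] += int(r.clicked)
        reported[r.department] += int(r.reported)
    return {
        d: {
            "click_rate": round(clicked[d] / sent[d], 2),
            "report_rate": round(reported[d] / sent[d], 2),
        }
        for d in sent
    }


if __name__ == "__main__":
    for dept, s in sorted(department_summary(SAMPLE).items()):
        print(f"{dept:8s} click_rate={s['click_rate']:.2f} report_rate={s['report_rate']:.2f}")
    print("repeat clickers to retrain:", ", ".join(high_risk_users(SAMPLE)))
```

On the constructed data this flags alice and erin for retraining and shows Finance with the highest click rate and IT with the highest report rate; the report rate matters as much as the click rate, because a department that reports lures quickly is the one that will shorten your response time on a real phish.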
However, 48% of respondents in a major recent survey say they do not have an employee security awareness training program.
A recent report by PwC (PricewaterhouseCoopers) called "Strengthening digital society against cyber shocks", covering key findings from The Global State of Information Security Survey 2018 (GSISS), showed that:
- "Forty-four percent of the 9,500 executives in 122 countries surveyed by the 2018 GSISS say they do not have an overall information security strategy.
- Forty-eight percent say they do not have an employee security awareness training program, and 54% say they do not have an incident response process."
“Many organizations need to evaluate their digital risk and focus on building resilience for the inevitable,” said Sean Joyce, PwC’s US Cybersecurity and Privacy Leader.
We can add to this the following from a ransomware report by AlienVault:
- Security professionals rank user awareness training the most effective tactic to prevent and block ransomware (77%) followed by endpoint security solutions (73%), and patching of operating systems (72%) as preventive approaches to ransomware threats.
Harvard Business Review ends off with: "It’s true that to err is human, and humans will keep erring. But increasingly, technology and improved practices can help you identify those employees who are most at risk of exposing your company to a cyberattack — before it becomes a major problem."
Excellent ammo to add to a request for IT security budget for security awareness training. Here is a direct link to the article: https://hbr.org/2017/12/which-of-your-employees-are-most-likely-to-expose-your-company-to-a-cyberattack
I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.
Let's stay safe out there.
Founder and CEO, KnowBe4, Inc