Employees: The Weak Link in Your Company’s Cybersecurity

We’ve said it before, but it’s worth repeating, because time and again the evidence confirms it: employees are a significant threat to your organization’s cybersecurity. (See blog post: What’s the Biggest Cybersecurity Threat? Employees.) It’s not necessarily that they want to sabotage their employer, but the reality is that they are often the cause of security breaches. Consider the evidence and learn how to bolster your defenses.

A REAL THREAT:

  • Each month, almost 90% of organizations experience at least one inside threat, and an average organization experiences 9.3 inside threats monthly, according to an October 2015 Skyhigh Networks report.

  • A December 9, 2015 study by the Association of Corporate Counsel Foundation reveals that, “although employee error is the most common reason for a breach…fewer than half of in-house counsels reported that mandatory training exists at their companies.”

  • This is similar to the findings presented in a June 2015 Insider Threat Report by Crowd Research Partners indicating that fewer than 50% of organizations have controls to prevent insider attacks.

  • Sixty-two percent of cybersecurity professionals see insider threats growing, according to First Advantage’s 2015 cybersecurity survey.

  • And, 78% of security professionals say the biggest threat to endpoint security is negligent or careless employees who do not follow security protocols, as reported in 2015 by the Ponemon Institute.

To make matters worse, the tactics and trickery of cybercriminals keep changing, but they know employees are good targets. Last week, for example, Focus Data Solutions warned its clients of a new email scam related to fake wire transfer requests. The scammer sends an email to a target recipient, often pretending to be a senior executive inside the organization. Criminals usually send the fake wire transfer emails to employees working in the finance department, as those employees will have the ability to fulfill payment requests. An untrained, unsuspecting employee may be duped into making a costly error.

SOLUTIONS:

Specifically, for the wire transfer or similar scams, companies can take a number of steps:

1) Instruct employees never to respond to or forward these types of emails without prior, credible authorization.

2) Create an internal authorization system for wire transfers that requires in-house signatures prior to transactions.

3) Require employees to confirm legitimate wire transfer requests via direct communication, such as direct telephone calls to a known, authorized contact point.

4) Never put accounting information, passcodes or banking instructions in an email.

More generally, the answer to the question of how best to avoid inside threats is vigilance, established protocols, employee training, and a corporate culture that takes cybersecurity seriously.

For more help to determine the nature of cybersecurity threats, your organization’s vulnerability, and what you can do to thwart attacks, FDS has created a free resource for small and mid-sized companies in the form of an easy-to-understand e-book.