The Cyber Security Threat From Employees

One of the biggest threats to cyber security in any organisation comes from its employees, even if they aren’t behaving maliciously. We all make mistakes. We are only human, after all. Unfortunately, when it comes to cyber security, that’s also kind of the problem. The human factors in cyber security are one of the biggest challenge when building an effective threat prevention strategy.

Human error is the leading cause of data and security breaches, responsible for over 90 percent of such incidents as they are not predicable, whereas technology and computers are predictable. 

Computer systems and tech related appliances will conduct the exact task they have been coded to perform. They have no free will nor will they apply their own decisions. They cannot interpret the orders given to them depending on whether they make sense, or, if they are ethical or not. Therefore, they are reliable.

On the other-hand people are weak in security awareness and governed by emotions, characteristic traits, personal views and ideologies that dictate their actions each day. 

Furthermore, they are manipulated by persuasion or curiosity and are susceptible to everyday mood changes. People are the weak link between an intruder and security and their behavior can lead to exploitation. Cyber-crime is solely human related and security is a people problem. 

Three reasons explain why technology and security are inter-correlated with humans. 

  • Firstly, people are in control of systems and technology, not the other way around. 
  • Secondly, people have monetary or data gains from exploiting it. 
  • Thirdly, there are victims that provide an easy target for malicious behavior. 

As a consequence, even though security tools and software are rapidly adapting to new complex threats, the threats are also changing to overcome the new barriers. Humans are adaptable and innovative and they can interpret instructions. Common mistakes from individuals can answer the question why is ransomware and other threats still spreading.

In order for any type of malware to run in a computer it has to be executed by a user. Firstly, it has to be downloaded and secondly, it has to ask for permission to run in the system. 

Both actions require a human to authorise them, whether the user knows what he or she is downloading. For that matter we need to make a clear distinction between intentional and thus malicious user and unintentional or naive user. Malicious users mainly exist inside organisations and companies that employ them.

The malicious insider usually possesses some level of technical skills and has a deeper motive behind his actions, namely, revenge for his mistreatment by a company or dissatisfaction for his salary. These attacks are specific and offer insight on the attacker himself. However interesting, the main issue at hand are everyday users who lack knowledge and motivation to adapt with technology. These users, named unintentional insiders, are the main issue that shed light to the human factor in the majority of ransomware attacks.

Ignorance is a key concept present in many cases of users. More often than not this will lead to accidental downloads of files the user doesn’t recognise or knows what they are. The failure to identify them makes the user curious as to what they are or if they are useful. 

Furthermore, the attack may seem like an official site or file that asks the user to download it and run it. In similar tests about Phishing e-mails, which are categorised as social attacks. Humans believe that such threats and attacks don’t involve them and would never happen. This leads to behavioral patterns like using simple passwords to access the system or even the same password for various systems.

Often an attack will be caused by a current or former employee, contractor, or business partner who has or had authorised access to an organisation’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organisation’s information or information systems. 

When security incidents happen at a business, it’s important that employees are on hand to either spot the breach, or mitigate the risks. After all, while employees can pose a risk to companies (as seen in our findings thus far), they also have an important role to play in helping protect the companies they work for. However, employees don’t always take action when their company is hit by a security incident. In fact, in 40% of businesses around the world, employees hide an incident when it happens.

Technology is always changing and adapting, following the speedy evolution of systems, while users may fall behind. Hard to use new technologies that are introduced without firstly slowly introducing the changes can cause confusion to users, especially when they are not experts to the field.

Small and medium businesses are being targeted by cyber criminals much more frequently than individuals and they often end up paying ransomware to the hackers.

Organisations often bury the incident and do not report the attack. The dark number of ransomware attacks is such due to the fact that admitting it means the organisation or business lacked security procedures and placed their client’s data at risk. In the worst case scenario, the decryption key provided by the attacker is false and will not unlock the infected system, forcing the victim to report the crime.

In order to overcome these potential deficiencies organisations should implement a wide variety of training schemes in an attempt to educate end-users and we recommend GoCyber as a training package to test as it really engages and improves employees and managements cyber security.

Vircom:        NIST:       Kaspersky:      Dark Reading:         iCIO:          ResearchGate:       Semantic Scholar

You  Might Also Read:

Every Single Employee Requires Cyber Security Training:

 

« China's Surveillance State Extends Beyond Its Borders
Unicorn Hacked By ShinyHunters »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Centre for Secure Information Technologies (CSIT)

Centre for Secure Information Technologies (CSIT)

CSIT is a UK Innovation and Knowledge Centre (IKC) for secure information technologies. Our vision is to be a global innovation hub for cyber security.

Redjack

Redjack

Redjack is a cutting-edge network analytics company focused on enterprise and ISP security and intelligence solutions.

FarrPoint

FarrPoint

FarrPoint is a specialist telecoms consultancy providing a range of services including cyber security assessments and technical assurance to safeguard your data.

KLC Consulting

KLC Consulting

KLC Consulting offers information assurance / Security, IT Audit, and Information Technology products and services to government and Fortune 1000 companies.

Immersive Labs

Immersive Labs

Immersive Labs have created a kinesthetic learning platform which identifies gaps in your teams cyber skills.

CSO GmbH

CSO GmbH

CSO GmbH provide specialist consultancy services in the area of IT security.

DANAK

DANAK

DANAK is the national accreditation body for Denmark. The directory of members provides details of organisations offering certification services for ISO 27001.

American Cybersecurity Institute

American Cybersecurity Institute

American cybersecurity Institute is a newly formed not-for-profit organization dedicated to education, advocacy, study and analysis in the space of cybersecurity law and policy.

iHLS Startups Accelerator

iHLS Startups Accelerator

iHLS Accelerator is the first startup accelerator in the world in the security and homeland security field.

CyberKnight Technologies

CyberKnight Technologies

CyberKnight Technologies is a cybersecurity focused value-added-distributor (VAD) headquartered in Dubai and covering the Middle East.

AaDya

AaDya

AaDya provide smart, simple, affordable and effective cybersecurity software solutions for small and medium businesses.

Dhound

Dhound

Dhound is a cybersecurity company providing web application penetration testing.

Cubro Network Visibility

Cubro Network Visibility

Cubro network visibility solutions remove network monitoring ‘blind spots’ to provide enhanced visibility and control of all data transiting a company’s network.

Northdoor

Northdoor

Northdoor provides a comprehensive set of services around information security and works with leading global technology vendors to deploy and manage cyber security solutions.

Allstate Identity Protection

Allstate Identity Protection

Allstate make it easy to provide complete identity protection, so everyone can live more confidently online.

ScamAdvisor

ScamAdvisor

ScamAdviser helps over 3 million consumers every month to discover if a website is legitimate or a possible scam.