The Cyber Security Threat From Employees

One of the biggest threats to cyber security in any organisation comes from its employees, even if they aren’t behaving maliciously. We all make mistakes. We are only human, after all. Unfortunately, when it comes to cyber security, that’s also kind of the problem. The human factors in cyber security are one of the biggest challenge when building an effective threat prevention strategy.

Human error is the leading cause of data and security breaches, responsible for over 90 percent of such incidents as they are not predicable, whereas technology and computers are predictable. 

Computer systems and tech related appliances will conduct the exact task they have been coded to perform. They have no free will nor will they apply their own decisions. They cannot interpret the orders given to them depending on whether they make sense, or, if they are ethical or not. Therefore, they are reliable.

On the other-hand people are weak in security awareness and governed by emotions, characteristic traits, personal views and ideologies that dictate their actions each day. 

Furthermore, they are manipulated by persuasion or curiosity and are susceptible to everyday mood changes. People are the weak link between an intruder and security and their behavior can lead to exploitation. Cyber-crime is solely human related and security is a people problem. 

Three reasons explain why technology and security are inter-correlated with humans. 

  • Firstly, people are in control of systems and technology, not the other way around. 
  • Secondly, people have monetary or data gains from exploiting it. 
  • Thirdly, there are victims that provide an easy target for malicious behavior. 

As a consequence, even though security tools and software are rapidly adapting to new complex threats, the threats are also changing to overcome the new barriers. Humans are adaptable and innovative and they can interpret instructions. Common mistakes from individuals can answer the question why is ransomware and other threats still spreading.

In order for any type of malware to run in a computer it has to be executed by a user. Firstly, it has to be downloaded and secondly, it has to ask for permission to run in the system. 

Both actions require a human to authorise them, whether the user knows what he or she is downloading. For that matter we need to make a clear distinction between intentional and thus malicious user and unintentional or naive user. Malicious users mainly exist inside organisations and companies that employ them.

The malicious insider usually possesses some level of technical skills and has a deeper motive behind his actions, namely, revenge for his mistreatment by a company or dissatisfaction for his salary. These attacks are specific and offer insight on the attacker himself. However interesting, the main issue at hand are everyday users who lack knowledge and motivation to adapt with technology. These users, named unintentional insiders, are the main issue that shed light to the human factor in the majority of ransomware attacks.

Ignorance is a key concept present in many cases of users. More often than not this will lead to accidental downloads of files the user doesn’t recognise or knows what they are. The failure to identify them makes the user curious as to what they are or if they are useful. 

Furthermore, the attack may seem like an official site or file that asks the user to download it and run it. In similar tests about Phishing e-mails, which are categorised as social attacks. Humans believe that such threats and attacks don’t involve them and would never happen. This leads to behavioral patterns like using simple passwords to access the system or even the same password for various systems.

Often an attack will be caused by a current or former employee, contractor, or business partner who has or had authorised access to an organisation’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organisation’s information or information systems. 

When security incidents happen at a business, it’s important that employees are on hand to either spot the breach, or mitigate the risks. After all, while employees can pose a risk to companies (as seen in our findings thus far), they also have an important role to play in helping protect the companies they work for. However, employees don’t always take action when their company is hit by a security incident. In fact, in 40% of businesses around the world, employees hide an incident when it happens.

Technology is always changing and adapting, following the speedy evolution of systems, while users may fall behind. Hard to use new technologies that are introduced without firstly slowly introducing the changes can cause confusion to users, especially when they are not experts to the field.

Small and medium businesses are being targeted by cyber criminals much more frequently than individuals and they often end up paying ransomware to the hackers.

Organisations often bury the incident and do not report the attack. The dark number of ransomware attacks is such due to the fact that admitting it means the organisation or business lacked security procedures and placed their client’s data at risk. In the worst case scenario, the decryption key provided by the attacker is false and will not unlock the infected system, forcing the victim to report the crime.

In order to overcome these potential deficiencies organisations should implement a wide variety of training schemes in an attempt to educate end-users and we recommend GoCyber as a training package to test as it really engages and improves employees and managements cyber security.

Vircom:        NIST:       Kaspersky:      Dark Reading:         iCIO:          ResearchGate:       Semantic Scholar

You  Might Also Read:

Every Single Employee Requires Cyber Security Training:

 

« China's Surveillance State Extends Beyond Its Borders
Unicorn Hacked By ShinyHunters »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Security IT Summit

Security IT Summit

The Security IT Summit is a unique one-day event which allows senior IT & Cyber security professionals to meet with innovative and competitive suppliers to the industry.

L J Kushner & Associates

L J Kushner & Associates

L.J. Kushner is a leading Information Security recruiting firm.

DFLabs

DFLabs

DFlabs is a pioneer in Security Automation & Orchestration technology, leveraging your existing security products to dramatically reduce the response and remediation gap.

Exabeam

Exabeam

Exabeam provides security intelligence and management solutions to help organizations of any size protect their most valuable information.

National Cybersecurity Institute (NCI) - Excelsior College

National Cybersecurity Institute (NCI) - Excelsior College

NCI is Excelsior College’s research center dedicated to assisting government, industry, military and academic sectors meet the challenges in cybersecurity policy, technology and education.

Aujas

Aujas

Aujas helps organizations manage information security risks by protecting data, software, people and identities in alignment with best practices and compliance requirements.

NFIR

NFIR

NFIR is a specialist in the field of cyber security incident response and digital forensics.

AngelList

AngelList

AngelList champion startups and the people who empower them. Search tech & startup jobs, find new tech products, and invest in startups.

Cyber Security Operations Consulting (CyberSecOp)

Cyber Security Operations Consulting (CyberSecOp)

CyberSecOp is an ISO 27001 Certified Organization which provides cyber security operations services and risk management consulting.

Securolytics

Securolytics

Securolytics offers the simplest, most complete and affordable IoT security for all organizations. Securolytics quickly identifies unmanaged devices to reduce security and compliance risks.

Cardonet

Cardonet

Cardonet is an IT Support and IT Services business offering end-to-end IT services, 24x7 IT Support to IT Consultancy, Managed IT and Cyber Security.

Ciphertex Data Security

Ciphertex Data Security

Ciphertex is a leading data security company that specializes in portable data encryption and privacy protection storage systems.

Guidepost Solutions

Guidepost Solutions

Guidepost Solutions are a diverse, global team of investigators, experienced security and technology consultants, and compliance and monitoring experts.

Visory

Visory

Great businesses depend on great technology. We make sure our clients go to market with enterprise-level technology and world-class security for their data and infrastructure.

Cisilion

Cisilion

Cisilion's mission is simple – to transform and connect business with next-generation IT infrastructure. Our expertise includes enterprise networking, security, data centre & cloud, managed services.

SoftForum

SoftForum

SoftForum is a company specializing in next-generation information security solutions in the Quantum-Resistant-Cryptography (PQC) field.