Employees are a major source of security breaches within companies. Unfortunately, the majority of security solutions are aimed at the technical aspects of preventing security breaches, whether it is providing firewalls, AI detection mechanisms, zero-trust networks, encryption, or something else. These solutions do little when it comes to preventing security breaches that come from employee maliciousness or lack of awareness.
Even the IT security audits that companies perform do not address the human element of security compromises that a social engineering audit would cover. The common reason is that companies budget for overall IT security audits since their industry examiners and insurance companies mandate them. However, funding for human behavior audits like social engineering often gets axed in times of budget negotiations.
Just how serious is employee negligence or malfeasance when it comes to security threats?
A Stanford University study found that 88% of security breaches were caused by employees. Common reasons given were employees getting distracted at work or at home (if they are working remotely) or employees mistaking an email as being legitimate because it allegedly came from someone they knew, such as a company official. The technique of masquerading a malicious email to make it look like it is coming from someone you know is called phishing. In the last four years, phishing has been the top cybercrime, according to the latest FBI Internet Crime Report. And according to the Anti-Phishing Working Group (APWG), 2022 was a record year for phishing, with the APWG logging almost 4.2 million attacks. The group also noted that since the beginning of 2019, the number of phishing attacks has grown by more than 150% per year.
With the growth of cyber espionage and tampering, the government has been at the forefront of implementing zero-trust networks; Okta's research found that 72% of government agencies are already using a zero-trust architecture. In part, this came about as the result of a 2021 Executive Order to bolster national cybersecurity.
Zero-trust networks can detect any IT assets or activities that are added, subtracted, or modified on the network, no matter where the activity or asset resides. This enables a central security function such as IT to monitor everyone that is signed on to networks throughout a company. Zero-trust activity logs and alert systems go a long way in preventing employee errors such as inadvertently adding an asset, subscribing to a cloud, downloading from a malicious website, etc.
More companies are closely monitoring employee email and website access. Companies can also make a concerted effort to better train their employees.
Companies that are achieving the best results are those that facilitate a tight collaboration between IT (responsible for monitoring security), HR (responsible for training and refresher training employees on security policies), and top management (who must wholeheartedly endorse a security culture within their companies).
End users won’t supplant IT staff or IT intervention for complex security issues, but if non-IT users are trained to become IT para-professionals who can attend to the security rudiments at the edges of enterprises, IT can leverage its security force while also expanding security consciousness into the end user base.
Many security vendors offer services and solutions—but not all offer security training for employees. Those that do are mindful that security is a holistic process that must engage employees as well as technology. These are the vendors that IT should consider as business partners.
The purchasing department interviews countless suppliers to assist in the building of company products. Purchasing agents check for supplier capabilities, capacities, product fit, pricing, etc.—but supplier security is often not on the checklist.
It should be.
Even if your own security practices are sound, your suppliers may not be. Admitting a supplier into your network that has weak or non-existent security is an invitation to a security breach.
Because employees are a major source of security breaches, social engineering audits should be performed annually. These audits enable you to see human holes in your security defenses that your software can't detect. The auditors you employ will also be coming in with a set of best practices that they have developed from working with other firms and that they are happy to share.
Cybercriminals are increasingly targeting unsuspecting employees. It’s time for companies to do something about it.
Related articles:
Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
In today’s data-driven world, higher educational institution networks and their management must be modernized to address the needs of everyone across campus. Enterprises face similar challenges and also need to modernize their networks.
