Why your employees may pose the greatest threat to your cybersecurity defence

Cyberattacks consistently top the lists of risks to businesses and many owners and managers are shoring up their defences by deploying a range of security measures. But despite all the updating of software, using anti-spyware, enabling multi-factor authentication and rigorous back-up protocols, one area that businesses can neglect is the human element. Poor employee cybersecurity practices can open the door to hackers and expose the business to a multitude of threats from phishing to ransomware.

According to Verizon Business’ 2023 Data Breach Investigations Report, the human element accounted for most cyber incidents in the past year and was a factor in 74% of total breaches.

In a security context, human error means unintentional actions – or lack of action – by employees and users that cause, spread or allow a security breach to take place.

Malicious, negligent, and compromised users are a serious and growing risk. The Ponemon Institute’s 2022 Cost of Insider Threats: Global Report revealed that insider threat incidents had risen 44% between 2020 and 2022, with costs per incident up 34% to $15.38 million.

It is a risk more employers are concerned about. Data leakages of internal systems caused either by cyberattacks (23%) or employees (22%) are the most concerning security issues encountered by SMEs, according to a 2023 survey by Kaspersky IT Security Economics.

According to a report from Mimecast, 43% of organisations named insufficient employee awareness of the risks that cyber presents as the biggest security challenge they face in 2023. “Year on year, our research shows employees are a top concern for businesses when it comes to privacy, and eight out of 10 respondents (78%) believe their company is at risk due to inadvertent data leaks by careless or negligent employees,” Mimecast director of solutions engineering APAC, Garrett O’Hara, is reported to have said.

As Australian businesses focus on their cyber resilience (Trend Micro’s Cyber Risk Index shows Australian CRI is improving), there is still much to be done as employees remain a source of risk. Trend Micro found Australian organisations consider employees to be a major risk. “The first step to managing this is to gain complete and continuous attack surface visibility and control”, said Mick McCluney, technical director for Australia at Trend Micro, as reported by ITWire.

Insider threats stem from one of three main sources – negligent or inadvertent users, criminal or malicious insiders, or attackers who have stolen user credentials.

Negligent employees

‘Negligence’ basically comes down to human error. While the opportunities for human error are almost infinite, they can broadly be categorised into two different types – skill-based and decision-based errors. Skill-based errors are generally minor errors that occur while carrying out a daily task or familiar activity. The user knows what the correct course of action is, but fails to take it due to a temporary lapse, mistake or carelessness which may be caused by the user being tired, not paying attention, being distracted, or otherwise having a brief lapse of memory. On the other hand, decision-based errors are the ones where the user makes a faulty decision. There can be a number of different factors that play into this, for example the user does not have the necessary level of knowledge, does not have enough information about the specific circumstance, or does not even realise that they are making a decision through their inaction.

Security breaches often result from lax cyber security practices by employees. According to cyber security awareness and training firm KnowBe4, the top 10 risky employee behaviours are:

  1. Accessing or watching entertainment/streaming services.
  2. Accessing gaming websites.
  3. Responding to “greymail” (a type of email that falls between unwanted spam and desired emails, like a newsletter or marketing alert).
  4. Logging on to adult websites.
  5. Using an unauthorised or malicious application.
  6. Accessing risky websites.
  7. Unauthorised use of removable media (such as USB drives).
  8. Sharing of personally identifiable information (PII).
  9. Using cloud backup or cloud storage.
  10. Opening malicious email attachments.

To reduce the risk of poor cyber security practices putting your business at risk:

  • Have clear policies about private/personal use of company-owned devices and systems.
  • Provide ongoing cybersecurity training, ensuring employees understand security basics – recognising cyber risks (including scams and phishing), best password practices and handling confidential information.
  • Install security software that includes a firewall, anti-virus and anti-spyware – research from cybersecurity provider Palo Alto Networks revealed that 66% of malware was delivered through PDF in 2022.
  • Do not continue using end-of-life (unsupported) software.
  • Ensure security patches and updates are performed.
  • Implement access control.
  • Control cloud app use with encryption.
  • Secure WiFi networks.
  • Ensure any default settings on devices are changed.
  • Use file encryption.
  • Use endpoint detection and response (EDR) tools.
  • Set up and perform regular back-ups.

Employees with malicious intent

Although less prevalent than negligence, employees who deliberately cause harm to the business can be an even greater threat. Whether for personal gain (financial, ideological etc.) or as retaliation, employees may purposefully cause a data breach, steal sensitive information, delete data or distribute malware within the business’ systems.

As employees are likely to know the weaknesses of the business’ cybersecurity and the location and nature of sensitive data they can exploit, employees with malicious intent can wreak havoc.

In these instances, combatting the issue may be less a cybersecurity function than a human resource one:

  • Screen potential employees (as best one can within the legal boundaries) to identify potential red flags, for example concerning ideological values, personal issues like gambling, drinking, financial or marital problems, or termination from employment for misconduct or fraud.
  • Keep on top of workplace matters that might lead to disgruntled employees, for example redundancies, demotions, restructuring or poor performance reviews.
  • Watch for signs of destructive behaviour, for example an increasingly negative attitude or concerning language in digital or other communications.

On the cybersecurity side:

  • Use privileged access management to ensure employees only have access to the information and systems they need to do their jobs (restricted access and administrator controls).
  • Have strict policies in relation to BYO devices and use of company-owned devices outside of the workplace.
  • Immediately revoke access to accounts and systems for any terminated employee (usernames and passwords should be immediately shut down).
  • Restrict administrator-level access for installing hardware and software and control physical access to servers.
  • Encrypt sensitive information.
  • Consider use of employee monitoring software.

Stolen employee credentials

It is not uncommon for employees to be ‘tricked’ into giving a hacker access to the business’ data. The unscrupulous exploit human vulnerabilities to gain access to systems by stealing credentials or releasing malware. According to Trend Micro, login attacks (credential theft) are one of the top four cyber threats globally.

One of the most common ways hackers exploit human nature is via social engineering. Social engineering involves exploiting people and convincing them to take a particular action – like sharing personal information or downloading malware. Techniques used include phishing, spear phishing, smishing (SMS phishing), baiting (an attacker uses the greed or curiosity of the target), pretexting (an attacker obtains information through a series of lies or scams to gain access to the confidential data of the target), scareware (the target believes that their system is infected with malware, to which an attacker offers a solution), quid pro quo (an attacker pretends to provide something to the target in exchange for some information), impersonation, business email compromise, and funds transfer fraud.

According to one cyber insurance provider, phishing accounted for 76% of reported cyber incidents in 2022 – more than six times greater than the next most common technique. Also on the rise is the use of artificial intelligence-assisted technology such as voice cloning (known as ‘deep fake’ voice technology).

Cybersecurity measures to deploy include:

  • Training employees to identify social engineering approaches, which can include the employee oversharing on social media – many phishing and social engineering attacks occur on social media.
  • Reminding employees to check messages they receive, to avoid links that ask them to log in or reset their password, and to be careful when opening files and downloading programs.
  • Creating a culture where cybersecurity discussions are encouraged, and it is easy to ask questions.
  • Using privileged access management.
  • Applying security protocols to all employees, including those in senior leadership – management not only often possess a business’ most sensitive information but are often the least protected as many businesses make security protocol exceptions for them.
  • Encrypting files.
  • Turning on ransomware protection.
  • Employing best practice for passwords – using passphrases, using strong passwords (containing letters, numbers and symbols), using a unique password for each account and device, never sharing passwords with co-workers, and scheduling compulsory password resets for employee devices and accounts.
  • Restricting concurrent logins, and enforcing account monitoring and automatic logouts.
  • Using multi-factor authentication – according to Microsoft, MFA can prevent over 99% of cyberattacks compromising accounts.
  • Using Zero Trust Network Access to stop the use of compromised credentials.

Bottom line

Employees can be both the greatest risk to a business’ cybersecurity and also its best defence. A company’s security is only as strong as its weakest link, so ensure that you deploy all available security measures and engage in ongoing employee training.

It is also important to have contingencies in place in case a cyberattack penetrates the defences – have robust incident and recovery plans and also ensure your business is protected with the right insurances. Talk to your EBM Account Manager about a cyber policy and other covers that could prove invaluable.