The Human Risk : How Users Become Breaches
“The call is coming from inside the house.” At least, that’s how the old horror movie trope goes. As it turns out, the same thing can be said for many system security breaches. While there are certainly malicious attacks that don’t rely on the actions of people inside your company, a surprising number can be put down to employee negligence. Although not necessarily malicious, this human risk factor can nonetheless open systems up for attacks. These can then result in everything from wasted hours fixing them to potential data breaches of confidential information.
It’s something that’s crucial to think about when formulating plans for data security, designed to keep your company (and customers) free from attacks.
The negligence problem
Clicking a dubious link which asks you to enter your personal information is one of those things tech-savvy people assume won’t happen to them — until it does. In a world in which we’re constantly bombarded with emails, and a login and password are the only things between our private information and the outside world, it’s understandable that people occasionally fall prey to practices such as phishing emails. Sadly, “occasionally” is all it takes for a system breach to take place.
These numbers might be even greater than you expect. According to a recent study, around 40 percent of data security breaches in companies were the result of employee negligence. What’s more, a massive 96 percent of Americans consider this kind of negligence to be a minor contributor to data breaches within companies.
Phishing emails are damaging precisely because of how simple they are. There is little expertise involved, which makes them a popular method of trying to extract confidential information from unwitting users. Worse, once a single employee’s login details are stolen, it’s possible for a hacker to access an entire work system and infect it with malicious malware.
While phishing emails are one way that employee negligence can lead to sensitive information being shared, it’s by no means the only type of carelessness that can lead to this outcome. Another big threat is the use of internet connections that aren’t properly secured. Unfortunately, this is a growing problem due to the increasing number of employees who work remotely for at least part of each week.
Unsecured internet connections are less of a problem if employees only work from home when they’re away from the office. However, it can be a big issue when logging into public Wi-Fi systems, such as accessing a work account from a local coffee shop. Hackers can exploit backdoors in these unsecured hotspots, and infiltrate systems using techniques like installing keystroke logging malware — able to reveal what is being typed on a victim’s computer. Failure to logout of computer systems can additionally be an issue if a laptop or mobile device is physically stolen by criminals. Considering the amount of data which can be accessed using a login, this could be considerably worse than losing a single confidential paper file.
The examples given so far have focused on negligence, rather than employees willfully inflicting harm. Unfortunately, this can be another potential source of breaches for businesses. From ex-employees who have been made redundant to people passed over for promotion, there are plenty of reasons someone you’ve hired could conceivably be upset in the workplace. Sadly, this can sometimes lead to them seeking retribution by causing damage to computer systems. This might include maliciously deleting crucial files to cause problems, leaking data, or installing malware. Depending on the approach, these instances can be difficult to detect and could cause long-term damage.
Solving the problem
There is no “one size fits all” solution to these issues. In the same way that there might be multiple points of weakness which lead to an attack, companies must have a multi-pronged strategy to try and close these potential vulnerabilities. An important step is to make sure that they have the necessary training in place to teach employees the important dos and don’ts of cybersecurity. This shouldn’t be a once-a-year exercise that bosses then expect to be taken seriously by employees. A company which emphasizes cybersecurity as part of its culture must make this a regular part of its work — and that most certainly includes remote workers and temporary contractors.
The other biggest step that companies can take to avoid these problems is to make sure that they have the proper security system in place. Artificial intelligence (AI) based risk monitoring systems can help uncover vulnerabilities and detect malicious behavior. Most of the examples of user-led breaches discussed here involve human error and carelessness, leading to potentially cataclysmic problems. An AI risk monitoring system is a crucial automated safety net that will safeguard your data, and it’s an investment that every company needs to make.