Your workers may be your greatest security risk.
One-quarter of all data breaches last year resulted from successful social engineering attacks (when employees are manipulated into taking certain action or divulging confidential information). The human element refers to errors made by users that put information assets at risk. Common examples called out in the report include cloud misconfigurations, the use of weak passwords and the failure to implement patches. When human error and privilege misuse are combined, the human element accounted for 82% of data breaches in 2021.
The human element of cyber security is a multi-faceted problem. So, organisations must develop a comprehensive risk management strategy, which incorporates the right security tools, incident response procedures and employee training to protect against the worst-case scenario.
Insider threats are internal players – such as employees, supply chain partners or contractors – who put cyber security at risk. Accidental insiders do not intentionally cause harm, but do so anyway because of factors such as inattention, a lack of understanding or mistakes.
Research shows that accidental insiders are one of the biggest threats to data security today:
ICO and General Data Protection Regulation (“GDPR”) fines over the last few years also highlight the reality of accidental insiders. In Q3 of 2022, 2,404 breaches reported to the ICO were a result of “mistakes by users”.
In 2020, a Google Drive containing sensitive information about the NHS COVID-19 contact tracing application was left open for public viewing. In that instance, it appeared that an NHS employee uploaded the documents to Google Drive without checking that the configuration settings were private, leading to the leak.
There are numerous ways in which a breach or leak could occur – such as:
Changing employee awareness, behaviour and culture doesn’t happen overnight. It requires training, contextual insight and an understanding of the impact that specific controls can have before they are implemented. It is important to find the balance between worker productivity/ efficiency and risk control.
For a comprehensive view on how to protect your organisation from insider threats and other cyber attacks, we recommend reviewing NIST’s Cybersecurity Framework and/or the National Cyber Security Centre’s (“NCSC”) 10 Steps to Cyber Security. Both offer guidelines and best practices for protecting organisations from the data loss associated with insider threats.
Below are three key considerations for protecting against human error:
A 2019 report from the SANS institute identified two significant gaps in insider threat defences: a lack of visibility into user behaviour, and a lack of privileged access management. These gaps are the most likely to enable attacks like phishing and use of compromised credentials.
To mitigate these risks, security solutions such as User Behaviour Analytics (“UEBA”) and privileged access control should be implemented. UEBA works by using AI and data analytics to review user activity and spot any risky behaviour – such as a user attempting to download documents that they shouldn’t be accessing or sending a sensitive file to an unsanctioned email address. The software can then alert your IT personnel so that they can educate the end user. Some solutions even prevent the user from completing the risky action and flag that they will need authorization to continue.
Privileged access controls are based on the principle of zero trust security – which governs that users should have as little access privileges as necessary to carry out their job. In the battle against compromised passwords and email accounts, privileged access management is essential to limiting data loss.
Recent Ponemon research found that 63% of insider threats are caused by employee or contractor negligence. The best way to combat this negligence is through the ‘ABC’ of security improvement: awareness, behaviour modification and an improved security culture. This can be achieved through a combination of formal training, informal awareness sessions, updates, guidance and assurance exercises, like employee phishing tests.
Chances are your organisation already has a cyber security training programme in some form such as an e-learning course or similar. While there’s nothing wrong with e-learning courses or an annual cybersecurity offsite, it’s important that you don’t treat training as a tick-box exercise. For it to have a positive impact, employees need to find training engaging and worthwhile.
At Evalian, we advocate dynamic, ongoing and tailored cyber security training to minimise the risk of accidental data loss. This is because every organisation is unique, meaning that blanket training programmes will never quite fit the idiosyncrasies of individual companies.
What’s more, any cybersecurity efforts that reduce employee productivity aren’t likely to stick. So it’s best that training is bite-sized but regular, having a minimal impact on your employees’ workflow.
As NIST’s cybersecurity framework notes, to protect your company from insider threats, you need to understand what data you have and protect it. Aim to identify what sensitive data your organisation holds, how it is stored, who has access to it and why, and what protections there are to safeguard it.
Implement solutions like encryption, privileged access management and data loss prevention to protect sensitive data from both insider and external threats.
Put in place incident response procedures preempting the worse-case scenario. Create a detailed plan of how your company will react to a cyber security incident so that you can take a quick, measured approach to preventing data loss or a breach.
In the increasingly digital world of business, accidental insider threats are a fact of life. However, these mistakes do not have to lead to a costly data breach. With the right proactive strategy and tools, your company can ensure that the risks associated with human error are mitigated.
From data protection and penetration testing to cyber security & ISO certification, Evalian offers training, consultations, assessments and more.
.png)
Optimize device usage, minimize operating costs, and free up hours of IT Team time by managing the device lifecycle with Hofy.
From security and cost savings to efficiency and onboarding, here's why zero touch deployment should be your go-to method for equipping remote teams.
From IT security and productivity to optimizing spend and staying ahead of competition, the benefits of upgrading employee devices explained.
By working with a company which has achieved SOC 2 certification like Hofy, it makes it easier for your organisation to also become SOC 2 compliant.
.png)
.png)
Your workers may be your greatest security risk.
One-quarter of all data breaches last year resulted from successful social engineering attacks (when employees are manipulated into taking certain action or divulging confidential information). The human element refers to errors made by users that put information assets at risk. Common examples called out in the report include cloud misconfigurations, the use of weak passwords and the failure to implement patches. When human error and privilege misuse are combined, the human element accounted for 82% of data breaches in 2021.
The human element of cyber security is a multi-faceted problem. So, organisations must develop a comprehensive risk management strategy, which incorporates the right security tools, incident response procedures and employee training to protect against the worst-case scenario.
Insider threats are internal players – such as employees, supply chain partners or contractors – who put cyber security at risk. Accidental insiders do not intentionally cause harm, but do so anyway because of factors such as inattention, a lack of understanding or mistakes.
Research shows that accidental insiders are one of the biggest threats to data security today:
ICO and General Data Protection Regulation (“GDPR”) fines over the last few years also highlight the reality of accidental insiders. In Q3 of 2022, 2,404 breaches reported to the ICO were a result of “mistakes by users”.
In 2020, a Google Drive containing sensitive information about the NHS COVID-19 contact tracing application was left open for public viewing. In that instance, it appeared that an NHS employee uploaded the documents to Google Drive without checking that the configuration settings were private, leading to the leak.
There are numerous ways in which a breach or leak could occur – such as:
Changing employee awareness, behaviour and culture doesn’t happen overnight. It requires training, contextual insight and an understanding of the impact that specific controls can have before they are implemented. It is important to find the balance between worker productivity/ efficiency and risk control.
For a comprehensive view on how to protect your organisation from insider threats and other cyber attacks, we recommend reviewing NIST’s Cybersecurity Framework and/or the National Cyber Security Centre’s (“NCSC”) 10 Steps to Cyber Security. Both offer guidelines and best practices for protecting organisations from the data loss associated with insider threats.
Below are three key considerations for protecting against human error:
A 2019 report from the SANS institute identified two significant gaps in insider threat defences: a lack of visibility into user behaviour, and a lack of privileged access management. These gaps are the most likely to enable attacks like phishing and use of compromised credentials.
To mitigate these risks, security solutions such as User Behaviour Analytics (“UEBA”) and privileged access control should be implemented. UEBA works by using AI and data analytics to review user activity and spot any risky behaviour – such as a user attempting to download documents that they shouldn’t be accessing or sending a sensitive file to an unsanctioned email address. The software can then alert your IT personnel so that they can educate the end user. Some solutions even prevent the user from completing the risky action and flag that they will need authorization to continue.
Privileged access controls are based on the principle of zero trust security – which governs that users should have as little access privileges as necessary to carry out their job. In the battle against compromised passwords and email accounts, privileged access management is essential to limiting data loss.
Recent Ponemon research found that 63% of insider threats are caused by employee or contractor negligence. The best way to combat this negligence is through the ‘ABC’ of security improvement: awareness, behaviour modification and an improved security culture. This can be achieved through a combination of formal training, informal awareness sessions, updates, guidance and assurance exercises, like employee phishing tests.
Chances are your organisation already has a cyber security training programme in some form such as an e-learning course or similar. While there’s nothing wrong with e-learning courses or an annual cybersecurity offsite, it’s important that you don’t treat training as a tick-box exercise. For it to have a positive impact, employees need to find training engaging and worthwhile.
At Evalian, we advocate dynamic, ongoing and tailored cyber security training to minimise the risk of accidental data loss. This is because every organisation is unique, meaning that blanket training programmes will never quite fit the idiosyncrasies of individual companies.
What’s more, any cybersecurity efforts that reduce employee productivity aren’t likely to stick. So it’s best that training is bite-sized but regular, having a minimal impact on your employees’ workflow.
As NIST’s cybersecurity framework notes, to protect your company from insider threats, you need to understand what data you have and protect it. Aim to identify what sensitive data your organisation holds, how it is stored, who has access to it and why, and what protections there are to safeguard it.
Implement solutions like encryption, privileged access management and data loss prevention to protect sensitive data from both insider and external threats.
Put in place incident response procedures preempting the worse-case scenario. Create a detailed plan of how your company will react to a cyber security incident so that you can take a quick, measured approach to preventing data loss or a breach.
In the increasingly digital world of business, accidental insider threats are a fact of life. However, these mistakes do not have to lead to a costly data breach. With the right proactive strategy and tools, your company can ensure that the risks associated with human error are mitigated.
.jpg)
From defining your value proposition to launching with go-to-market, CPO & Co-Founder of Hofy Michael Ginzo outlines a simple plan for your startup marketing strategy.
.jpg)
There comes a time when the cost of depreciation outweighs the savings you made by buying in bulk - and it may be much sooner in a device’s lifecycle than you think.
Guarantee that the data on your devices is permanently and irreversibly destroyed to NIST 800-88 Purge standard. A certificate of completion will be automatically generated and uploaded to the Hofy platform.
.png){kind=small}
