Kon Leong at Harvard Business Review writes an excellent article on cybercrime. He points out the problem of employees exposing your business through human error.
He said: "Today, cybersecurity has expanded far beyond its traditional domain of external threats, typified by external hackers attacking network vulnerabilities. It now includes insider threats, which are much more complex and difficult to manage, as evidenced by some very serious recent insider breaches, such as those involving Edward Snowden and Chelsea Manning. The nature of insider threats can be categorized into malicious, accidental, or negligent."
Human action is most often responsible for security breaches. Simply correcting bad behavior will not solve cybersecurity problems.
So, which department has the most risk?
TechRepublic wrote: "People are always the weak link when it comes to enterprise cybersecurity. But some departments are more likely to get hit and fall victim to cybercrime attacks than others.
Three departments that are often most likely to fall victim to cybercrime attacks are:
- IT and Development. They are not immune to mistakes or attacks. These attacks result in security breaches, as 2017 has proved, said Forrester analyst Jeff Pollard.
- Finance. Pollard also said a large number of attacks in 2016 and 2017 targeted procurement and finance teams. The attacks asked employees to transfer large sums of money to the attackers, bypassing normal accounts payable procedures and controls.
- The C-Suite. A recent report from iPass says C-level executives—including the CEO—have the highest risk of being hacked. These employees are often working long hours. They are often working outside of the office. They have unrestricted access to the most sensitive company data. This makes them highly valuable and available targets."
The Harvard Business Review article suggests four areas where risk can be significantly reduced:
- Rethink employee training
In order to make a meaningful and lasting impact on employee behavior, organizations should instead consider frequent and interactive training sessions.
- Identify high-risk users and intervene
By identifying signs of risky behavior, organizations can stage strategic intervention with high-risk users.
- Shape the solution to the human user and not vice versa
Since a perfectly secure system is often unusable, companies need to engage end users to find out what is realistic to support cybersecurity efforts.
- Constantly adapt to changing threats
Increasingly, technology and improved practices can help you identify those employees who are most at risk of exposing your company to a cyberattack — before it becomes a major problem.
Recent research by the Ponemon Institute indicates that employee training is the third-most-effective method of decreasing the per capita cost of a breach.
However, 48% in a recent major survey say they do not have an employee security awareness training program.
"Strengthening Digital Society Against Cyber Shocks", a PricewaterhouseCoopers (PwC) report, covers key findings from The Global State of Information Security Survey 2018:
- 44% of the 9,500 executives in 122 countries surveyed for the 2018 report say they do not have an overall information security strategy.
- 48% say they do not have an employee security awareness training program, and 54% say they do not have an incident response process.
As a result, "many organizations need to evaluate their digital risk and focus on building resilience for the inevitable," said Sean Joyce, PwC's US Cybersecurity and Privacy Leader. A human firewall is a critical piece of that puzzle.
In summary, businesses have got to start training their users and running simulated phishing tests against them ASAP, because email filters never catch all of it. At E-N Computers, we commit to education. In order to be fully responsible, we believe in training. But we also believe in having a plan, and we have a process.