What do employees mean for commercial security risks?

Security breaches continue to make front-page news on a regular basis, such as those at telecommunications group TalkTalk and social media giant LinkedIn, and this raises the question of whether organisations are implementing the right measures to stop breaches from becoming an everyday occurrence.

At the same time, cybercriminals have an increasing presence within our rapidly evolving online society and are adopting new ways of accessing applications and internal systems.

Whilst the frequency of reported security breaches should prompt businesses to review the way in which they protect the sensitive data they hold, a third (33 per cent) of large organisations say that responsibility for ensuring data is protected is not clear. Additionally, almost three quarters (72 per cent) of companies where the security policy was poorly understood had experienced staff-related breaches.

Businesses need to understand how cybercriminals are increasingly gaining access to their internal systems before they can mitigate this risk. With a recent report by Intel finding that 42 per cent of all data loss cases in the UK are caused by internal factors, employees are increasingly considered the weakest link when it comes to information security. This should be a growing concern for businesses, especially considering how hackers continue to take a much more calculated approach when it comes to infiltrating a business network.

A lot of this is down to phishing scams, where fraudsters attempt to acquire sensitive information, for example usernames, passwords and credit card details, or to steal money by masquerading as a trustworthy entity via an email, pop-up message, phone call or text message. Once a cybercriminal has this information, whether obtained through a phishing scam or any number of other common social engineering techniques, they can access the entire corporate network and the sensitive data held within it.

In fact, the problem has grown to the point that UK-based Action Fraud reveals it now receives 8,000 reports of phishing scams every month. Email is by far the most common attack vector, with over two thirds (68 per cent) of people who reported a phishing scam saying that is how they were contacted. This compares to 12.5 per cent of people who said they were contacted by phone, 8.9 per cent who reported that they received a text message, and the rest saying they were contacted in another way.

The process of phishing is often very swift too. According to a recent report by Verizon, it takes cybercriminals just 82 seconds to ensnare the average victim in a phishing scam, with almost a quarter (23 per cent) of people likely to open a phishing email.

Whether it’s down to human error, a phishing scam or an intentional leak, organisations of all sizes need to embrace employee education as part of their security policies. Not only will this educate employees on the risk and potentially crippling costs associated with data breaches, but it will also provide insight into the types of phishing scams they are likely to fall victim to. Employees need to understand the risk that such breaches pose to the organisation and be able to alert the IT team if they are being specifically targeted, with education playing a significant role in this.

The fact that modern phishing techniques are getting increasingly hard to spot only intensifies the problem, with even the savviest employees struggling to identify potential threats. Whilst education of staff is important, it is also imperative to have a safety net so that you can understand exactly how data is moving into, around and out of your organisation.

Only by gaining greater visibility, analysis and control of all communications channels can businesses mitigate the cost of sensitive data leaving the safety of the organisation. To facilitate this, organisations need to be able to monitor each employee’s use of corporate assets at the most basic level, regardless of whether users are in the office or mobile. Cloud application control (CAC) solutions can provide businesses with this visibility and the ability to discover, analyse and control the information staff are accessing or sharing.

With the added pressures of digital transformation changing how and where we work, employees are increasingly opting to work outside the traditional office environment. Because of this, businesses need to ensure that the right employees have the right access to company information and systems no matter where they are working from, with access privileges adapting depending on whether they are in or out of the office.

Multi-factor authentication can play a dominant role within an organisation’s cybersecurity strategy, helping to provide visibility of the use of cloud apps – authorised or otherwise – so that the organisation can spot when a phishing attempt may be leading to a sustained data breach and mitigate the associated fallout.

Grahame Smee, VP of sales at CensorNet

Photo credit: jijomathaidesigners / Shutterstock