Why people are a bigger threat than tech
When it comes to cyber security incidents and data breaches the blame has a habit of landing on the shoulders of nefarious cyber criminals or technological failures. To a large extent, this is fair. It is easy to blame the cyber criminal after all, it’s their attacks that cause the problems in the first place. The technology is also as easy to point a finger at when supposedly advanced solutions prove easy to exploit or bypass.
However, there is another party whose actions frequently open the door to cyber-attacks, and yet aren’t being equipped with the skills or resources to prevent this, the companies’ own employees. When going about normal daily activities like opening emails and reading documents many employees can fall victim to phishing attack opening the door to data breaches. Indeed, the UK Government's 2017 Cyber Security Breaches Survey reported that 46% of businesses fell victim to cyber-attacks that year, with a jaw-slackening 72% of these due to staff receiving and opening fraudulent emails.
Perhaps then, our focus has been all wrong. Rather than blaming the users or technology, and lamenting the fact that criminals exist, we can take a different approach to cyber security. We can empower our users to end the cycle of susceptibility and breaches that pervades throughout the workforce and put in place training and development programs to combat breaches before they arise.
How employees can open the doors to attack
As a means of illustrating some of the ways mostly well-meaning employees facilitate cyber-attacks, we’ll look at the some of the habits they possess which make the life of hackers easy, whilst putting the technology itself unfairly in the crosshairs of angry scrutiny.
Opening attachments to malicious emails: The most damaging of the bunch. Employees opening malicious emails and following links to malicious websites contributes to the majority of successful cyber-attacks.
Password nonchalance: You can have the most robust, technologically advanced software on the market, but if your password to accessing it is ‘1234’, you’re going to have a bad time. Employees using overly simple passwords, using the same passwords for multiple accounts, and failing to keep their passwords private make the lives of hackers unreasonably easy.
Data theft: According to cyber security software provider, Heimdal Security, a scary 59% of employees, when quitting or having been sacked, will steal proprietary corporate data.
Keeping open social media profiles: Key decision makers within a company displaying private information on open social media profiles, makes the task of identity theft with a view to carrying out cyber-attacks a cinch for would-be hackers.
BYOD: Convenient an option though it is in reducing overheads, 27% of businesses that have suffered a data breach have traced incidents back to their BYOD policy.
What’s important to remember, is that no technology can stop a cyber-attack completely, and with cyber-attacks (specifically phishing emails) constantly changing, evolving, and becoming more sophisticated, it is easy for even the most tech-savvy employee to get caught out. It’s for this reason that the following is of such critical importance…
Education, education, education
True in all walks of life, and certainly true for companies who want to stay ahead of cyber-attacks and protect their data and reputation, and manage the aftermath of one.
While the extent to which employees’ are susceptible to cyber-attack is worrying in itself. More worrying still, has been the lack of training within companies to properly address the problem. Human error and lack of education has been pinpointed as a root cause of breaches in a number of studies, and yet 80% of businesses are not addressing cyber training within their employee base.
Thankfully, this is a trend which looks set to change. The cyber-security market is seeing significant investment and consolidation, demonstrating the importance attached to this space. Competitors Cofense (formerly Phishme) and Wombat have recently been involved in major merger and acquisition activity, $400m and $225m respectively, while KnowBe4 has attracted $43.5m investment.
This spike in activity should precipitate a fresh drive towards bringing the workforce up to speed with current threats. Rather than this drive translating to coach-led courses in off-site stuffy conference rooms, there is another way. A way that is not only more cost-effective, but garners more formidable results.
The power of eLearning
eLearning is an approach to training and development which has enjoyed extraordinary success. The fact that the growth of the eLearning industry itself has exceeded over 900% since 2000 tells its own story.
The beauty of eLearning is that not only does it make absolute financial sense in that it is a far cheaper alternative overall, employees also love it. It has the sense of being contemporary and cutting-edge but also, because they can access platforms as and when is convenient, their ability to retain information rockets. Indeed, The Research Institute of America found that eLearning increases retention rates anywhere between 25% to 60%. Retention rates of coach-led training are low in comparison, topping at around 10%. With eLearning, employees have more control over the learning process. They manage the pace at which they learn and have the option to revisit the training as needed.
It’s a concept which has drawn the attention of some of the biggest corporations. After implementing an eLearning program within the company, IBM found that participants learned nearly five times more material without increasing time spent in training. By allowing for learning to take place over shorter periods, companies can reduce the time employees spend on training, thus allowing them to get back to work faster, which in return translates into revenue growth.
Moreover, according to a Brandon-Hall study, learning through eLearning typically requires employees to spend 40% - 60% less time learning the same material compared with a traditional classroom environment. Employees can navigate through digital courses when convenient ensuring interruption to workflow is kept at a minimum.
Perhaps it’s taken us this long to get here because it’s tough to admit that one of the biggest contributors to cyber-threats, is, in fact, ourselves. Pride though, has no place in an environment where businesses collectively are losing billions each year. If we can start to help our own people and provide them with the right skills and resources then we can turn the tide on cyber threats with proactive measures. The first of these must be education. Help in achieving this and empowering your employees is now out there, maybe it’s time you took a fresh look at your security priorities.
Alex Thomas, UK Sales Manager for Purplephish
Image Credit: Andrea Danti / Shutterstock