Skip to main content

Your employees can be your greatest security asset (or your greatest vulnerability)

security
(Image credit: Shutterstock / Khakimullin Aleksandr)

Many cybersecurity professionals consider humans a huge vulnerability when it comes to keeping a business secure. While this is true, employees can actually become fantastic security assets with the right support and training. 

Whether an employee falls foul of a phishing scam or makes a simple mistake — such as forgetting to BCC patient email addresses, as in the case of the 56 Dean Street Clinic — humans play a large role in the security of your business and its data. A company culture rooted in robust cybersecurity practices and supported with the right technology can help minimize the risk from attackers, human error, and willful rule-breaking.

Insider risk 

Employees are your biggest security vulnerability, especially when considering how many security breaches start with social engineering scams like phishing emails. While some employees may intentionally leak data, most security breaches come from a lack of knowledge surrounding cybersecurity threats.

People are targeted by attackers 

Hackers know employees are vulnerable and have plenty of sophisticated methods for making people think they are legitimate. Many employees will know about the more common phishing emails — such as an ‘inheritance’ from a long-lost relative — but they might not be able to spot other social engineering scams that could lead to the installation of malware on the business network. These could come from phishing emails or phone calls where an attacker pretends to be a supplier, government agency, or other trusted contact.

Similarly, an attacker might try to gain access in person. Whether that means posing as a contractor, maintenance person, or supplier, it only takes plugging in a simple USB device to compromise an entire network. However, these attacks are rarer. Email phishing scams are by the most common type of social engineering attack.

They’re also one of the most lucrative for attackers, with Egress research finding that 73 percent of organizations were the victim of a successful phishing attack over the last year. The best protection against these attacks is security software with machine learning and natural language processing capabilities that can root out dangerous emails and stop them from ever reaching a user’s inbox. On top of this, training will help employees to spot a range of social engineering scams via email — making them less likely to fall for an attacker’s tricks.

Honest mistakes 

Humans make mistakes, it’s only natural. Human error is one of the leading causes of cybersecurity incidents – in fact, recent research by Egress found that 84 percent of organizations have suffered a data breach caused by human error. However, you can take steps to help avoid this. Firstly, your staff need to understand data protection policies and security procedures. Regular training and awareness campaigns will help keep this information fresh in the minds of all employees.

An example of this is a data breach caused by something as simple as an employee sending an email to the wrong person. If employees understand the risks associated with these kinds of mistakes, they’ll take their time over the emails they send to help minimize these errors. Although even with the best training, people will still make mistakes. Intelligent data loss prevention technology powered by machine learning can mitigate that risk by providing another layer of defense.

Malicious action 

People also sometimes break the rules. This is especially true if employees see security procedures as getting in the way of their productivity. That means it’s essential to implement easy-to-use security tools that don't take up too much of the employee’s time. This simplicity, plus proper training on the risks associated with sharing passwords, devices, and security keys, can encourage employees to make the right decisions. 

Intentional exfiltration of data is also an issue. Relevant security policies for resigning staff will help protect against this, but there should also be technology in place to help guard against malicious activity from disgruntled employees or those who have been fired.

Plot twist: Employees could be your greatest strength 

Employees might be a risk to your security, but they can also be an incredible asset. It all comes down to developing the right security culture and empowering staff with the right technology.

Training

Here is where employee training comes into place. Most people don’t know they’re the weak link and assume there are defenses in place to protect against cybersecurity threats. It’s essential that they understand social engineering attacks and the role they have to play in keeping the business safe. 

You should ensure there’s a dialogue open between IT experts and employees — not only to keep cybersecurity at the front of everyone’s minds but also to keep everyone updated on the ever-evolving ways in which attackers might try to gain access.

Be security positive

A security-positive culture empowers employees to make the right decisions rather than punishing them for their mistakes. For example, they should understand best practices for passwords, have access to company policies, and be given the tools to make remembering their passwords easy without compromising security. Alongside this, it’s worth being open about security breaches, as discussing them more openly can help employees better understand the part they play in the security of the business.

Give employees what they need

One of the most critical aspects of empowering your employees is to give them the right tools to do the job. Human layer security solutions will help protect people against inbound phishing threats and protect them from outbound data loss as they send content by email. 

Equally important is active learning embedded into the technology that helps a user understand why an email is deemed suspicious or why they’ve received an alert about a potential data leak. Delivering this education in real-time validates your security awareness training programs, and ensures employees understand how their actions impact security. Additionally, they also see how the technology benefits them, helping to further support your security culture.       Humans with no training or technology to support them are a clear security weak link. But employee understanding paired with intelligent, automated security solutions can help protect your business from cybersecurity threats. With the right help, employees can become your greatest security asset.

Tony Pepper, CEO, Egress

Tony Pepper is the CEO and Co-Founder of Egress, and has a strong track record of successfully creating innovative technology solutions designed to meet the ever-growing demands of modern businesses.