Organizations often overlook the importance of their employees, and of their involvement, when planning their security strategy – focusing simply on the technology to be implemented. These individuals hold business-critical services and the company’s brand reputation in their hands. Technology alone should never be seen as a one-stop shop for implementing a successful security strategy – never underestimate the need to invest in the education of your workforce.
Opportunistic data attacks often go via employees
Employees can be an easy route for any opportunistic hacker looking to find their way into an organization, as they commonly make mistakes that leave their organization’s IT doors wide open. In fact, the Verizon 2013 Data Breach Investigations Report (DBIR), which analyzed 621 confirmed network intrusions, found that employees were often the weakest link when it came to keeping companies secure.
We found that 76 percent of incidents occurred as a result of attackers exploiting weak or stolen passwords or credentials to gain unauthorized access. This shouldn’t come as a surprise, as using someone else’s login credentials is an easy and obvious way for an intruder to remain undetected. The reality is that passwords are often easily guessable, or the same password is used across a number of personal and business accounts - common pitfalls that trap many employees.
Another common route in is social engineering, such as phishing scams, where hackers try to trick employees into giving away their information or downloading malware. For example, the cybercriminal sends a carefully tailored e-mail that looks completely genuine to a network administrator, enticing them to click on a link, download an attachment, or fill in an online form, and thereby to install a piece of malware or give away their login credentials.
Invest in employees - they also safeguard your brand
In reality, many businesses that fall victim to cyberattacks don’t have basic security practices in place. These range from identifying the organization’s most critical assets and data to implementing stronger controls to manage the risk. Overlooking the most basic steps can lead to disaster. Awareness is the first and best line of defense against cybercriminals, and it is the lack of this basic awareness in some organizations that allows the majority of cyberattacks to keep succeeding.
A major part of preventing common security incidents is ensuring that employees know and understand the risks of their digital actions. They need to make sure they don’t play into the hands of cybercriminals by unintentionally inviting them in. Beyond that, CIOs need to stay in touch with the latest security threats and share that knowledge throughout the organization.
Training staff is an ongoing process -- repetition, repetition, repetition is the name of the game here. Regular practice sessions are essential to ensure that staff are ready for an Advanced Persistent Threat (APT) attack.
Time doesn’t stand still and neither does anything else in business
We often get asked "why can’t technology just stop employees doing what they’re not supposed to do?" Well, like time, business and everything concerned with it – whether employee or customer demands, technology or mobile devices - does not stand still. The battle against cybercrime is constant – just as new security techniques are implemented, cybercriminals are trying to break them. Any organization would be complacent to think that technology alone will combat this, or that employee education isn’t required.
For example, let’s just consider a couple of scenarios:
- Mobile devices: we believe that lost and stolen – and unencrypted -- mobile devices will continue to be a far greater threat than hacking and malware. Technology alone cannot help an employee understand the importance of keeping a mobile device safe and secure at all times. Security risks have increased exponentially as employees use a growing number of devices and access points to log in to the network, leaving businesses exposed to increasingly sophisticated attacks.
- Insider attacks: cybercriminals can also enlist the direct help of employees (sometimes willingly) in "insider" attacks against an organization in order to obtain information. Again, employee education is required for such an approach to be recognized, so it can be dealt with immediately.
In a recent "sneak peek" into Verizon’s 2014 DBIR, Wade Baker, managing principal for the RISK team, commented, "The most disturbing trend we are seeing among the data is that hackers are getting better at their jobs and the security community is not improving fast enough to keep up in the fight against cybercrime."
Organizations should remember that employees are the most valuable aspect of any business, and also the most intelligent – they should be trained on security requirements and recognize security as an integral element of their job. Technology alone is not a complete defense against security attacks. The good news is that simple steps, done regularly, are often all it takes to bring this extra line of defense to bear against the cyber-threat.
Learn more about how Verizon can bring a wealth of intelligence, experience, procedures and processes to your security strategy.
Sign up to become a Verizon Security Insider and receive a copy of our next Data Breach Investigations Report before the official launch.