Next time a major cyberattack grabs international headlines, try to ask random people how they think the incident occurred. It won’t be long before you come to a speedy conclusion. Many people perceive cyberattacks as an individual or group working to exploit existing operating system’s or corporate application’s vulnerabilities.
More often, though, bad actors will exploit a weak link resulting from human actions or inactions. In this article, we’ll discuss 9 human elements employees fall for that put your company at a cybersecurity risk. These include events or actions where human fallibility leads to a successful system hack and/or data breach.
What Cyberattacks Do to a Company
Human error remains one of the biggest pain points in enterprise cybersecurity. According to BakerHostetler’s 2021 Data Security Incident Response Report, 36% of incidents the law firm handled involved phishing, inadvertent disclosure, or stolen/lost devices/records. Some human-inflicted threats include sharing passwords, inconsistent patching, opening suspicious email attachments, and clicking on unsafe URLs. Another threat is accessing corporate networks from unauthorized and unsecured personal devices.
Aside from the risk to information, cyberattacks cost organizations billions of dollars each year. This only seems to have gotten worse in recent years.
A data breach’s cost is often multifaceted. The expense may involve the following:
- Contracting third-party cybersecurity experts
- Investigating the incident
- Closing the breach
- Cleaning up systems
- Upgrading security applications
- Notifying affected clients
- Risking customer confidence
- Denting brand image
- Suffering regulatory penalties and out-of-court settlements
According to IBM’s 2021 Cost of a Data Breach Report, the average breach’s cost was $4.24 million, the highest it’s been in 17 years. Employee-caused cyberattacks are responsible for a significant proportion of such incidents.
That said, what are the most common cybersecurity attacks companies face resulting from employee mishaps?
Common Employee Security Cyberattacks
If I wanted to count all the potential employee-caused attacks, the list would be endless. Let’s consider the attacks that would most likely originate from your staff.
Malware Infection
Malware is software installed without a user’s express or informed consent. This can happen if an employee opens a suspicious email attachment or visits an infected website. As the name suggests, once malware infects your system, it performs malicious, unauthorized actions. These actions could include accessing your network persistently, spying on users, disrupting your network, extorting you for money, and more.
Phishing Attack
Phishing occurs when an attacker deceives a victim (in this case your employee). They’d trick them to disclose sensitive customer or organization information, like passwords, credit card data, and confidential or strategic documents. You’d say but my employees aren’t that gullible. That’s true but attackers could send emails that seem to come from a trusted source. That way an unsuspecting employee would click the link and fall for the phishing attack.
Man in the Middle (MITM) Attack
An MITM attack occurs when bad actors intercept internet communication between two or more parties. The goal is to eavesdrop on messages, steal credentials, or capture confidential information. An MITM may happen when an employee uses public Wi-Fi.
You can easily avoid these attacks, though. Simply consider these 9 common factors that result in employee-driven cybersecurity threats.
9 Reasons Employees Become Cybersecurity Weak Links
The reasons employees endanger corporate systems and data range from deliberate sabotage to ignorant action. Once a cyber attack is in progress, your company’s systems and data are at risk, irrespective of how it started. Consider these 9 things that could lead to employee-driven cybersecurity threats.
1. Fatigue
Fatigue can result from the weight of your employee’s responsibilities at work. It can also come from the nature of activities they engage in while they’re away from the office. These often stretch your employees’ physical and mental limits.
Then, it spirals into a decline in concentration levels at work. Employees are just too tired to consistently follow company procedures on data protection and application security. This, in turn, increases the probability that they’ll make cybersecurity errors that may jeopardize your corporate systems and data.
Pro Tips:
- Contain fatigue by ensuring employees leave work on time
- Distribute work equitably to avoid overburdening one employee
2. Financial Need
Financial gain is at the heart of most forms of illegal activity. Cybercrime isn’t different. Staff pursuing easy money can break ranks and do the unauthorized. Your employee may be willing to sidestep policies and procedures to engage in unauthorized system activity or collaborate with external bad actors.
Could financial gain be so tempting? Cyberattackers may promise your employee a life-changing financial payout if they can disclose sensitive data. The employees may be struggling with piling debt. That leads them to latch onto anything that provides some escape from their financial trap.
Pro Tips:
- Organize financial planning workshops for staff to help them choose legitimate options that maximize their wealth
- Look out for employees showing signs of financial distress, like having a reputation for borrowing from colleagues
3. Ignorance
You’d imagine with improving computer/ technological literacy so would an average employee’s basic cybersecurity risk awareness. Reality is markedly different, though.
You may be surprised at how many employees don’t know what the right thing to do is. They don’t realize they need to use passwords, avoid connecting to public Wi-Fi, or refrain from saving confidential company information on their personal devices.
Staff members don’t understand how their everyday actions can place confidential company, employee, customer, and vendor data at risk.
Pro Tips:
- Establish a comprehensive employee cybersecurity awareness and training program
- Subject all employees to mandatory annual cybersecurity training
4. Convenience
Cybersecurity staff aren’t always the most popular people with the IT department or employees, in general. Often employees feel cybersecurity staff make it harder to roll out projects quickly and get things done fast. When your employees think controls are inhibiting their work, they’ll be more open to shortcuts.
Take the example of a bank where transactions need a manager’s authorization for final sign-off. The manager may feel tempted to share the credentials with a subordinate employee. That way, the manager doesn’t get called on each time a transaction needs finalizing.
Did you find the caveat? When the manager shares the credentials, they sacrifice data and system security for short-term convenience.
Pro Tip:
- Ensure employee cybersecurity training includes the risk associated with circumventing controls for short-term convenience
5. Internal Conflict
Research shows you’re at a higher risk of a road crash if you get behind the wheel when angry or upset. Emotional distress increases distraction risk. One study found you’re five times more likely to have an accident than a driver chatting on their phone.
Workplace conflict and rivalry competition create a similar risk. Your employees may be too focused on scoring points against a rival or feel constantly provoked by colleagues. That’ll result in employees crashing their employee cybersecurity car as they try shortcuts to beat their colleagues.
Pro Tips:
- Look out for friction between employees or departments
- Create channels for addressing any internal conflict quickly
6. Unconverged Security
Traditionally, physical and IT security were separate entities that functioned independently and only collaborated on a case-by-case basis. That said, the digital and internet revolution has rapidly narrowed the line between physical and virtual threats. That led many organizations to recognize the value behind converging physical and IT security functions.
When a company lacks such convergence, threats that straddle the boundary of physical and cyber risk may fall through the cracks. You’ll end up with a security breach and both teams dropping the blame on the other team.
Think about an intruder tailgating an employee into the data center through a card-controlled access door. The access door falls under physical security while an incident in the data center is in an IT security’s domain. Who’ll take the blame?
Pro Tips:
- Converge physical and IT security processes
- Foster closer and more strategic collaboration between the two as convergence doesn’t necessarily entail merging both functions
7. It’s an ‘IT Problem’
You’ve likely heard this multiple times before. It’s not just regular non-IT employees who say “it’s an IT problem”. Often, this is a culture that starts at the top i.e. the board and C-Suite. This perspective on cybersecurity disregards the fact that battling the cyber risks companies are facing needs a whole warrior fleet.
It’d take more than one department to shield a company from cybersecurity threats. Your IT security and/or IT departments can’t thwart every potential security loophole across the company. They can’t be everywhere, every time. If other departments see employee cybersecurity as an IT problem, you need to look out for the grave danger lurking around your data and systems.
Pro Tip:
- Make sure all employees understand their personal responsibility to protect corporate systems and data
8. Outdated or Inadequate Policies and Procedures
I can’t emphasize the need to routinely update cybersecurity policies and procedures enough. Controls and practices that were effective three years ago could be woefully inadequate today.
Think about it. Over the last three years, your company has likely procured new systems, extensively updated existing ones, eliminated certain roles and introduced new positions. Outdated policies and procedures don’t address this change in the threat landscape.
That’s why employees relying on these old policies and procedures are ill-equipped. They can’t take the necessary actions from the get-go to keep corporate systems and data safe.
Pro Tip:
- Develop a schedule for regularly reviewing and updating cybersecurity and all corporate policies and procedures
9. Recklessness
Cybersecurity attacks are sometimes successful due to an employee’s sheer recklessness. In this case, your employee understands what they need to do but willfully disregards it. They might believe no one will find out or their actions won’t harm the company’s systems and data.
Often carelessness grows on your employees as they get used to breaking rules without suffering any consequences. Employees adopt a negligent attitude as they begin to internally doubt the value of adhering to employee cybersecurity policies and procedures.
Pro Tips:
- Ensure deliberate disregard to policies and procedures attracts a strong response, including dismissal for repeat offenders
- Check that your organization’s cybersecurity training program delves into how security controls help protect corporate systems and data
Though these seem overwhelming to address, our pro tips would help you get started to mitigate the risks.
You Can Mitigate the Risk
Humans may be cybersecurity’s Achilles heel but that doesn’t mean you can’t mitigate their risks. You can benefit from the rapid proliferation in data loss prevention, behavior monitoring, and insider threat detection tools.
That said, such technical solutions are only as effective as the quality of non-technical controls you pair them with. These non-technical measures include setting the right tone at the top, conducting employee training and awareness, converging security functions, and updating procedures regularly.
Final Thoughts
Think about how the last malware or phishing attack on your organization occurred. An employee likely downloaded a suspicious attachment or responded to a rogue link they received via email.
Employee action or inaction is the trigger for many successful cyberattacks and data breaches. The causes range from sharing credentials and ignoring procedures to internal conflict and unconverged security. These breaches cumulatively cost organizations billions of dollars each year.
Business, IT, and cybersecurity leaders can’t afford to ignore the risk their staff potentially pose to corporate systems and data.
FAQ
What is spear phishing?
Spear phishing is phishing that’s highly targeted. Bad actors often pose as a known and trusted source to deceive a carefully selected victim to divulge sensitive information. It’s one of the most damaging employee cybersecurity attacks.
What are the major types of malware?
Malware comes in different flavors and depends on the exploit and attack vector used. Some of these include: viruses, worms, trojans, ransomware, adware, spyware, botnets, rootkits, and keyloggers. Many, like viruses, worms, and trojans will leverage injection attacks to bypass most security measures. Others use social engineering to help propagate the malware by bypassing security zones. Selecting the right attack vector will be vital to a cybercriminal’s success.
What is ransomware?
A form of malware that locks or encrypts a device, application, or data. The attacker then demands a ransom payment from the victim to restore access. Ransomware attackers are normally organized criminals with professional tools.
What was the largest ransomware payment made in 2021?
The insurance company CNA Financial paid attackers $40 million to regain access to its systems. In this scenario, CNA Financial couldn’t restore its system successfully. They had to pay to have the ransomware removed or bankrupt the company through losses.
Who is the C-Suite?
The term C-Suite represents senior executives in an organization. The C-Suite typically includes the CEO, COO, CFO, and CIO/CTO. This term helps differentiate them from middle and mid-upper management. IT professionals will likely need to get approval from the C-Suite for larger cybersecurity changes due to the financial cost, user workflow changes, and policies.
Resources
Employee Monitoring
Get to know if employee monitoring has become a reality here.
Monitor Remote Employees
Learn how to monitor your remote workers without invading their privacy.
Employee Leave Dangers
Look out for the cybersecurity dangers that happen when an employee goes on leave
TechGenix Health Verification Form
Protect your customers and employees from COVID-19 with our simple How to protect customers and employees: Simple health verification form.
Employee Monitoring
Consider the 5 reasons you should monitor employees – and 5 reasons why you shouldn’t.
