Are employees the weakest link in the company’s cybersecurity?
According to many researchers, the weakest link in cybersecurity of a company it the occupant of the space between the chair and keyboard. It seems that the phishing attacks are actually on the uptick, so the employees are a bigger security weakness than any type of technological vulnerability.
As a rule, it is human nature for effective employees throughout an organization to look for the easiest solution, the best workaround. They value convenience, and this can fly directly in the face of embracing the best security practices. They often are well-positioned to carry out nefarious activities.
The main threat comes from employees having access to valuable or sensitive data, combined with the often unavoidable fallibility of human error. Access to IT systems is essential for many of the employees to be able to do their jobs, and then managing that very access is key to guarding against insider threats. It is the very place where many organizations fall short.
Cybercriminals often seek the weakness among employees, because finding a vulnerability in a person can take minutes, on the contrary to finding vulnerabilities in software, which can take weeks. It is a path of least resistance.
Until recent years, the perspective in enterprise IT security has largely been that breaches are primarily a technological concern that should be solved with various filters and updates and shiny new security software. But actually, it is a combination of technology and people. However, what gives hope is that attitudes are changing because there is a rapidly rising number of large or small companies that are managing more consistent security policies and are training employees to understand what to do, day-to-day, and what to look for.
Most human errors are innocent. An employee absentmindedly opens a legitimate-looking attachment, or an eager-to-please human resources employee releases confidential personal information while responding to an email that appears to belong to a top executive. A wrong click on an email or accessing company files on personal devices can easily lead to a breach, after all, it is usually the weakest point hackers target.
As organizations seek to create more dynamic and efficient environments, embracing remote access through an assortment of mobile devices and cloud support, the very concept of having a ‘perimeter’ for the network becomes fuzzy. Today’s level of flexibility and access brings with it an opportunity for the employee to contribute much more than they have in the past, but with it also comes dangers.
Many employees seem not even aware that their credentials are the number one target of the hackers, and how even clicking on a bad link or downloading an infected attachment can be the opening shot in putting the entire corporate network into a compromising situation.
It is usually the most basic mistakes that appear to be the biggest: an employee finds an unused USB stick laying on the floor, and inserts it or uses passwords that are too easy to guess. Many people do not even consider their behavior insecure or risky, they simply see them as shortcuts or a means to encourage or allow for teamwork. Many of the employees even admit that they often leave their work computer unlocked when they are not there.
One might assume the up-and-coming generation of employees entering the workforce – those who have grown up with the internet and mobile phones, and have always been aware of the lurking cyber-crime specter would just naturally come to work with better security hygiene.
But according to the reports, that’s sadly not the case: a full 87 percent of people aged 18 to 25 admitted to reusing the same passwords, with almost half of them doing so across personal and work accounts. Almost one-third of these respondents also have said they have installed software on their business devices or networks without authorization from their IT department.
Because even the most well-intentioned employees are still fallible, the organization still needs to do their part to beat back the rising tide of attempted compromise. Security awareness training is a critical, foundational, and still-too-often under-utilized tool that enterprises can and should enlist. Humans are human, and they will make mistakes. Training programs must evolve.
A good bite-size, accessible training – online as well as in-person – that will cover a broad expanse of possible issues and try to connect with employees in a way that is meaningful to them is needed. Also, role-based access provisioning is one of the best ways to control system access to ensure that an employee only has access to the specific systems needed to fulfill their job responsibilities.
The final verdict should be that considering that data is a company’s currency and as applications are deployed, the question of who has access to that data must be answered and verified. Organizations must have complete consistency of security policy enforcement across environments – even close to 100 percent consistency as possible, with a very defined plan outlining how to handle the risks created by any gaps.