While data breaches are usually caused by actors who deliberately attempt to break into a system with the use of malware and hacking, it’s still not entirely accurate to assume that all breaches are caused by outsider attacks. In fact, a Trend Micro survey that was carried out in March 2014 revealed that 19.8% of respondents experienced data breaches from internal systems.1
That still doesn’t mean that internal breaches are deliberate, and sometimes, breaches can be caused by employee negligence and common human error. A recent example of this is the incident that happened in June 2015, when an Australian grocer accidentally emailed the master spreadsheet of customer information and redeemable codes for approximately 8,000 gift cards to over 1,000 customers. Consequently, the email addresses and other customer information were exposed, and the retailer had to cancel over $1 million in gift cards.2 It's a perfect example of how negligence or human error can amount to financial loss, reputation loss, or both.
Human negligence—either by carelessness or a lack of knowledge—is why cybercriminals choose (and may even prefer) to resort to trickery. It simply makes it easier for them to infiltrate a system without having to use more sophisticated methods.
Given this information, it has to be asked: are employees the weakest links in an organization? In a lot of breach cases that involved either employee negligence or insider involvement, it would seem that they certainly are.3 And for cybercriminals, it looks like phishing for frontline information through an unwitting employee could be much simpler than hacking their way through established network defenses. Additionally, with increased forensic technologies such as intrusion detection and network monitoring, getting through a system becomes tougher for cybercriminals, causing them to resort to one of the most basic, but still effective, tactics: social engineering.
This is the new battlefront, and organizations must balance between investing in security technology and committing to train employees according to the company’s best practices.
To err is human, to prevent is divine
They say that a company’s biggest asset is its employees. While this is true, it has also been established that employees can be its weakest link when it comes to security. While security should be largely the responsibility of the IT department, employees should still be the first line of defense. As such, employees need to be educated and trained in order for them to stay vigilant and defensive against potential security attacks.
Some employees are also lulled into thinking that just because they have security software installed, they're safe from threats. But a lot of people aren’t aware that despite having a security system, lax online behavior can still expose the network to threats. As mentioned above, many cybercriminals zero in on this kind of mindset and use various social engineering tactics to obtain the information they need to infiltrate the system. Even the most basic scheme can be used to trick any user into opening malicious attachments or clicking on bad links.
Here are some common mistakes employees make:
It's hard to cure bad habits
While this adage might be true, it doesn't have to stay that way. Companies need to address this problem by dedicating proper training to their employees. Trend Micro’s Chief Technology Officer, Raimund Genes, stressed that “We must not forget one other component of security: end users. Difficult as it is, end users should be educated to not fall for simple scams.” They could start by holding employees accountable for falling prey to scams and schemes. It’s important to remember that adhering to company policies is one thing, but developing good security habits is another. The latter could easily progress over time, given constant reminders and knowledge. Here are 5 security commandments that every employee should know: