Data Breaches and the Human Factor: Are Employees the Best Defense or the Weakest Links?
While data breaches are usually caused by actors who deliberately attempt to break into a system with the use of malware and hacking, it’s still not entirely accurate to assume that all breaches are caused by outsider attacks. In fact, a Trend Micro survey that was carried out in March 2014 revealed that 19.8% of respondents experienced data breaches from internal systems.1
That still doesn’t mean that internal breaches are deliberate, and sometimes, breaches can be caused by employee negligence and common human error. A recent example of this is the incident that happened in June 2015, when an Australian grocer accidentally emailed the master spreadsheet of customer information and redeemable codes for approximately 8,000 gift cards to over 1,000 customers. Consequently, the email addresses and other customer information was exposed, and the retailer had to cancel over $1 million in gift cards.2 It's a perfect example of how negligence or human error can amount to financial loss, reputation loss, or both.
Human negligence—either by carelessness or a lack of knowledge—is why cybercriminals choose (and may even prefer) to resort to trickery. It simply makes it easier for them to infiltrate a system without having to use more sophisticated methods.
Given this information, it has to be asked: are employees the weakest links in an organization? In a lot of breach cases that either involved employee negligence and insider involvement, it would seem that they certainly are.3 And for cybercriminals, it looks like phishing for frontline information through an unwitting employee could be much simpler than hacking their way through established network defenses. Additionally, with increased forensic technologies such as intrusion detection and network monitoring, getting through a system becomes tougher for cybercriminals, causing them resort to one of the most basic, but still effective, tactics: social engineering.
This is the new battlefront, and organizations must balance between investing in security technology and committing to train employees according to the company’s best practices.
To err is human, to prevent is divine
They say that a company’s biggest asset is its employees. While this is true, it has also been established that employees can be its weakest link when it comes to security. While security should be largely the responsibility of the IT department, employees should still be the first line of defense. As such, employees need to be educated and trained in order for them to stay vigilant and defensive against potential security attacks.
Some employees are also lulled into thinking that just because they have security software installed, they're safe from threats. But a lot of people aren’t aware that despite having a security system, lax online behavior can still expose the network to threats. As mentioned above, many cybercriminals zero-in on this kind of mindset and use various social engineering tactics to obtain the information they need to infiltrate the system. Even the most basic scheme can be used to trick any user to open malicious attachments or click on bad links.
Here are some common mistakes employees make:
- Lax email habits – carelessly opening suspicious emails that contain malware frequently lead to the download of malicious files, or landing on websites that cybercriminals use to phish for information that they can use.
- Weak passwords – weak, short, and sometimes exposed passwords are commonly exploited by hackers and could be one of the easiest ways to break into a system. In addition, some employees tend to share their passwords with others.
- Falling for social engineering tactics – without prior knowledge or training, it could be difficult to avoid social engineering traps like social media scams, spam, and malware that ride on the popularity of big news and events, and others.
- Poor backup practices – failing to back up data increases the downtime and losses incurred when an organization gets attacked.
- Poor security habits outside work – unlike company-owned devices, employee devices are inherently insecure. They may have unpatched vulnerabilities—either on the device or the OS level that can be exploited.
- Connecting to unsecured Wi-Fi networks – connecting to open or public Wi-Fi networks can allow attackers to capture traffic off an open access point and execute attacks such as man-in-the-middle (MitM) attacks
It's hard to cure bad habits
–Raimund Genes, Trend Micro Chief Technology Officer
While this adage might be true, it doesn't have to stay that way. Companies need to address this problem by dedicating proper training for their employees. Trend Micro’s Chief Technology Officer, Raimund Genes, stressed that “We must not forget one other component of security: end users. Difficult as it is, end users should be educated to not fall for simple scams.” They could start by holding employees accountable for falling prey to scams and schemes. It’s important to remember that adhering to company policies is one thing, but developing good security habits is another. The latter could easily progress over time, given constant reminders and knowledge. Here are 5 security commandments that every employee should know:
- Be wary of email attachments – one of the quickest ways to get the attention of a user is through emails. Emails that contain subject lines regarding offers, notices, acknowledgements, or news must be verified prior to opening.
- Use unique and strong passwords – time and again, security experts have talked about using unique and strong passwords. Using weak passwords such as “password” or “1234” is like giving hackers the keys to your accounts. If possible, use a password manager and enable two-factor authentication when available.
- Do not daisy-chain accounts – avoid linking online accounts. Once an attacker gains access to one account, it’s could make it easy for them to obtain other accounts simply by working backward.
- Back up regularly – digital data is vulnerable to both threats and system failure. Backups can lessen the damage in case something happens.
- Secure all devices – whether it’s with the use of anti-theft apps and screen locks, beefing up built-in security settings, or installing security software, these methods should be applied accordingly as device loss or theft could endanger company data that may have been stored in the device.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases