At a time when ransomware attacks and sophisticated hackers are often seen as the greatest cyber threat to companies, a less-obvious source could be the real villain: your employees.
According to IBM’s 2016 Cyber Security Intelligence Index, insiders are responsible for 60 per cent of all cybersecurity attacks, with three-quarters involving malicious intent and one-quarter the result of accidents or oversights.
Alastair MacGibbon, head of the Australian Cyber Security Centre (ACSC) and National Cyber Security Adviser at the Department of Home Affairs, says all organisations should be conscious that insiders can be the weak point.
While the threat may come from disgruntled or malicious staff members, innocent employees are often the target of cybercriminals who dupe them into doing something they should not – opening a suspicious file which may contain malware, clicking on a dubious email or compromising passwords.
The ACSC, which combines capabilities across Defence, the Attorney-General’s Department, the Australian Security Intelligence Organisation, the Australian Federal Police and the Australian Criminal Intelligence Commission, advises a range of risk-mitigation strategies.
These include restricting the scope of activities an individual can carry out, locking down some platforms, and limiting the sorts of files employees can run on their computers. Other measures include access controls – only letting people have access to the systems and files they need to do their job and terminating IT access for employees who have left the organisation.
While Andrew Webster, head of security protection services at Westpac, agrees that cyber threats can be malicious or inadvertent – “both can cause damage to an organisation” – it is often simple actions from employees that can expose a company to risks.
Data can be easily compromised by leaving a USB stick with classified data in a bar or café, for instance, or by allowing children to access a work laptop or smartphone at home. In an era when flexible work practices are actively encouraged, sending confidential work information over an open email platform such as Gmail, Yahoo or Hotmail is another commonplace risk.
“That working arrangement may seem great from an employee’s perspective, but what they’ve just done is send out confidential information via email to an untrusted source,” Webster says.
Too often, he suggests, an employee has risky habits due to being unaware, or just because they have been doing something the same way for a long time. “It comes down to a lack of awareness on that person’s behalf, because they’ve never seen any adverse consequences in the past,” he says.
The case of Equifax is glaring. The US consumer credit reporting agency exposed sensitive personal information of about 147 million people because a single employee failed to implement a software patch to address a system vulnerability. The incident is expected to cost Equifax hundreds of millions of dollars after factoring in costs to resolve government investigations and defend civil lawsuits.
But other dangers lurk.
Perhaps the most surprising aspect of the Nigerian Prince email scams that started in the 1990s is that so many people have fallen – and continue to fall – for the ruse; emails with poor spelling and grammar from a “West African noble” requesting $1000 or so in return for millions of dollars. What could go wrong?
In 2018, such phishing scams have evolved to the point that fraudulent business-related emails appear to be coming from trusted sources, leaving time-poor employees at risk, says Puneet Kukreja, national lead partner for financial services and data protection at Deloitte Australia.
“The volume of information we are consuming has risen dramatically,” Kukreja says. “So, if you combine societal pressure to be always connected via smartphones and to just click on a link with the increased sophistication of scam emails, it’s getting really hard to spot the scam.”
Disturbingly, Kukreja notes that when organisations run training exercises about malware, phishing and spear phishing, people end up clicking on dodgy links “nine times out of 10”.
Although ransomware makes up a relatively small proportion of cyber scams, it has recently dominated the headlines due to mass attacks such as CryptoLocker and WannaCry, which use malware that takes over computer systems and extorts money to unlock them.
Hackers often use fake emails to get unwitting victims to download the nasties. The lesson is to educate employees to be suspicious and to warn them that if correspondence looks dodgy, or too good to be true, it probably is.
Webster agrees that employee education and knowledge of proper processes can dramatically reduce cyber threats. So, dissuade employees from sending sensitive information over wi-fi networks unless it is safeguarded through a virtual private network (VPN). And remind them that it is a bad idea to open PowerPoint presentations on a bus, train or plane, where others can watch or take an image of them.
“People don’t treat their data as valuable,” Webster says. “You wouldn’t pull all of your money out while you’re on the bus and count it, yet people seem to think it’s okay to do that stuff online.”
While cybersecurity software systems can provide protection for businesses, choosing the right solutions to complement existing technology within an enterprise can be difficult, observes Deloitte’s Kukreja. He notes that at a recent security conference in San Francisco, about 5000 vendors were showcasing their products. “So it gets to a point where it is very hard to differentiate value,” he says.
His advice?
Do your homework and resist the temptation to constantly swap software systems just because another offering hits the market. At the same time, Kukreja says the security spotlight should always be on people.
“Nothing beats awareness and education, because the human being is the last endpoint,” Kukreja says. “You can have a lot of endpoint security, but if the human being is insecure and they do not have the knowledge then none of the technology will work. You have to give them knowledge, advice, guidance and training.”
Webster suggests three actionable steps to mitigate internal risks: focus on email protections, understand autopatching and “whitelisting”, and get ready for remote browsing.
This is an edited version of an article that was first published on Westpac IQ.