Biggest cyber challenge? Your staff

02:06pm March 11 2019

At a time when ransomware attacks and sophisticated hackers are often seen as the greatest cyber threat to companies, a less-obvious source could be the real villain: your employees.

According to IBM’s 2016 Cyber Security Intelligence Index, insiders are responsible for 60 per cent of all cybersecurity attacks, with three-quarters involving malicious intent and one-quarter the result of accidents or oversights.

Alastair MacGibbon, head of the Australian Cyber Security Centre (ACSC) and National Cyber Security Adviser at the Department of Home Affairs, says all organisations should be conscious that insiders can be the weak point.

While the threat may come from disgruntled or malicious staff members, innocent employees are often the target of cybercriminals who dupe them into doing something they should not – opening a suspicious file which may contain malware, clicking on a dubious email or compromising passwords. 

The ACSC, which combines capabilities across Defence, the Attorney-General’s Department, the Australian Security Intelligence Organisation, the Australian Federal Police and the Australian Criminal Intelligence Commission, advises a range of risk-mitigation strategies.

These include restricting the scope of activities an individual can carry out, locking down some platforms, and limiting the sorts of files employees can run on their computers. Other measures include access controls – only letting people have access to the systems and files they need to do their job and terminating IT access for employees who have left the organisation.

While Andrew Webster, head of security protection services at Westpac, agrees that cyber threats can be malicious or inadvertent – “both can cause damage to an organisation” – it is often simple actions from employees that can expose a company to risks.

Data can be easily compromised by leaving a USB stick with classified data in a bar or café, for instance, or allowing children to access a work laptop or smartphone at home – and, in an era when flexible work practices are actively encouraged, sending confidential work information over an open email platform such as Gmail, Yahoo or Hotmail is another commonplace risk.
 

“That working arrangement may seem great from an employee’s perspective, but what they’ve just done is send out confidential information via email to an untrusted source,” Webster says.

Too often, he suggests, an employee has risky habits due to being unaware, or just because they have been doing something the same way for a long time. “It comes down to a lack of awareness on that person’s behalf, because they’ve never seen any adverse consequences in the past,” he says. 

The case of Equifax is glaring. The US consumer credit reporting agency exposed sensitive personal information of about 147 million people because a single employee failed to implement a software patch to address a system vulnerability. The incident is expected to cost Equifax hundreds of millions of dollars after factoring in costs to resolve government investigations and defend civil lawsuits.

But other dangers lurk. 

Perhaps the most surprising aspect of the Nigerian Prince email scams that started in the 1990s is that so many people have fallen – and continue to fall – for the ruse; emails with poor spelling and grammar from a “West African noble” requesting $1000 or so in return for millions of dollars. What could go wrong?

In 2018, such phishing scams have evolved to the point that fraudulent business-related emails appear to be coming from trusted sources, leaving time-poor employees at risk, says Puneet Kukreja, national lead partner for financial services and data protection at Deloitte Australia.

“The volume of information we are consuming has risen dramatically,” Kukreja says. “So, if you combine societal pressure to be always connected via smartphones and to just click on a link with the increased sophistication of scam emails, it’s getting really hard to spot the scam.” 

Disturbingly, Kukreja notes that when organisations run training exercises about malware, phishing and spear phishing, people end up clicking on dodgy links “nine times out of 10”.
 

Close-up of code on a computer screen for the Apache Struts framework, which was exploited by computer hackers in the Equifax incident in 2017. (Getty)


Although ransomware makes up a relatively small proportion of cyber scams, it has recently dominated the headlines due to mass attacks such as CryptoLocker and WannaCry, which use malware that takes over computer systems and extorts money to unlock them.

Hackers often use fake emails to get unwitting victims to download the nasties. The lesson is to educate employees to be suspicious and to warn them that if correspondence looks dodgy, or too good to be true, it probably is.

Webster agrees that employee education and knowledge of proper processes can dramatically reduce cyber threats. So, dissuade employees from sending sensitive information over wi-fi networks unless it is safeguarded through a virtual private network (VPN). And remind them that it is a bad idea to open PowerPoint presentations on a bus, train or plane, where others can watch the screen or take an image of it.

“People don’t treat their data as valuable,” Webster says. “You wouldn’t pull all of your money out while you’re on the bus and count it, yet people seem to think it’s okay to do that stuff online.”

While cybersecurity software systems can provide protection for businesses, choosing the right solutions to complement existing technology within an enterprise can be difficult, observes Deloitte’s Kukreja. He notes that at a recent security conference in San Francisco, about 5000 vendors were showcasing their products. “So it gets to a point where it is very hard to differentiate value,” he says. 

His advice?

Do your homework and resist the temptation to constantly swap software systems just because another offering hits the market. At the same time, Kukreja says the security spotlight should always be on people.

“Nothing beats awareness and education, because the human being is the last endpoint,” Kukreja says. “You can have a lot of endpoint security, but if the human being is insecure and they do not have the knowledge then none of the technology will work. You have to give them knowledge, advice, guidance and training.”

Webster suggests three actionable steps to mitigate internal risks: focus on email protections, understand autopatching and “whitelisting”, and get ready for remote browsing.

This is an edited version of an article that was first published on Westpac IQ.