Did you know that roughly three quarters of cyber security breaches involve a human element (Verizon's 2023 Data Breach Investigations Report puts it at 74%)? That does not mean three out of four of your employees are careless; it means that in most breaches, somewhere along the chain, a person clicked, paid or shared something the attacker was counting on. Imagine the horror of discovering your company has paid a hacker instead of a legitimate vendor, all because an employee didn't verify bank details or clicked on the wrong link.
In my extensive experience keeping businesses like yours safe, I’ve seen firsthand how employees create huge security gaps that cyber criminals are just itching to exploit.
Together, we’ll unpack why your employees are your biggest internal security risk and, more importantly, what measures you can take to tackle this threat. By the end of reading this article, you’ll have a clear game plan on how to turn your biggest risk (your employees) into your biggest strength.
Reading Time: 8 minutes
Why Employees Are Your Biggest Cyber Security Risk
As we have just seen, employees are the biggest cyber threat to the companies they work for. Mimecast attested to this in their State of Email and Collaboration Security (SOECS) 2024 report: over two-thirds of their respondents believed that their employees were putting their organisations at risk.
We’ll talk about how in a second, but I want to kick things off with a story – it’s a scary one and based on true events, so you may want to sleep with the light on tonight:
A customer (we'll call him Sam) is booking a hotel room for an upcoming corporate event. This, of course, is happening over email, and while details are being ironed out, another person, masquerading as an accounts manager from the hotel, hops into the thread (we'll call her Hailey).
Hailey sends Sam an email with a legit-looking invoice attached, kindly asking him to make a deposit. Like most of us, Sam gets about 256334 emails a day, so he doesn't think anything of it. He doesn't want to lose his reservation either, so he forwards the invoice straight to Finance, and because he's a bigwig in the company, they waste no time in making the payment.
A few days go by, the event is around the corner, and Sam receives an email from the hotel reminding him to pay for his room. After picking his jaw up from the ground, Sam scrolls through his emails and finds two invoices from the hotel. They’re identical except for one thing: the bank details. Instead of paying the hotel, Sam’s company paid Hailey the Hacker (who is probably sipping margaritas on a beach somewhere).
Getting hacked isn’t always as obvious as being locked out of your devices and a creepy message demanding a massive ransom flashing across all of your screens. Cyber attacks are getting more sinister and evolving at lightning speed, and we have seen a dramatic increase in user impersonation.
Impersonation like this usually happens in one of two ways. Either the attacker is sitting in a mailbox at the hotel, watching invoice emails come and go and waiting for the right moment to send their own version, or the attacker is sitting in the director's mailbox on Sam's side, reading the thread and altering the details (often with a quiet inbox rule that hides the hotel's genuine replies). In both cases they hold the real invoice, the real names and the real timing, which is why the fake looks right.
Regardless of which route the hacker takes, they are relying on one thing: an employee not knowing any better. The check that defeats both routes is boring and cheap: any new or changed bank details get confirmed by phone, to a number you already have on file, never to one printed in the email. This, my friends, is just one example of why human error is the biggest cyber threat to your business, so let's unpack more.
How Employees Unintentionally Put Your Business at Risk
When customers ask me why they should prioritise their employees as a major cyber security risk, I always start by saying this: people will click on anything. Secondly, most of us have terrible password hygiene (this, thankfully, has nothing to do with body odour, but with creating the most basic passwords that might as well be tattooed on our foreheads). Lastly, with remote work being the new normal, more and more people are working on their own devices or connecting to insecure networks. There are so many more reasons I could go into, but this is an article, not a book.
Problem One: Trigger Happy Clickers
Before you bring the hammer down on your organisation, just know that it’s not always out of malice: sometimes people are just incredibly busy. They see an email that looks like something they were expecting, they click on it, and it takes them somewhere bad – or they pay the wrong person, like poor Sam.
Hackers are masters at duplicating legitimate pages, so it's all too easy to fall for their antics. A page will look exactly like the usual Microsoft sign-in page; the only honest part of it is the address bar. What matters there is the registered domain (the part just before the .com or .net), not whether "microsoft" appears somewhere in the URL: microsoft.com.login-portal.net belongs to login-portal.net, not to Microsoft. If your users don't know to look there, you're in trouble. That's where user awareness training comes in.
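To make "what to look for in a URL" concrete, here is an added example (my illustration, not code from the original post or from any vendor): a small Python checker that pulls the real host out of a link and reports the usual lookalike tricks. The trusted-domain allowlist, the brand tokens and the sample URLs are assumptions for the demo; in production you would load the allowlist from your own configuration and use the Public Suffix List to find the registered domain.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: registered domains this organisation legitimately signs in to.
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}
# Assumed brand words an attacker borrows to make a fake host look familiar.
BRAND_TOKENS = ("microsoft", "office365", "outlook", "onedrive")
MAX_TYPO_DISTANCE = 2  # micros0ft.com is 1 edit from microsoft.com


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com/.net; a real deployment
    would consult the Public Suffix List so that example.co.uk is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_findings(url: str) -> list[str]:
    """Return human-readable reasons the URL looks like a lookalike; empty means clean."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()  # hostname excludes user:pass@ and :port
    findings = []

    # user@host trick: everything before the @ is credentials, not the site.
    if parts.username is not None:
        findings.append(f"text before @ is not the site; the real host is {host}")
    # Internationalised lookalikes arrive either as raw non-ASCII or as xn-- labels.
    if not host.isascii():
        findings.append("non-ASCII characters in host (possible homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label in host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain")
        return findings
    except ValueError:
        pass

    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings  # the brand really owns this host
    # Brand word anywhere in an untrusted host: microsoft.com.login-portal.net
    if any(token in host for token in BRAND_TOKENS):
        findings.append(f"brand name inside untrusted domain {reg}")
    # Typosquats and TLD swaps: compare the second-level label with each trusted one.
    name = reg.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        distance = levenshtein(name, trusted.split(".")[0])
        if distance == 0:
            findings.append(f"{reg} reuses the name of {trusted} under a different TLD")
        elif distance <= MAX_TYPO_DISTANCE:
            findings.append(f"{reg} is {distance} edit(s) from {trusted}")
    return findings


def is_suspicious(url: str) -> bool:
    return bool(lookalike_findings(url))


if __name__ == "__main__":
    # Constructed sample links: one clean, four lookalikes.
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://microsoft.com.login-secure-portal.net/auth",
        "http://microsoft.com@198.51.100.7/login",
        "https://micros0ft.com/login",
        "https://xn--mirosoft-5xb.com/login",
    ):
        print(sample, "->", lookalike_findings(sample) or "ok")
```

The order of checks matters: the host is extracted first, so a brand name hidden before an @ or in a subdomain never gets a chance to look trustworthy, and the allowlist short-circuits everything else so genuine sign-in pages are not flagged for containing their own brand name.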
Solution: Targeted Threat Protection and Email Content Control
There are ways to protect people who click. Mimecast Targeted Threat Protection rewrites the URLs in inbound mail and checks the destination at the moment of the click, so a link that only turns malicious after delivery is still blocked, and it can detonate ("sandbox") attachments before they reach the inbox. Cisco Umbrella works at the DNS layer and can block resolution of domains linked to dubious sites or registered only days ago, which catches the phishing kit that hasn't made anyone's blocklist yet.
Mimecast CyberGraph flags anomalies in who you are talking to: a sender who has never written to your organisation before, or an address that impersonates a known contact from a lookalike or different domain. It prompts the user to check before replying. Even without it, you can improve email content control by stamping external mail with a banner ("This message came from outside the organisation") that tells the user to double-check before replying or paying.
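The same signals can be checked by hand, which is useful for tuning a mail gateway or for an analyst triaging a suspected invoice fraud. The following is an added example, not the original post's or any vendor's code: it walks a thread message by message and flags the tells from the Sam story. The thread is constructed for the demo, all domains are fictional, and the keyword lists and the "squash" lookalike heuristic are my assumptions rather than how any product does it.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed thread mirroring the story: two genuine messages, then one from
# an attacker who has read the thread. All addresses and domains are fictional.
THREAD = [
    """From: Sam Director <sam@examplecorp.com>
To: reservations@grand-hotel.example
Subject: Corporate event booking, 12 June
Message-ID: <1@examplecorp.com>

Hi, please reserve 20 rooms for the night of 12 June. Sam
""",
    """From: Grand Hotel Reservations <reservations@grand-hotel.example>
To: sam@examplecorp.com
Subject: Re: Corporate event booking, 12 June
In-Reply-To: <1@examplecorp.com>
Message-ID: <2@grand-hotel.example>

Confirmed. Our accounts team will send the deposit invoice shortly.
""",
    """From: Grand Hotel Accounts <accounts@grand-hotel-example.com>
To: sam@examplecorp.com
Reply-To: accounts-desk@mailer-free.example
Subject: Re: Corporate event booking, 12 June
In-Reply-To: <2@grand-hotel.example>
Message-ID: <3@grand-hotel-example.com>

Please find the deposit invoice attached. Note our new bank details:
IBAN GB00 TEST 0000 0000 0000 00. Kindly pay today to hold the reservation.
""",
]

# Assumed keyword lists; tune them to the language your finance team actually sees.
BANK_RE = re.compile(r"\b(new bank details|updated bank details|iban|account number|sort code|swift)\b", re.I)
URGENCY_RE = re.compile(r"\b(today|urgent(ly)?|immediately|within 24 hours)\b", re.I)


def domain_of(address: str) -> str:
    """Domain part of one address, lower-cased ('' if absent)."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def squash(domain: str) -> str:
    """Drop the TLD and punctuation so grand-hotel.example and grand-hotel-example.com
    both reduce to something comparable. Crude on purpose; it is a heuristic."""
    return re.sub(r"[^a-z0-9]", "", domain.rsplit(".", 1)[0])


def review_thread(raw_messages):
    """Walk the thread in order; return {index: [findings]} for messages that look hijacked."""
    seen_domains = set()  # domains of everyone who has sent or been addressed so far
    report = {}
    for index, raw in enumerate(raw_messages):
        msg = message_from_string(raw)
        sender_domain = domain_of(msg.get("From", ""))
        findings = []

        # 1. Someone nobody has written to yet appears as a sender mid-thread.
        if seen_domains and sender_domain not in seen_domains:
            findings.append(f"new participant domain {sender_domain} joined mid-thread")
            for known in sorted(seen_domains):
                a, b = squash(known), squash(sender_domain)
                if a != b and (a in b or b in a):
                    findings.append(f"{sender_domain} looks like {known}")

        # 2. Replies would be diverted to a third mailbox.
        reply_domain = domain_of(msg.get("Reply-To", ""))
        if reply_domain and reply_domain != sender_domain:
            findings.append(f"Reply-To goes to {reply_domain}, not {sender_domain}")

        # 3. Payment details appear, with a push to act now.
        body = msg.get_payload() if not msg.is_multipart() else ""
        if BANK_RE.search(body):
            findings.append("message introduces bank/payment details")
        if URGENCY_RE.search(body):
            findings.append("message pressures the reader to pay quickly")

        if findings:
            report[index] = findings
        # Everyone on From/To/Cc of this message is now a known participant.
        seen_domains.add(sender_domain)
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
            seen_domains.add(addr.rpartition("@")[2].lower())
    return report


if __name__ == "__main__":
    for index, findings in review_thread(THREAD).items():
        print(f"message {index + 1}:")
        for finding in findings:
            print("  -", finding)
```

None of the three signals is conclusive on its own (a hotel's accounts team really might write from a different domain), which is why the output is a list of findings for a human to weigh rather than a verdict. The one that should never be overridden by a busy reader is the bank-details finding: that one goes to a phone call.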
Problem Two: Weak Passwords and Unauthorised Websites
Weak passwords are another common vulnerability. If your password is easy enough to guess, then you should probably change it. But having a strong password is only half the story.
In my previous article, I spoke about how employees are notorious for going onto unauthorised websites that they use to transfer data and input their company details. This is another reason why password protection is so crucial: it’s more than just ensuring that it includes a bunch of special characters; you have to guard it like the life of the company depends on it (which it does).
Another client of mine (we'll call him Frank) had an ironclad password but made the mistake of entering his company username and password on an unauthorised hosting environment. Frank had fallen for her trap: Hailey now had access to Frank's corporate network through the hosting environment and put ransomware on all of their servers. The cost of hiring a third party to clean up the mess was a three-figure sum.
Paying a ransom (if you have it) is not exactly a solution. Even if you pay, the hackers may still publish the stolen data on the dark web for others to use. That's why you need credential-exposure monitoring: a service that checks breach dumps and dark web marketplaces for your users' email addresses and passwords, so a leaked password is reset before someone gets to use it.
Solution: Password Hygiene
To improve password hygiene, enforce a password policy and two-factor authentication. On the policy, current guidance (NIST SP 800-63B) favours length over forced special characters: set a minimum of 12 to 15 characters (NIST's floor is 8; longer is a common recommendation), screen every new password against known-breached lists and obvious choices (the company name, "Password1!"), and stop forcing scheduled rotations, which push people towards "Summer2024!" patterns. Multi-factor authentication (MFA) might annoy users, but it means a stolen password on its own no longer gets the attacker in, and for the accounts that matter, phishing-resistant methods (FIDO2 security keys or passkeys) beat SMS codes and push notifications, which attackers have learned to bypass.
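An added example (mine, not from the original post) of what a password screen following that guidance looks like in Python: length first, then context words, then a breach check done the way the Have I Been Pwned range API does it, sending only the first five hex characters of the SHA-1 so the password itself never leaves your system. The breach table here is a constructed in-memory stand-in so the code runs offline; MIN_LENGTH and the sample passwords are assumptions.

```python
import hashlib

MIN_LENGTH = 12  # assumed policy value; NIST's floor is 8, longer is better

# Constructed stand-in for a breach corpus: SHA-1 of a handful of passwords of
# the kind that fill real breach lists. A live check would query the
# Have I Been Pwned range API with the same prefix/suffix split used below.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1!", "Summer2024!", "qwerty123", "P@ssw0rd")
}


def breach_suffixes_for(prefix: str) -> set[str]:
    """Imitates GET /range/<prefix>: every breached hash sharing the 5-hex-char
    prefix, returned as the remaining 35 characters. The server never learns
    which one (if any) the client was interested in."""
    return {digest[5:] for digest in _BREACHED_SHA1 if digest.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breach_suffixes_for(prefix)  # only the prefix leaves the client


def evaluate_password(password: str, context_words=()) -> list[str]:
    """Return the reasons a password should be rejected; empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for word in context_words:  # company name, username, product names ...
        if word.lower() in lowered:
            problems.append(f"contains '{word}', which an attacker would guess first")
    if len(set(lowered)) <= 3:  # aaaaaaaaaaaa, 121212121212
        problems.append("built from only a few distinct characters")
    if is_breached(password):
        problems.append("appears in a breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple", "ExampleCorp-Summer-2024"):
        verdict = evaluate_password(candidate, context_words=("ExampleCorp",))
        print(f"{candidate!r}: {verdict or 'accepted'}")
```

"Password1!" satisfies the classic "letters, numbers and a special character" rule and is rejected twice here, which is the whole argument for screening candidates against breach lists rather than relying on complexity rules.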
Problem Three: BYOD (Bring Your Own Device) Risks
Employees using their own devices for work is risky business. Unless they're tech geeks, their devices are unlikely to have the same protections as company-issued ones: no managed patching, no endpoint detection, no disk encryption you can verify. Shadow IT is almost inevitable because they'll visit all kinds of sites (hopefully outside of working hours) and download sensitive company information onto devices you can't see.
Pause here and ask yourself this question: should employees be able to access your company’s most valuable data on their devices? If so, why?
Overall, it’s more difficult to keep an eye on and manage personal devices compared to company ones (this isn’t Big Brother).
Solution: Data Loss Prevention (DLP) Policies
If employees use personal devices to access corporate information, you need policies that prevent them from downloading it. Data loss prevention (DLP) and conditional access should decide, per device, what a user may do with your crown jewels: a common pattern is to let unmanaged devices view documents in the browser but block download, sync and printing, while enrolled and compliant devices get full access.
Getting Employees to Follow Security Practices
At this point, it’s painfully clear that every single member of an organisation is responsible for keeping the business safe. But life gets in the way, to-do lists become never-ending, and emails seem to multiply by the minute. So, even after implementing watertight security policies, many employees don’t follow them and end up using shadow IT to get the job done as quickly as possible.
It bears repeating that keeping your business safe is not a one-time thing: your cyber security strategy needs to constantly be monitored – and that includes employee behaviour. Not to be dramatic, but if just one person in the organisation drops the cyber security ball, the whole business is at risk.
Controlling Human Error in Cyber Security
In a perfect world, cyber security wouldn't be something you'd constantly need to stay on top of, but it is. It's not just about spending money either: the best tools are only as effective as the people using them, so the solutions you buy need the people around them to be trained and the alerts they raise to be acted on.
It may all seem a bit doom and gloom, but the reality is that human error is the biggest cyber security risk. I didn’t write this article to scare you but to show you that while your biggest threat lies within your organisation, it’s a problem you can control.
I’ve shared insights from my years of experience helping businesses bolster their cyber security, with an anecdote or two that should help you learn from the mistakes of others.
Empower your people by investing in user awareness training, which should cover password hygiene, two-factor authentication, AI, and email use in a corporate environment. It all goes back to the saying: when you know better, you do better.