Employees often fall victim to phishing and social engineering attacks that result in compromised system access and data breaches. Some industry estimates attribute over 90 percent of breach incidents to employee error. The problem is worse still when some of the victimized employees are super users with highly privileged system access.
One of the easiest and cheapest ways attackers target companies and their systems is through phishing emails that appear to come from trusted sources, such as company executives or IT support personnel, instructing employees to click a link that then prompts them to enter their ID and password to complete some task. The harvested accounts and passwords are then used to steal data or to target further victims.
Many companies continue to focus their cyber security attention elsewhere, neglecting employee education. “Hackers know that employees present vulnerabilities that seldom exist in fortified systems which they can easily and cost-effectively exploit to achieve their goals,” according to Henry Bagdasarian. The same dynamic plays out at home, where children make better targets than adults: they are easily fooled by fraudulent emails while using a computer shared by the entire family, on which tax returns and other documents containing valuable information are stored. Imagine a child clicking a link and following the subsequent instructions, which install spyware on the home computer. Anyone who later uses that computer to access bank accounts and other online accounts is exposed to having their passwords and account information compromised.
One of the main principles of security management is identifying and categorizing risks. The risk of an employee being targeted by an attacker is seldom taken as seriously as an attack on the company's systems and technology infrastructure, when in fact employees pose the greatest risk, and one that costs far less to remediate than system vulnerabilities. Many companies do an excellent job of securing their systems while failing to recognize and address the greatest risk facing their organization, which happens to be the common root cause of most data breach incidents.
According to Bagdasarian “other human errors that lead to data breach cases include:
- account and password sharing,
- management override of controls,
- use of unchecked personal devices for business,
- lack of data loss prevention (DLP) controls,
- high number of exceptions to policies,
- hiring criminals due to lack of background checks,
- lack of system and user monitoring, and
- ignoring inactive, orphan, and excessive number of privileged accounts for a long period of time”.
Resolving Employee Error Risk
Assuming that employees are the greatest risk to organizations, one of the best actions a company can take to minimize that risk is to assess the level of access each employee has and determine whether that access is needed and appropriate. Once employees with highly privileged access are identified, they must be targeted for increased cybersecurity awareness and education. To further minimize the risk, on-boarding and off-boarding practices must be assessed to ensure that excessive access is never granted unnecessarily and that departed employees are removed from systems immediately upon departure. Access drifts, so once this is done, plan to repeat the review on a schedule and audit the systems periodically to ensure nothing falls through the cracks.
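The review described above is easy to automate once the HR roster and the account inventory can be joined on an employee identifier. The following script is an added example, not from the original article or its author; the employee roster, account list, field names and the 90-day inactivity threshold are constructed assumptions. It joins the two data sets and reports the conditions the article lists as human-error root causes: orphan accounts with no owner in HR, accounts of departed employees that are still enabled, and privileged accounts that are inactive or have never been used. It also produces the list of people who hold privileged accounts, which is the target list for the extra awareness training the article calls for.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical; not from the page).
TODAY = date(2024, 6, 30)

# HR roster keyed by employee id. "left" is the termination date, if any.
EMPLOYEES = {
    "E100": {"name": "Alice", "dept": "IT", "status": "active", "left": None},
    "E101": {"name": "Bob", "dept": "Finance", "status": "terminated", "left": date(2024, 5, 1)},
    "E102": {"name": "Carol", "dept": "HR", "status": "active", "left": None},
}

# Account inventory as exported from a directory or IAM system. "owner" is the
# employee id the account was provisioned for; E999 does not exist in HR.
ACCOUNTS = [
    {"user": "alice",      "owner": "E100", "enabled": True, "privileged": True,  "last_login": date(2024, 6, 29)},
    {"user": "alice-adm",  "owner": "E100", "enabled": True, "privileged": True,  "last_login": date(2024, 1, 10)},
    {"user": "bob",        "owner": "E101", "enabled": True, "privileged": False, "last_login": date(2024, 4, 30)},
    {"user": "carol",      "owner": "E102", "enabled": True, "privileged": False, "last_login": date(2024, 6, 28)},
    {"user": "svc-backup", "owner": "E999", "enabled": True, "privileged": True,  "last_login": date(2023, 11, 2)},
    {"user": "carol-adm",  "owner": "E102", "enabled": True, "privileged": True,  "last_login": None},
]


def review_access(employees, accounts, today, inactive_days=90):
    """Join accounts to the HR roster and flag the access-hygiene failures.

    Returns a dict of finding category -> sorted list of usernames.
    """
    cutoff = today - timedelta(days=inactive_days)
    findings = {
        "orphan": [],                 # owner not in HR at all
        "departed_enabled": [],       # owner terminated, account still enabled
        "inactive_privileged": [],    # privileged, enabled, no login since cutoff
        "never_used_privileged": [],  # privileged, enabled, never logged in
    }
    for acct in accounts:
        emp = employees.get(acct["owner"])
        if emp is None:
            # No HR record: cannot be attested by anyone, so report and move on.
            findings["orphan"].append(acct["user"])
            continue
        if emp["status"] == "terminated" and acct["enabled"]:
            findings["departed_enabled"].append(acct["user"])
        if acct["privileged"] and acct["enabled"]:
            if acct["last_login"] is None:
                findings["never_used_privileged"].append(acct["user"])
            elif acct["last_login"] < cutoff:
                findings["inactive_privileged"].append(acct["user"])
    return {k: sorted(v) for k, v in findings.items()}


def privileged_owners(employees, accounts):
    """Map each known employee to the enabled privileged accounts they hold.

    This is the population to prioritise for awareness training.
    """
    owners = {}
    for acct in accounts:
        if acct["privileged"] and acct["enabled"] and acct["owner"] in employees:
            owners.setdefault(acct["owner"], []).append(acct["user"])
    return {k: sorted(v) for k, v in owners.items()}


def days_since_departure(employees, accounts, today):
    """For each enabled account of a terminated employee, how many days it lingered."""
    lingering = {}
    for acct in accounts:
        emp = employees.get(acct["owner"])
        if emp and emp["status"] == "terminated" and acct["enabled"] and emp["left"]:
            lingering[acct["user"]] = (today - emp["left"]).days
    return lingering


if __name__ == "__main__":
    report = review_access(EMPLOYEES, ACCOUNTS, TODAY)
    for category, users in report.items():
        print(f"{category:22s} {users}")
    print("privileged owners:", privileged_owners(EMPLOYEES, ACCOUNTS))
    print("days lingering after departure:", days_since_departure(EMPLOYEES, ACCOUNTS, TODAY))
```

Orphan accounts are reported and then skipped for the other checks, because without an HR owner there is nobody to attest that the access is still needed; in practice that means disabling the account and finding its real owner rather than assuming it is a harmless service account. Run the review on a schedule (for instance from a monthly job) and diff the findings against the previous run so that new orphans and lingering departures surface immediately.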