Most small businesses are at least vaguely familiar with external threats – such as ransomware, baiting, and denial of service attacks. However, they seldom have the same awareness of the insider threats their organizations face. When they do, they typically associate insider threats with disgruntled ex-employees seeking revenge. It turns out that unintentional insider threats account for around 25 percent of data breaches.
You could, of course, choose to ignore the problem because you have faith in your employees’ ability to recognize and avoid common cyber threats, but that could be a very costly decision.
Instead of simply hoping your employees won’t unintentionally put your company at risk, consider becoming familiar with the riskiest behaviors most employees engage in daily and then strengthen your defenses.
Unintentional Insider Threats
1. Falling Victim to Phishing Attacks
Despite its simple premise, phishing and other social engineering attacks are today’s biggest cyber threats. According to Avanan’s phishing statistics, every employee is, on average, targeted by nearly five phishing emails during a five-day workweek, and it takes just one wrong decision for attackers to achieve their shameful goal.
Protection against phishing attacks can start with effective email filtering, but it mustn’t end there. Why? Because email filtering can create a false sense of security and make employees feel that every email message they receive can be trusted.
Employees must also be trained to recognize the telltale signs of phishing scams with security awareness training.
Learn how to implement an engaging and successful cybersecurity awareness training program.
2. Unsafe Web Browsing
If the web were an ocean, it would be full of hungry sharks, poisonous jellyfish, and pirates with automatic rifles. The problem is that many employees regularly swim in this ocean with the same relaxed attitude as if swimming in their backyard pool, downloading potentially infected files, visiting websites with inappropriate content, and posting personal information on social media.
To discourage the insider threat of unsafe web browsing, you must create an internet usage policy. An internet usage policy provides employees with rules and guidelines about what is deemed appropriate for internet browsing behavior in the workplace.
You should also consider using employee monitoring software to detect unsafe web browsing before a costly cybersecurity incident occurs.
3. Ignoring Password Best Practices
It’s no wonder that employees often ignore or are unaware of password best practices. After all, regular password changes and complex password strength requirements were the norms not that long ago.
However, that doesn’t change anything about the fact that frequent password reuse or unsecured password sharing and storage are real problems that affect countless organizations yearly because they make it easy for cybercriminals to access protected systems and data.
Employees should be regularly reminded of password best practices through security awareness training, but they also need to be equipped with tools that make it easier for them to create and use strong passwords. More specifically, they should have access to a secure password manager capable of generating uncrackable passwords and keeping them locked in an encrypted vault until needed.
4. Not Installing System and Application Updates
It may surprise you to learn that unpatched vulnerabilities cause 60 percent of all breaches. The number will likely increase as more organizations embrace remote and hybrid work. Remote employees often use a mix of personal and work devices, many of which may be entirely invisible to IT departments. Such devices are attractive targets because employees often neglect to install available updates, making them vulnerable to hacking attempts.
Since unpatched devices and software applications go hand in hand with the proliferation of shadow IT, the use of information technology systems, devices, software, applications, and services without explicit IT department approval is where you should focus your attention first.
From there, you can implement a patch management policy and use automated patch management tools.
5. Storing and Transferring Data in an Unsecure Manner
Sensitive data must be stored securely – that’s clear. What’s not so obvious is that employees and cybersecurity professionals don’t always have the same level of security in mind.
For example, an employee may think that it’s perfectly fine to store work-related files in a personal cloud as long as the files are protected by two-factor authentication. Or a team may see nothing wrong with using their instant messaging service of choice to share sensitive documents because the service uses robust encryption.
Such well-intended actions often have grave consequences because employees sometimes overestimate their ability to keep cyber threats at bay or are not fully aware of them in the first place.
Employees should be reminded to use only approved storage and data transfer solutions. It’s also a good idea to teach employees how to encrypt individual files and entire storage devices and computers so they can take their data security to the next level.
Prevent Your Employees from Putting Your Company at Risk
It wouldn’t be an exaggeration to say that the most significant danger lies inside your organization – the unintentional insider threat. To defend against it, familiarize yourself with the most common ways well-meaning employees sometimes cause expensive data breaches and mitigate the risks accordingly.