Ask the average person on the street what the biggest threat is to enterprise security, and they’ll develop a long list of foreign hackers, corporate espionage, and all types of James Bond-type scenarios. Ask a security professional the same question and you’ll get a much simpler answer: People. Namely, employees. That’s right, the “human factor” trumps all other security risks that enterprises face. Many of the security breaches we read about in the headlines have some sort of human element involved, whether that be falling for a simple social engineering ploy and unknowingly granting access to a hacker or something more devious devised by a disgruntled employee.
According to the Identity Theft Resource Center, in 2016 U.S. companies and government agencies suffered more than 1,000 breaches, a 40 percent increase from 2015 and an all-time record high. In 2016, hacking incidents also reached an all-time high—nearly 55.5 percent of all breaches—an increase of 17.7 percent over 2015. Breaches involving email exposure of information followed at 9.2 percent, and the employee error/negligence category at 8.7 percent. While certain types of data breaches are in general decline as a proportion of the total, data loss from hacking and phishing is growing rapidly.
According to a recent Data Breach Digest report from Verizon, social engineering attacks are so successful because threat actors know that humans are the weakest link in any information security strategy. They prey on people’s natural curiosity, fears, pride and other factors of the human psyche to gain access to sensitive data. This usually involves something as simple as clicking a link or opening an attachment within an email that appears to come from a trusted source. The Verizon report shows how simple this can be:
- An employee getting a congratulatory email purportedly from the company’s CIO for a job well done: “Click here for your achievement award.” Result: Attempted wire transfers totaling more than $5 million.
- A chief engineer looking for a job on company time gets an email from a recruiter with promising job opportunities: “Current openings are in the attached file.” Result: Stolen plans used by a competitor to enter the market more quickly.
Think your employees are too smart for this? Think again. Employees aren’t dumb—they’ve been warned about the dangers of clicking links and opening attachments for years. Many laugh over the water cooler about the emails from banks in foreign countries declaring they’ve inherited $20 million from a deceased relative, or the bogus emails from PayPal or Apple that just want to “confirm” their account. But hackers have become increasingly astute at understanding what motivates humans to take an action and are creating clever ways to take advantage of that. The targets of these attacks can be general, such as gaining access to all of a healthcare company’s records, or they can be specific, such as gaining access to plans for a company’s new product, as described above.
Unfortunately, even though employees are aware that these schemes exist, it’s not changing their behavior—or the behavior of enterprises as a whole to provide better training. According to a recent report from Osterman Research, “employees need to be constantly sensitized and trained through security awareness programs in order to be extra vigilant regarding their actions.” The report cites alarming statistics from a recent survey of respondents who are involved in managing security capabilities for their midsize or large organizations. In that survey, only 31 percent of respondents considered “measuring the security readiness of our employees” a method used significantly or extensively to measure the effectiveness of their information security spend. This is compared with 49 percent who put a high priority on measuring for compliance with regulatory obligations.
The study also showed a significant gap in the importance placed on preventing data breaches between senior-level employees, middle management and “average” workers. While 77 percent of respondents felt their organization was very well or reasonably well prepared to deal with the consequences of a significant data breach, the priority given to preventing data breaches varied significantly according to role within an organization. For example, 71 percent of senior IT management placed a high priority on preventing a breach, while only 21 percent of “average” employees did. Line of business middle management (43 percent) and C-level line of business management (55 percent) were also alarmingly low in terms of placing a high priority on preventing data breaches.
The bottom line: Enterprise security may be a high priority for senior level management, but that urgency is not trickling down to the employees who are putting the enterprise’s sensitive data—whatever form it takes—at risk. When security is a simple checkbox, the blame falls on the enterprise when human mistakes are made. Removing those mistakes from the equation as much as possible, by using technology that prevents employees from making simple “human” errors, is critical to the security of the enterprise going forward.
If you would like to find out how to ensure your sensitive information is protected from the “people” factor, the content listed below may be of interest:
By Greg Aligiannis, Senior Director Security, Echoworx