Why employees continue to be the Achilles' heel of security
Data breaches have become an ever-present threat, with the human element often being the weakest link in the security chain. The annual Apricorn survey of IT and security decision-makers revealed that 55% of organisations believe their employees have knowingly put corporate data at risk of a breach. To add to that, the top causes of data breaches over the past 12 months were phishing attacks (31%), unintentional insider data loss (30%), and ransomware (29%). These statistics underscore a troubling reality: employee actions are frequently at the heart of security incidents, and this has significantly eroded trust in the workforce.
The Human Factor
Phishing attacks, unintentional data loss, and ransomware are prominent examples of how employee actions can compromise security. Phishing typically involves deceiving employees into revealing sensitive information; it exploits human weaknesses rather than technological ones, which highlights the critical need for ongoing education and awareness.
Unintentional insider data loss often results from simple mistakes such as sending an email to the wrong recipient or mishandling confidential documents or devices. These errors, while not malicious, can have severe consequences for an organisation’s security posture.
Ransomware is yet another example where employee actions are pivotal. An employee inadvertently downloading malicious software can result in data exfiltration, significant disruption and financial loss.
Employee Trust
Given these statistics, it is unsurprising that trust in employees is waning. The survey indicates that 63% of decision-makers expect their remote workforce to cause a breach in the future. This scepticism is likely fuelled by the increasing prevalence of remote working arrangements, which have expanded the attack surface for cybercriminals.
The rise of remote and hybrid working models has introduced new challenges. The Office for National Statistics reports that 51% of the UK workforce works from home at least part-time as of June 2024. While this shift has brought flexibility and convenience, it has also made it harder for organisations to monitor and enforce security policies.
Incident Reporting
Despite the challenges, there are positive developments in incident reporting. The survey found that only 14% of breaches were reported to the Information Commissioner's Office (ICO) by someone outside the company, a significant decrease from 32% during the previous year. This suggests that organisations are becoming more vigilant and proactive in managing breaches internally. Additionally, self-reporting has increased to 53%, up from 40%, indicating a growing recognition of the importance of transparency and accountability.
Policy and Education
Businesses are recognising the need to change their approach to data security and strengthen their defence and response strategies. However, the persistence of employee error as the primary cause of breaches indicates that more work is needed. Addressing the insider threat requires a multifaceted approach that combines technology, policy, and education.
Corporate processes and policies aren't always easy to implement and follow, and it's impossible to secure against every line of attack. Policies can be ignored and advice disregarded, but with the right technology and education in place, businesses can persuade their employees of the value of both, reduce the potential impact of an incident and minimise the risk.
Such an approach is vital given that almost one-third (34%) of organisations admitted that they have no way of enforcing the security strategy or policy that covers employees' use of their own IT equipment for remote or mobile working. It is clear that organisations have a long way to go, and that IT departments must also tailor security policies to the type of device and the information it holds, so that they do not needlessly constrain personal productivity.
Organisations must invest in comprehensive security awareness training. This training should be specifically tailored to address the challenges of remote work, providing employees with the knowledge and tools they need to navigate the digital landscape securely. Regular training sessions can reinforce the importance of following security protocols and help employees recognise and respond to potential threats.
In addition to training, organisations should consider implementing technical controls that minimise the risk of human error; these controls should be consistent across all devices, including USB storage, smartphones, and laptops. Organisations need to research, identify and mandate a corporate-standard encrypted mobile storage device for use outside the corporate network. Use of that device should then be enforced across the organisation through policy – for example by locking down USB ports so they accept only approved devices.
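As an added illustration of the "approved devices only" control described above (this is example code written for this article, not Apricorn's code or any tool the article mentions), the following Python script audits kernel log lines for USB attachments against a corporate allowlist and emits a USBGuard-style rule file that allows registered devices and blocks everything else. All vendor/product IDs, serial numbers and log lines are constructed for the example; the log line format mirrors what the Linux kernel prints when a device attaches, and the rule syntax (`allow id VID:PID serial "..."` followed by a trailing `block`) is USBGuard's as I understand it and should be checked against the documentation for the version you deploy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Kernel log lines written when a USB device attaches (dmesg / journal style).
# Constructed sample for this example; the IDs and serials are not real products.
SAMPLE_KERNEL_LOG = """\
[  120.511] usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[  120.512] usb 1-1: Product: Corporate Encrypted Drive
[  120.513] usb 1-1: SerialNumber: CORP-0001
[  305.101] usb 1-2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
[  305.102] usb 1-2: Product: Personal Thumb Drive
[  305.103] usb 1-2: SerialNumber: PERSONAL-77
[  410.777] usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[  410.778] usb 1-1: SerialNumber: CORP-9999
[  512.004] usb 2-1.3: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[  512.005] usb 2-1.3: Product: Corporate Encrypted Drive
"""

NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")


@dataclass
class UsbDevice:
    port: str
    vendor_id: str
    product_id: str
    serial: Optional[str] = None

    @property
    def model(self) -> str:
        return f"{self.vendor_id}:{self.product_id}"


def parse_kernel_log(text: str) -> List[UsbDevice]:
    """Collect one UsbDevice per 'New USB device found' line, attaching the
    SerialNumber line that follows for the same port (if the device reports one)."""
    devices: List[UsbDevice] = []
    latest_on_port: Dict[str, UsbDevice] = {}
    for line in text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"], m["pid"])
            devices.append(dev)
            latest_on_port[m["port"]] = dev
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in latest_on_port:
            latest_on_port[m["port"]].serial = m["serial"]
    return devices


@dataclass
class AllowList:
    """The corporate-standard model(s) plus the serial numbers actually issued."""
    approved_models: Set[str]
    registered_serials: Dict[str, Set[str]]

    def decide(self, dev: UsbDevice) -> Tuple[str, str]:
        # Model alone is not enough: an unregistered unit of the approved model is
        # still a personal device and is blocked, as is one that reports no serial.
        if dev.model not in self.approved_models:
            return "block", "model is not the corporate-standard device"
        if dev.serial is None:
            return "block", "approved model but no serial number reported"
        if dev.serial not in self.registered_serials.get(dev.model, set()):
            return "block", "approved model but serial is not registered"
        return "allow", "registered corporate device"

    def usbguard_rules(self) -> str:
        """Emit a USBGuard-style rule set: explicit allows, then block everything else."""
        lines = ["# Registered corporate devices only; everything else is blocked."]
        for model in sorted(self.approved_models):
            for serial in sorted(self.registered_serials.get(model, set())):
                lines.append(f'allow id {model} serial "{serial}"')
        lines.append("block")
        return "\n".join(lines) + "\n"


# Constructed allowlist: one approved model, two issued serials.
CORPORATE_ALLOWLIST = AllowList(
    approved_models={"1234:5678"},
    registered_serials={"1234:5678": {"CORP-0001", "CORP-0002"}},
)


def audit(log_text: str, allowlist: AllowList) -> List[dict]:
    """Return one decision record per attached device, in log order."""
    records = []
    for dev in parse_kernel_log(log_text):
        decision, reason = allowlist.decide(dev)
        records.append({"port": dev.port, "model": dev.model, "serial": dev.serial,
                        "decision": decision, "reason": reason})
    return records


if __name__ == "__main__":
    for rec in audit(SAMPLE_KERNEL_LOG, CORPORATE_ALLOWLIST):
        print(f"{rec['decision']:5} {rec['port']:6} {rec['model']} "
              f"serial={rec['serial']} ({rec['reason']})")
    print(CORPORATE_ALLOWLIST.usbguard_rules())
```

Of the four attachments in the sample, only the first is a registered corporate unit; the personal drive, the unregistered unit of the approved model and the unit that reports no serial are all blocked. The same audit, run over real logs, is a cheap way to check whether a port-lockdown policy is actually being enforced rather than merely written. On Windows, the equivalent allow-by-device-ID control is exposed through the Device Installation Restrictions settings in Group Policy.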
Cultivating a Culture of Security
Creating a culture of security is essential for addressing the insider threat. This involves fostering a sense of personal responsibility among employees and encouraging them to take an active role in protecting the organisation’s data. By promoting a security-first mindset and ensuring that employees feel supported and equipped to comply with security measures, organisations can build a more resilient security posture.
The key is to strike a balance between trust and vigilance. Employees should be both empowered and aware that they are accountable for protecting sensitive information, giving organisations a stronger chance of avoiding putting data at risk of a breach.