Your greatest cybersecurity threats come from within

Large-scale, sophisticated cyberattacks are constantly making the headlines – the latest of which were two powerful DDoS attacks levelled at the British Labour Party’s IT systems. The prominence of such attacks leads many businesses to invest heavily in robust cybersecurity protections to ward off cyberattacks – as they should. But there is another source of risk that organisations could be overlooking.

According to data secured by risk solutions provider Kroll, only 12% of data breaches in the UK come from malicious external attacks, while 88% are the result of human error from staff.

This includes mistakes such as sending data to the wrong recipient, losing paperwork, failing to redact sensitive information, and storing it in an unsecured location.

Any of these mistakes could leave data and systems vulnerable to exploitation by cybercriminals, no matter how good cybersecurity provision is. On top of this, they could also expose an organisation to hefty fines for violating regulations like GDPR – like BA, which has been forced to pay £182m this year following a data breach in which hackers stole customers’ financial details.

Humans themselves represent a goldmine for scammers and hackers. Verizon found that internal errors played a part in 21% of successful cyber-attacks. Meanwhile, Kaspersky Labs has reported that around 90% of corporate cybersecurity incidents involve social engineering attacks – which manipulate individuals in the business to (most often unknowingly) divulge sensitive information or otherwise break security protocols.

There is also the issue of malicious actions from insiders. Verizon notes that 34% of data breaches involved “internal actors”, and 15% involved misuse by authorised users.

From corporate espionage to simple employee complacency or gullibility, it is therefore clear that a business’ biggest threats stem from staff behaviour. So, while big cybersecurity measures such as firewalls and threat detection are important, it’s also crucial to work on the human side of cybersecurity in the business.

This is something that IT departments have been worried about for a while. A survey from Egress found that 95% of IT leaders see insider threats as a concern for their organisation, and 60% expect to suffer an accidental breach within the next year. According to the same report, IT staff and other employees cite the top reasons for these insider data breaches as:

• Employees rushing and making mistakes;
• Low awareness of the importance of correct security practices;
• A lack of training or sufficient tools.

So how can organisations adapt? Alongside correctly configuring systems to defend against these internal threats, it’s vital to have clear, strict security practices in place for everyone in the business, and train staff to be conscious of these. Cultural change is needed, and senior staff have a key role to play in this as the main trend-setters within the organisation.

Managers and executives must lead by example, making it clear that security is a high-priority issue which cannot fall by the wayside, especially during busy periods. They should also allocate time for training and awareness sessions, so staff have the skills, tools and understanding to keep business’ data safe.

Knowing that a cyberattack or breach is more likely to originate from within an organisation should prompt senior executives and their staff to think deeply about how they are engaging with data and systems.

No matter how sophisticated or expensive an organisation’s technical security services are, carelessness and misuse can render these measures useless. Cybersecurity is a continuous process, not a one-time fix, so it is vital to create comprehensive and lasting cultural change.

You can learn more about how to drive this change, and how to spot the weak points in your organisation’s cybersecurity chain, in our whitepaper: ‘Are you the weakest link?’