How to stop your employees costing your company millions

Nicole Pauls, Director of Product Management, Security, SolarWinds

The biggest cyber-security threat to your business is the people within it. That’s right – the same employees whom you rely on for productivity and profits are also a major weakness when it comes to protecting your operations and information.

So-called “human error” is the basis for a whole school of cybercrime tactics like phishing, spoofing, and more. In fact, Australia’s share of global phishing attacks almost doubled in the past year, meaning almost one in four phishing attacks is now targeted at an Australian individual. These social engineering threats don’t rely on clever coding or sophisticated hacking methods – they find it far easier to prey on our common psychological behaviours instead. And even without a malicious actor involved, a careless employee or an overcomplicated procedure (the two often go hand in hand) can result in sensitive information leaking into the public domain.

We must ensure information security takes into account, or even prioritises, the human factor. A number of our customers have been able to avert potentially disastrous breaches by incorporating employees, contractors, and other “wetware” as variables when assessing threats and readiness levels. However, IT pros typically don’t have a whole lot of experience in behavioural psychology (apart from perhaps outmanoeuvring zombies in Doom or Left 4 Dead). When it comes to human security – and avoiding million-dollar breaches that no amount of tech can prevent – we need to go outside the profession while rethinking how we use our current tools.

Let our powers combine

The term “human error” implies a lack of malicious intent. In the vast majority of cases, that’s true. According to IBM’s latest global cybersecurity index, over 95 percent of infosec incidents involve human error as a contributing factor. Even when it comes to social engineering tactics like phishing, the problems arise only when your employees are duped into clicking on a link or downloading an attachment. Your people may be clueless like Dogbert predicted, but they’re not out to get your business – and therein lies a major clue for how to address the threats they pose.

First and foremost is education. Employees need to know what they’re doing (or thinking) incorrectly, and how they can address this on an everyday level. As smart HR managers will advise, practical demonstrations work better than boring training sessions. One common trick that we see is presenting employees with a series of emails and asking them to figure out which messages are legit; this can go a long way to reducing people’s default overconfidence in their powers of perception. Incentives to do good are also typically more effective than punitive measures. Google’s famous “bug bounties” are a great example of how rewarding (in this case financially) infosec best-practice – and avoiding overconfidence in one’s defences – leads directly to more secure user experiences for everyone.

Apart from HR, IT can also partner with the parts of the business most affected by breaches – a Finance person detailing the costs of the last breach will hit home far more than a simple “don’t plug in USB sticks with pirated software”. IT policies can also support behavioural change through basic restrictions and encouragements (like rules for password complexity, or restrictions on leaky apps and websites). Your employees are far more likely to support these minor inconveniences once they understand the reasons behind them.

Second, IT and HR managers should start talking to executives about day-to-day processes in the business. Over-complex or convoluted routines are less likely to be adhered to, and the same goes for policies that cause friction with staff. For example, if a lot of your employees are using a public-cloud file storage tool like Dropbox (creating a “shadow IT” scenario), you might be better off adopting the platform as an official (and therefore centrally-managed) tool instead of trying to ban access. The IT manager’s goal is to retain as much visibility over the network as possible and to be able to step in when something goes wrong. Often, executives will support these sorts of recommendations – particularly when you illustrate the potential costs of simply letting the status quo shamble along.

Keep an eye on things

The third, and perhaps most useful, thing IT pros can do is boost their monitoring capabilities. An organisation-wide network monitoring platform allows you to mitigate the human factor by picking up signs of abnormal behaviour (such as opening ports or downloading from suspicious-looking sites). It also gives you a clearer picture of how your people are using apps and the network. That intelligence can then be used to inform how you educate individuals and shake up processes like we talked about earlier. Your HR colleagues will thank you for it.

Monitoring can also be combined with automated responses that take the human out of the “human factor”. A number of email management platforms, for example, scan mail not only for viruses but for phishing and malware patterns, removing the triggers for social engineering threats before they get anywhere near employees. Mobile device management software can not only wipe employees’ phones if they report them stolen, but also keep sensitive data in secure containers that have their own highly robust set of defences against breach.

Education and training may be the main defence against human error, but the skilful use of new and existing IT tools can help support employees as they take up arms against cyber-threats and our own natural tendency for complacency. Just like in any videogame, defeating social engineers, careless employees and other infosec enemies requires you to understand their behaviours first. It may not be as satisfying as fighting zombies, and it may take a lot longer, but the payoff is definitely worth it.
