Data breaches, malware, and phishing attack stories show up in the news on a daily basis. Cybersecurity events have become so commonplace that most people don’t even blink when they hear another story about compromised credit cards or exposed medical records.
The frequency of these stories has numbed us to the cyber threats we face. But the biggest threat we face may not be what you think: The threat may be you.
There’s a misconception that the majority of cybersecurity events are caused by hackers. Hollywood has painted a picture of people in dark rooms – illuminated by a monitor’s glow – attacking corporations in an attempt to get their data. But that scenario isn’t the overwhelming risk that corporate America faces today. Instead, insider threats are more immediate.
An insider threat is a person who poses a risk to an organization, either because he or she has malicious intent, such as stealing corporate data to sell, or because his or her misguided actions or mistakes put the organization at risk.
Don’t think insider threats are that serious? Let’s look at some data:
- In 2016, according to IBM, 55% of cyberattacks were due to insider threats.
- The Ponemon Institute estimates that insider threats cost companies $144,542 per incident.
- 62% of employees admit that they have access to data they probably should not have.
- One of the largest data breaches in U.S. history took place because employees fell victim to phishing scams.
So, what can be done to prevent insider threats?
Not every organization has the financial backing or manpower to institute a full-blown insider threat program, but organizations large and small can do the following things to address insider threat risk.
Does your organization have policies in place for handling data? How about policies on what staff can or can’t do on the internet or with corporate devices? Have you documented what a person should do if they accidentally fall victim to a phishing attack?
Chances are good that you document office hours, dress code, and hire/fire procedures – so why not procedures for cyber behavior?
It’s imperative that you identify the cyber risks and weaknesses in your organization and create policies to manage them. Without clear, documented policies, processes, and procedures, your staff won’t know how to consistently respond.
Education and Training
You have policies? Great! Does anyone in your organization know they exist? Has your team been trained on the policies? Having policies in place to “address a risk” is great – but, if your staff is unaware that these policies exist, why bother in the first place?
Establishing annual, mandatory cybersecurity training reinforces the need for secure behavior and informs employees of policy changes. Additionally, new employees or contractors should receive the training as part of onboarding.
While training may happen once a year, cybersecurity is a full-time priority. Create an awareness program that highlights the key cybersecurity points you want to communicate, and distribute it quarterly. Additionally, you may want to create a cybersecurity newsletter highlighting recent events – either internal or external – and connect them with your quarterly awareness program.
There is no magic bullet for protecting yourself; however, a little effort in educating your workforce can make a significant impact. While we can throw money at hardware solutions to protect our networks, the actions of one person within your organization are all it takes to cause a data breach. If your workforce is uninformed and uneducated when it comes to cybersecurity, it’s just a matter of time until your “insider threat” is revealed.
Want to learn more about cybersecurity? Contact Indarra, an NSCA Business Accelerator. We can help you secure your workforce to protect against data breaches. –Van Santos, Indarra Cyber Security