How Your Employees are Your Biggest Cyber Security Risk

It doesn’t matter how much you spend on firewalls, anti-virus software or other proven IT security technologies if it can all be compromised by a single employee’s mistake or malice.

Indeed, that’s exactly what happened when the names, addresses, emails (and even Social Security Number-equivalents) of more than 100 Equifax employees were protected by nothing more than a weak username and password: “admin” (CNBC).

Firstly, small and medium-sized businesses (SMB) aren’t immune to cyber attacks; on the contrary, TechRepublic states, “negligent employees are the no. 1 cause of data breaches at small and medium-sized businesses across North America and the UK.”  

Secondly, cyber attacks are incredibly costly for SMBs. According to a 2018 study by Cisco, 54% of the SMBs surveyed said that cyber attacks had cost each of them, on average, over $500,000 in “lost revenue, customers, opportunities, and out-of-pocket costs.”

Costs of this magnitude are catastrophic for most SMBs, yet it can only take one employee’s mistake or oversight to trigger those losses and cause lasting damage to your business.

System downtime following a severe breach

Source: Cisco

Cyber Security Breaches Caused by Employees

Employees manifest in two forms of cyber risks:

1. Human Error

Whether it is a lack of seriousness, training or both, poor employee decisions — such as using weak passwords, sharing passwords with friends and family, not taking care of their devices or others — are critical cyber security risks.

2. Insider Attacks

SMBs also face the risk of malicious insiders who are actively seeking and exploiting gaps in IT as a means to steal money and information and/or cause damage.

While the outcome in the very end is similar (such as a data breach), they occur as a result of different causes, each requiring its own cyber security solutions.

Learn More:

• How Your Employees are Your Biggest Cyber Security Risk
• What is Cyber Security Training and How Does It Improve IT Security?

Human Error Data Breach

Regarding the human error, the problem squarely rests on the training, awareness and sensibilities of your employees.

For example, your employees are a major risk-factor when they are unable to spot a potential phishing attack, such as mistaking a false login portal to their bank and logging into it.

Similarly, they might fall for a spear phishing attack by sending over private information to the attacker (who’s masquerading as a supplier, client or manager).

Without training on how to recognize a false email address — coupled with policies prohibiting staff from downloading email attachments — your employees could trigger ransomware attacks on your business and, as a result, lock you out of your computers and freeze your operations.

Training is the primary method of dealing with these vulnerabilities. In fact, with training and education, you can improve your cyber security stature relatively quickly and affordably.

Insider Threats in Cyber Security

Where human error could be remedied with training and education, insider threats are a result of malice combined with weaknesses in your IT policies and access controls.

Insider threats often exploit situations where data and applications are accessible to too many company staff members. This is where there aren’t any access controls to restrict certain apps and/or data to only a few vetted employees.

They can also succeed in environments that allow direct logins without multifactor authentication (MFA) or where staff can email or save files to USBs without data loss protection (DLP).