It wasn't that long ago that businesses' largest concern was having a decent lock on their doors to secure the premises. It's obvious that we've come a long way and so have bad actors. Fast forward a bit and many businesses invested in email security filters, firewalls, and anti-virus software. Yet, data shows that business security is never a one-and-done effort. There is not one fool-proof method, and the rise in breaches continues to highlight the real risk: the insider threat.
I recently attended a local cybersecurity networking group and a debate broke out over what the definition of an "insider threat" really is. A couple of business leaders became agitated at the term. They argued that referring to their employees as "insider threats" would only bring down morale and increase turnover. The truth is, your employees are most definitely your insider threats. It doesn't mean that they are ill-intended or malicious. In fact, studies show that most insider attacks are a result of well-intended employees who made poor security decisions followed by catastrophic consequences for the company. MOST data breaches are caused by insider threats.
What is an Insider Threat?
Yes, it's true that insider threats can be malicious external actors that want to get inside your network and do harm. However, the term can also refer to contractors, business associates, and employees who may release information unknowingly. Anyone who has access to inside information about your company is an insider threat. Think about all of the information that could be used against you. Some of your valuable information includes your company's security practices, your organization's data, and personal information about anyone in your corporate network.
This is why business security cannot be left to security software and the IT team. Your entire enterprise, vendors, and business associates are responsible for your security. The friendly receptionist, the employees outside on a smoke break, the copier repairman, the sales manager who posts on social media every time he leaves the house: these are the people who may not realize what information they are leaking, even when the leak is unintentional.
Moreover, pieces of seemingly harmless information can be compiled to give an attacker just enough detail to craft a realistic phishing email. For example, imagine this scenario. You are having a conversation about how you've been helping your daughter apply for numerous scholarships over the past few months with the hopes that she could land something to help with college expenses. A nearby stranger hears this conversation and instantly knows how to craft the perfect phishing email to target you. The attacker already has your email address because it was exposed in a previous breach and the attacker has purchased rights to the breached list on the black market. You receive an email that says that you have won a scholarship for $1,000.00. This email seems legitimate; after all, you do not remember every website you've visited during this process. You are provided with a link to claim your winnings. You are now asked to provide some more personal information to collect the award. You think, FINALLY, all this work has paid off! YOU HAVE BEEN PHISHED.
Where You May Have Dropped the Ball
- You are not testing your employees' security by phishing them.
- Not every employee is engaged in mandatory security awareness education.
- You are not being proactive by using social engineering exercises.
- You have not reviewed your policies to ensure they encompass cybersecurity, including clear expectations for every employee.
- You don't have a system in place for practicing least privilege access. Audit your controls.
By now, hopefully, you realize that there is no silver bullet when it comes to business security. Your company needs to address all aspects and have a well-rounded and complex solution for securing your assets. Your employees can be either your weakest link or your strongest shield of defense depending on their cybersecurity knowledge and behaviors. They must also recognize that securing your company is EVERYONE'S responsibility, not the job of a select few.
To learn how TechGuard can help you secure your organization and get employees in a security-first mindset, contact us today.