Employees: Part of the Attack Surface

Employees pose a huge risk to an organization. For years, the Verizon Data Breach Investigations Report (DBIR) has listed employees or insiders as a top threat.

It appears that leadership is finally starting to pay attention to this threat. According to a new study from security compliance firm Egress, 61% of CIOs believe that employees are maliciously putting the organization at risk. Employees, on the other hand, don’t necessarily agree with their CIOs: the same study reports that more than 90% said they didn’t break any data-sharing policies, either accidentally or intentionally, in the past 12 months. The study also showed a real disconnect between leadership and employees over who has ownership of the data—29% of employees think that if they work on the data, they own it.

Perhaps it is, in part, this conflict of data ownership that leads to insider threats. One thing is certain, however: Employees make up your organization’s biggest attack vector, and security leadership is struggling to address the problem.

Employee Attack Likelihood

Giora Omer, head of security architecture at Panorays, looked at the employee attack likelihood and how human behaviors can lead to a cyber incident.

“Each employee in a company can be a target for a cyberattack,” explained Omer. “The likelihood an employee will be targeted can change based on different factors, such as the role of the employee, their digital footprint, security awareness, etc. It is important for a company to know which employees are more likely to be targeted so they can employ precise measures to mitigate their risk.”

Bad Behavior

We know cybercriminals use social engineering tactics to manipulate people into taking harmful actions. Employees will open an attachment on a phishing email not because they don’t know better but because they are distracted by other things and aren’t paying close enough attention. As humans, we can also be too trusting, and we don’t do the due diligence to make sure that whatever we’re clicking on is legitimate.

We’re also very lazy when it comes to basic cybersecurity practices. After a major data breach or other cyber incident, we express outrage at a company’s lax cybersecurity, and then we do absolutely nothing to protect ourselves, such as changing passwords or turning on multi-factor authentication. If we’re that bad in our personal online behaviors, we aren’t going to ramp up our security best practices for work. And the bad guys know that. It’s why they target humans.

“We are so overwhelmed with what we have to do, we don’t protect what is most important. Hackers are going after the part of our brain that is on auto-response. The first defense is to be skeptical,” said cybersecurity speaker John Sileo in an article in the Colorado Springs Gazette.

However, despite knowing their employees are a risk, organizations do little to factor the human element into their security programs.

“Even though human-based attacks like social engineering and phishing are well-known, security rating services overlook the human element when building the cyber posture rating,” said Omer. So, a company may look good on paper because it has all the right technologies in place to anticipate and mitigate cyberattacks, but that means nothing if it isn’t addressing human behavior.

Humans as Attack Surface

Another overlooked risk of employees is how they expand the attack surface. There’s lots of talk about how digital transformation and the rise of mobile and IoT have added thousands of endpoints to companies. That has expanded the attack surface, giving hackers more space to work with and greater opportunities to get into the organization.

But we need to consider that the attack surface goes beyond digital assets, said Omer. The attack surface also needs to include human assets—employees, their social profiles and their online behaviors. They are a gateway to the network and the data. And even though leadership knows there is employee risk, it may not be truly aware of the threat employees pose.

What can organizations do to be more aware of employee risk?

“The first thing organizations should do is map their cyber posture, and this means employee risk as well,” said Omer. “The organization needs to be aware of where it stands compared to its industry, and what are the major cyber gaps concerning their employees. After that, they can create an operative mitigation plan with actions such as multi-factor authentication and audit controls.”

But if you also want to decrease employee risk, you need to focus on behavior. If your employees think they own the data they work with, then they need to treat that data as they would their own. As Sileo said, “We will change our behavior when we begin to understand the threat and take it personally. It is our responsibility in business to proactively protect what we value most and protect it as your own. Otherwise, we will continue to be hacked and threatened.”


Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.
