Cybercrime is a problem that affects everyone. It doesn’t matter how big or small the company may be, it is at risk of breach, fraud, hack, and theft. The statistics around the costs of cybercrime are plentiful, as are those that highlight the percentage growth of the market and the impact on company reputation and future. However, what few organisations realise is that it’s the employees who present the biggest risk. In fact, research undertaken by Willis Towers Watson in the UK found that employee negligence or malfeasance was responsible for 66% of cyber breaches and that 90% of the cyberattack insurance claims that the company processed were down to human error.
“People have become the weakest link in the cybersecurity chain,” says Karien Bornheim, Chief Executive Officer at Footprint Africa Business Solutions (FABS). “Organisations tend to focus on the technological aspects of the security paradigm and often miss the risk that people present inadvertently. It’s the employees bringing in unprotected devices, downloading unauthorised applications, clicking on that ransomware link or falling for phishing scams that introduce the cybercriminal to the organisation. Sometimes the employees are the threat themselves, deliberately using cybercrime tools to gain illicit access to company data.”
Fortunately, organisations can mitigate the security threat posed by the employee through regular user awarenss training and robust policies. These not only ensure that employees are aware of the threat, but that they understand why certain rules are in place and how their behaviour can impact the organisation. Often, when individuals know why the rules are in place, they are more likely to adhere to them.
“There are numerous company policies, industry regulations, governance requirements and legislative concerns that have to be shared with all employees,” says Bornheim. “These need to be embedded into regular employee awareness training sessions that also explain why these regulations are important and what happens if they are ignored. The full weight of how the company will be affected, how their jobs can be affected, and the damage it can do, must be conveyed to employees. An automated process with management reports becomes critical to ensure that this training is a regular and sutainable event. ”
To that end, there are essential security skills that every employee of every organisation should have, and here are the four most critical.
01: Protection of personal property It’s easy for someone to leave their mobile phone on the table, have their laptop stolen, or forget to put things in a safe place. It’s equally easy for those items to fall into the hands of cybercriminals intent on gaining access to not only the data on the devices but also other information that could potentially allow them back door access into the company. The business must repeat and reiterate the importance of protecting property and, of course, ensure that employees use robust passwords and other multi factor authentication just in case that property is lost or stolen.
02: The basic security skillset It may seem surprising that there are still people who write their passwords into a booklet they carry around with them. Or that individuals still use passwords such as 1234 or the name of their dog or child’s birthday. Or the password is attached to the computer with a sticky note. Unfortunately, these practices are more common than most companies realise. A survey by the UK National Cyber Security Centre (NCSC) found that the most used password was ‘123456’ - a password in use by around 23.2 million accounts. This is also the password that the NCSC found was the most hacked in 2018. This was closely followed by QWERTY, password, 111111, and 12345678.
“Employees must understand why complex passwords with multi factor authentication are critical to ensure business security,” says Bornheim. “There should be a comprehensive audit of employee passwords and clear guidelines on how to create and store them.”
03: Security savvy insights Another part of the basic security skillset is the ability to tell the difference between a secure website, a fake website, phishing emails, ransomware and spam. Employees are often bamboozled by emails from ‘friends’ telling them to click on a link, no matter how badly written the email or how strange the context. There has also been a surge in ‘sexploitation’ emails that use information stolen from the individual from a breach or leaked data on the dark web and that threaten to ‘expose’ people if they don’t pay the blackmail sum. These emails often suggest that they’ve filmed people or tracked their online habits and promise to send the videos to their entire contact list. They are invariably fake and if they are clicked on, they allow the hackers access.
It is essential that organisations present employees with clearly defined guidelines around spam emails, teaching them how to recognise spam and emphasising the importance of never clicking on a link or attachment without checking first. It takes only a few seconds to ensure that the strange link from a friend is real, but it can take months to repair the damage if it isn’t.
04: Focus on the data Over and above making sure that employees secure devices and systems and have a solid understanding of the risks and how they present themselves, is the need to create clear protocols around the sharing and storing of sensitive information. The first line of defence is to ensure nobody introduces apps or programmes that are not approved by the company, the second is to ensure that companies use multi factor authentication with passwords that are complex and difficult to crack, the third is to give employees cybersecurity training so they are informed and understand the risks and the fourth is to show them exactly what happens if data is leaked or lost.
“There have to be repercussions for employees that know the rules and yet blatantly disregard them,” says Bornheim. “This can be minimised by creating a culture within the business that values security and doesn’t see it as a nuisance or an irritating box to tick. When people recognise the important role they play in maintaining security, they are more likely to listen to the rules.”
It’s worth providing all the suppliers, vendors, consultants, or any other external people with a clear mandate around accessing the company’s systems and maintaining security protocols. In 2013, US company Target experienced a significant data breach because its credentials were stolen from a third-party vendor. Cybercriminals will always aim for the weakest link to gain access to the company so make sure that your employees are not the ones that widen the gap and let them in.