Company employees as well as people who work for the company’s contractors and third-party suppliers often bear responsibility for cyberthefts, whether they’ve acted maliciously or inadvertently.
* By Mary Lou Jay *
When you hear that companies have suffered a cyber-related data or monetary loss, your immediate reaction may be to assume that the culprits were automated bots fielded by foreign hackers or software security systems that failed to perform effectively. While those are frequently factors in such breaches, they’re only part of the picture.
Many cyber breaches include an employee element: Joe Smith who clicks on a phishing email, Sarah Jones who accesses her work email on an insecure Wi-Fi at the local coffee shop or Amanda Garcia who has never changed the default password for the payroll system. Company employees as well as people who work for the company’s contractors and third-party suppliers often bear responsibility for cyberthefts, whether they’ve acted maliciously or inadvertently.
The size of the problem can be difficult to determine. A June 2017 report from IBM Security and the Ponemon Institute found that 24 percent of data breaches were caused by negligent employees; a recent Verizon data breach investigation report attributes 28 percent of cybersecurity incidents to insiders. But IBM X-Force 2018 report said that inadvertent insiders were responsible for more than two-thirds of the total records compromised.
Cybersecurity expert John Sileo, who will be speaking at the 2018 MHI Executive Summit in October, agrees with the larger number. “Human decisions and errors, whether intentional or accidental, make up more than 70 percent of the data loss that we see,” he said. “It might be as simple as clicking on a phishing link, responding to a whaling scheme or forgetting to do your job.”
Cyber criminals are relentless in their attacks. In the first quarter of 2018, McAfee reported that there was an average of five new cyberthreats every second. An onslaught like that can be difficult for humans to resist.
“The sheer volume of automated cyberthreats that exist in the market place mean that people with low levels of cyber awareness are going to click on links that are getting increasingly sophisticated in masquerading as legitimate email communications and legitimate transactions,” said Dante Disparte, founder and CEO of Risk Cooperative. “The internet is to cyberthreats what a petri dish is to bacteria; it’s a breeding ground for these things, and much of it is very deliberate and heavily automated. I think people’s general good intentions are being exploited.”
While employees can be a big part of the problem, they’re also key to dealing with cyberthreats.
“Many companies see human beings as the weakest link in cybersecurity. I see them—us—as the most necessary and strongest line of defense,” said Sileo.