Why employees are a threat to cyber security

According to the Cyber Security Breaches Survey, 80% of companies reported phishing attacks, while 28% noted incidents involving impersonating an organisation in email or online and 27% reported viruses, spyware or malware, including ransomware attacks, in the last 12 months.

Many companies fail to consider that their personnel are just as important as the software they use when it comes to protecting themselves against cyber threats. There is an assumption that employees, particularly new starters, have a basic knowledge of IT and IT security, but these skills are not being checked within the first month of employment.

A survey conducted by Evaris found that 65% of UK professionals did not receive mandatory IT training in their first month of employment in their current or most recent role. Of these individuals, 74% had never received any IT training at all in their current or more recent role, despite 86% of all respondents saying that they worked on a computer every day.

In addition, there is a consensus that employers do not value the ongoing development of employees’ IT skills, as 45% of respondents said that they felt their employer didn’t take this issue seriously. Only 11% said they felt that their managers take the matter of their wider IT knowledge “very seriously”.

How are employees targeted by hackers?

There are a number of low-tech methods that are adopted by hackers that specifically target employees – some of which may seem too simple to be believed. Methods include:

• Social engineering – hackers posing as people within an organisation to obtain access to the network, for example, presenting themselves as a member of IT security and asking for a network password.
• Baiting – hackers use data captured about an employee to trick them into revealing information. An example is using the information listed publicly on LinkedIn to target a junior employee by posing as the CEO to request an action to be carried out.
• Unsubscribe buttons – hackers coax employees into downloading malware by hiding links to malware sites in email unsubscribe buttons, which must be included on all marketing emails.
• Keylogger – also known as keyboard capturing, this technique records and stores strokes of a keyboard and can often pick up personal email IDs, passwords and other sensitive data.
• Internal threats – current or former employees can gain unauthorised access to confidential data, or infiltrate a business’s network with malicious intent. This can include infecting machines with keylogging software or ‘shoulder surfing’ – the act of observing someone typing their password.

What should businesses do to improve cyber security amongst employees?

An effective cyber security strategy must involve appropriate controls to maintain a base level of security, and a monitoring system to look for attempts to violate the policy. This should be underpinned by training for all employees. It is in the best interest of all businesses to ensure their workers have all the knowledge, awareness and skills they need to help protect an organisation against cyber attacks and data breaches.

Each and every person in the workforce – from the minute they are employed – should receive IT training to help them understand data management, protection and disposal best practice. The threat of cyber attacks should never be underestimated, and it is up to employers to ensure that their staff have the tools they need to ensure company data is protected at all times.

By Terry Saliba, Solutions Architect at Evaris