Ask the average man on the street what the biggest threat to enterprise security is, and they'll rattle off a long list: foreign hackers, corporate espionage, and all types of James Bond-style scenarios. Ask a security professional the same question and you'll get a much simpler answer: People. Namely, employees. That's right, the “human factor” trumps all other security risks that enterprises face. Many of the security breaches we read about in the headlines have some sort of human element involved, whether that be falling for a simple social engineering ploy and unknowingly granting access to a hacker, or something more devious devised by a disgruntled employee.
According to the Identity Theft Resource Centre, in 2015 alone there were 781 data breaches in the United States, resulting in the loss of 169.1 million records, the second highest year for data breaches since 2005. In 2015, hacking incidents reached a nine-year high—nearly 40 percent of all breaches—an increase of 8.4 percent over 2014. This was followed by the employee error/negligence category at 14.9 percent, more than double the 7.2 percent first reported in 2012. While certain types of data breaches are in general decline as a proportion of the total, data loss from hacking and phishing is growing rapidly.
According to a recent Data Breach Digest report from Verizon, social engineering attacks are so successful because threat actors know that humans are the weakest link in any information security strategy. They prey on people's natural curiosity, fears, pride and other factors of the human psyche to gain access to sensitive data. This usually involves something as simple as clicking a link or opening an attachment within an email that appears to come from a trusted source. The Verizon report shows how simple this can be:
- An employee getting a congratulatory email purportedly from the company's CIO for a job well done: “Click here for your achievement award.” Result: Attempted wire transfers totaling more than US$ 5 million (£4 million).
- A chief engineer looking for a job on company time gets an email from a recruiter with promising job opportunities: “Current openings are in the attached file.” Result: Stolen plans used by a competitor to enter the market more quickly.
Think your employees are too smart for this? Think again. Employees aren't dumb—they've been warned about the dangers of clicking links and opening attachments for years. Many laugh over the water cooler about the emails from banks in foreign countries declaring they've inherited £20 million from a deceased relative, or the bogus emails from PayPal or Apple that just want to “confirm” their account. But hackers have become increasingly astute at understanding what motivates humans to take an action and are creating clever ways to take advantage of that. The targets of such attacks can be general, such as gaining access to all of a healthcare company's records, or they can be specific, such as gaining access to plans for a company's new product, as described above.
Unfortunately, even though employees are aware that these schemes exist, it's not changing their behaviour—or the behaviour of enterprises as a whole to provide better training. According to a recent report from Osterman Research, “employees need to be constantly sensitised and trained through security awareness programmes to be extra vigilant regarding their actions.” The report cites alarming statistics from a recent survey of respondents who are involved in managing security capabilities for their midsize or large organisation. In that survey, only 31 percent of respondents considered “measuring the security readiness of our employees” a method used significantly or extensively to measure the effectiveness of their information security spend. This is compared with 49 percent who put a high priority on measuring for compliance with regulatory obligations.
The study also showed a significant gap in the priority given to preventing data breaches between senior-level employees, middle management and “average” workers. While 77 percent of respondents felt their organisation was very well or reasonably well prepared to deal with the consequences of a significant data breach, the priority given to preventing data breaches varied significantly according to role within an organisation. For example, 71 percent of senior IT management placed a high priority on preventing a breach, while only 21 percent of “average” employees did. Line of business middle management (43 percent) and C-level line of business management (55 percent) were also alarmingly low in terms of placing a high priority on preventing data breaches.
The bottom line: Enterprise security may be a high priority for senior-level management, but that urgency is not trickling down to the employees who are putting the enterprise's sensitive data—whatever form it takes—at risk. When security is treated as a simple checkbox, the blame falls on the enterprise when human mistakes are made. Removing people from the equation as much as possible, by using technology that prevents them from making simple “human” mistakes, is critical to the security of the enterprise going forward.
Contributed by Greg Aligiannis, senior director security, Echoworx