Any cybersecurity analysis will show that employees, mostly via human error, are almost always the largest risk in any organization. The 2019 Cyber Security Risk Report by Aon says that 51% of cybersecurity companies have reported malicious internal activity in the organizations they safeguard, but these activities make up a tiny percentage of employee-related cybersecurity incidents.
Instead, the Cyber Security Breaches Survey by IPSOS MORI reports that as many as 57% of breaches have an origin in human error, such as clicking on phishing links, granting the wrong permissions, losing devices, installing ransomware, and accidentally sharing access to private data.
Mitigating these risks means taking steps to ensure employees are aware of risks, that measures are in place to reduce accidental breaches, and that measures are in place to prevent malicious internal activity. The following mitigating measures will greatly reduce cybersecurity risks from employees.
The first step to mitigating risks is to identify them. In most cases, you can start with your general cybersecurity risk report, which many organizations need for compliance, and narrow results based on those related to employees. Here, some of the most common risks include:
The Verizon Data Breach Investigation Report shows that 81% of hacker-related breaches occur because of password issues, including lost, stolen, weak, reused, and shared passwords.
In the Global Print Security Landscape, 2019, Quocirca shows that 11% of all cybersecurity incidents are print-related. These issues include human error, network issues, print files left in printers, and hacked printers.
32-33% of all cybersecurity issues relate to phishing or social engineering, with 62% of organizations having experienced a phishing incident.
Just 5% of business files and folders are properly protected, with 22% of all files on servers accessible to everyone in most organizations, giving the average employee access to some 7 million files – with access revoked sometimes as late as 2 years after employee termination.
There are many other risks and types of risks, but for most organizations, these present the most common employee-related issues.
Offering regular employee training sessions on topics including phishing, securely using software, and on cybersecurity risks will reduce the number of issues in your organization.
People often get complacent when nothing happens or they have time to forget about issues, so offering regular (think once a year) workshops, occasional practice sessions, and free resources across the organization can reduce the number of employee-related issues.
Some hot topics here include:
You may want to offer other workshops in your organization depending on your own risk profile.
Passwords make up a huge part of hacking, but they also cause issues in other ways. For example, many organizations use legacy software with single-user accounts. The entire organization might share a password, which is public knowledge and rarely changed.
Implementing password management tools like LastPass or Roboform allows you to share passwords as necessary across the organization, without showing them to anyone. Most password management tools also allow employees to automatically choose a secure password, to automatically change passwords every 3-6 months, and prevent using the same password on multiple sites.
Password management can also help with compliance-related issues, but security should likely be your first consideration.
Implementing a user-access management matrix is important for controlling user access rights to software, tooling, and data. User access management allows you to grant account access to files, folders, and systems on an as-needed basis, with remote management and monitoring.
This allows IT or security teams to review breaches and access attempts in real time, to update access in real time as needed, and to immediately revoke access when a user is terminated or their account engages in suspicious activity.
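The review described above can be run as a recurring check of current grants against the HR roster. The following is an added example, not part of the original article; the roster, role definitions, resource names, and the `audit_access` function are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR roster, what each role needs, and current grants.
ROSTER = {
    "alice": {"role": "finance", "terminated": None},
    "bob": {"role": "support", "terminated": date(2023, 1, 15)},
    "carol": {"role": "support", "terminated": None},
}
ROLE_NEEDS = {
    "finance": {"payroll-share", "invoices"},
    "support": {"ticket-db"},
}
GRANTS = {
    "payroll-share": {"alice", "carol"},
    "invoices": {"alice", "Everyone"},
    "ticket-db": {"bob", "carol"},
}

def audit_access(roster, role_needs, grants, today):
    """Return a sorted list of (finding, principal, resource, detail) tuples."""
    findings = []
    for resource, principals in grants.items():
        for who in principals:
            if who == "Everyone":
                # Resource readable by the whole organization.
                findings.append(("open_to_all", who, resource, ""))
                continue
            user = roster.get(who)
            if user is None:
                # Account with access that HR has no record of.
                findings.append(("unknown_account", who, resource, ""))
            elif user["terminated"] is not None:
                # Access that outlived the employment relationship.
                days = (today - user["terminated"]).days
                findings.append(("terminated_user", who, resource,
                                 f"{days} days since termination"))
            elif resource not in role_needs.get(user["role"], set()):
                # Grant exceeds the as-needed basis for the user's role.
                findings.append(("beyond_role", who, resource,
                                 f"role={user['role']}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_access(ROSTER, ROLE_NEEDS, GRANTS, date(2023, 3, 1)):
        print(*finding, sep="\t")
```

Each finding maps to one of the problems listed earlier: files open to everyone, access that persists after termination, and grants that go beyond what a role needs.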
Virtual Private Networks function to protect software, cloud tools, and databases no matter what device the user logs in from. This creates a more secure environment, with more protection in case the user’s device is compromised, more protection from users on unsecured Wi-Fi, and more control over who accesses SaaS, servers, and databases.
Virtual Private Networks allow you to give each user a single key, which they can use to log in either from any device or from a single approved device. This reduces the likelihood of a hacker being able to leverage stolen passwords or data to access a network.
Central management of networks, printers, servers, and users should be a critical part of any IT environment. Most organizations leverage cloud, support remote and flex work, and utilize hundreds of devices on each network.
Leveraging remote management allows IT to automate monitoring so that suspicious activity can be immediately flagged and reacted to. While not all environments will support remote management, most cloud solutions have it built in, and it will likely come as a standard element of managed print services and similar solutions.
It’s also important to ensure your organization implements strong firewalls and antivirus or antimalware across servers and devices. Some 97% of businesses have experienced a malware attack, but these attacks are typically so low-cost that they are not treated as a priority.
Firewalls become truly valuable when preventing active malicious attacks, such as keyloggers and cloning devices, that can grant a hacker access to the system. Employees are your greatest cybersecurity risk, but in most cases, actual risks relate to human error, phishing, and access management issues, which you can mitigate with education and good management tools.