The Human Factor in Cyber Risk is the biggest cyber threat that businesses face today.
Businesses recognize the cyber risk created by the outside threat of a hacker, but the human factor, or insider threat, is the greater threat. By virtue of human nature, people are susceptible to making mistakes, and it is this unpredictability, together with the difficulty of managing it, that concerns most businesses the most.
- The Kroll Annual Global Fraud and Risk Report identified that 56% of businesses advised that insiders were the key perpetrators of cyber security incidents, with former employees making up a high proportion of these at 23%.
- The Mimecast study last year showed that 45% of businesses felt that they were not prepared against insider attacks.
A PwC report prepared last year also found that current employees are the top insider cyber risk to UK businesses, so what are the main forms of cyber risk that are brought about by human factors?
These attacks are motivated by a user wishing to cause a business harm, possibly out of revenge or spite due to frustration at work, or for a reward from an outside organisation or competitor.
As an insider, they do not need to get around firewalls, can avoid detection, and are normally in a position of trust where their actions are not questioned.
The attacks consist of deliberate acts such as:
Infection of Computer Systems with Malware
An employee could deliberately introduce malicious software into the business's computer system, causing disruption.
Selling of Passwords
This could lead to corporate data being stolen and passed to a competitor.
Abuse of Internal Logins
The Ponemon Institute's study on the insecurity of privileged users last year identified that 21% of the respondents felt that privileged access was not actually necessary. The report highlighted that users with access to the most sensitive information are the most likely to be an insider risk.
Accidental incidents are caused by carelessness and lack of awareness, perhaps during a busy period at work, at a certain time of day such as after lunch, or on a Friday afternoon when thoughts could be on the weekend. Examples include:
The inadvertent transmission of a virus via an e-mail that could corrupt a third party's computer system.
Leaving a laptop on a train or in a shop.
Uploading sensitive information that may then be sent out into the public domain.
An employee may open an innocent-looking e-mail attachment that contains a virus which compromises the business's computer systems. This is known as a phishing attack and could lead to the system being locked down by a ransomware attack.
Phishing attacks can be targeted (i.e. spear phishing) or circulated indiscriminately.
Poor Password Housekeeping
An employee may keep their password by writing it on a Post-it note stuck to their computer screen or in their desk notepad; this provides an opportunity for another employee to access their computer profile.
Examples of Insider Attacks in the UK
40,000 customer accounts of Tesco Bank, out of a total of 136,000, were subject to suspicious transactions, and 9,000 of these had money stolen from them. The sums taken were relatively small, varying up to amounts of £600, but eventually totalled £2,500,000. It is suspected that the compromise of the customer accounts was the result of an insider.
The accounting and HR software firm suffered a data breach which appeared to be an insider attack. Employee data of 280 UK customers was accessed and possibly compromised. It is understood that an internal login was used to gain unauthorised access to the data.
An insider published details of the entire Morrisons employee database of 100,000 staff, in what appeared to be motivated as a revenge attack. The employee is likely to have taken advantage of his privileged access rights. A number of employees have since launched legal action against Morrisons.
Ten ways to help manage the Human Factor
- Ensure that cyber security policies and procedures are in place
- Introduce staff awareness of current cyber security threats
- Robust training of staff on all aspects of cyber security
- Review of employee conduct prior to joining the company
- Monitoring of the online activity of employees who are leaving the company
- Monitoring of internal network activity and review of unusual activity
- Assessment of large amounts of data being accessed or moved
- Sharing of best practices
- Restriction of administrator logins
- Purchase of cyber insurance to help mitigate losses
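As an added illustration of three of the controls in the list above (monitoring leavers, reviewing unusual data volumes, and restricting administrator logins), the following Python is example code written for this article, not a tool from any vendor named here; the log records, the leaver list and the admin list are all constructed sample data.

```python
# Added example: a minimal insider-activity review run over constructed
# daily access summaries. Each record is (user, day, bytes_accessed, admin_login).
from collections import defaultdict

# Constructed sample data (not real logs).
ACCESS_LOG = [
    ("alice", "2023-05-01", 120_000, False),
    ("alice", "2023-05-02", 110_000, False),
    ("alice", "2023-05-03", 130_000, False),
    ("alice", "2023-05-04", 9_500_000, False),  # sudden bulk data pull
    ("bob", "2023-05-01", 200_000, False),
    ("bob", "2023-05-02", 210_000, True),        # admin login by a non-admin
    ("carol", "2023-05-04", 50_000, False),      # carol has handed in notice
]
LEAVERS = {"carol"}   # hypothetical list supplied by HR
ADMINS = {"dave"}     # hypothetical list of approved administrator accounts


def review(log, leavers, admins, spike_factor=10):
    """Return (user, day, reason) findings for a human reviewer to triage.

    - any activity by a user on the leaver list is flagged;
    - an admin login by an account not on the approved admin list is flagged;
    - a day whose volume exceeds spike_factor times the mean of that user's
      earlier days is flagged as a volume spike (the first day has no baseline).
    """
    by_user = defaultdict(list)
    for user, day, nbytes, admin in log:
        by_user[user].append((day, nbytes, admin))

    findings = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order so the baseline only uses earlier days
        volumes = [nbytes for _, nbytes, _ in rows]
        for i, (day, nbytes, admin) in enumerate(rows):
            if user in leavers:
                findings.append((user, day, "activity by leaver"))
            if admin and user not in admins:
                findings.append((user, day, "admin login by non-admin"))
            prior = volumes[:i]
            if prior and nbytes > spike_factor * (sum(prior) / len(prior)):
                findings.append((user, day, "volume spike"))
    return findings


if __name__ == "__main__":
    for finding in review(ACCESS_LOG, LEAVERS, ADMINS):
        print(finding)
```

The thresholds are deliberately simple; in practice the baseline would come from a longer history and the findings would feed a review queue rather than block anyone automatically.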
The Human Factor can also be one of the best defences against cyber attacks if employees are appropriately trained and aware of the changing threat landscape that businesses face.