Cybersecurity technology can keep your organisation’s sensitive information safe against external threats. But it won’t be anywhere near as effective against threats that come from within your business.
In Nucleus Cyber’s 2019 Insider Threat Report, 70% of organisations said they believe insider attacks are becoming more frequent and 56% think insider attacks are getting harder to detect.
State-of-the-art cybersecurity technology is advanced enough that it’s often not worth a criminal’s time trying to take it on directly. This is why 99% of cyberattacks require human interaction to work. Exploiting someone’s mistake, laziness or self-interest is far more likely to get an attacker access to your data.
Cybersecurity threats caused by employees come in three distinct forms.
An inadvertent threat is when someone within your organisation causes a data breach through carelessness or an innocent mistake. It happens when someone doesn’t even realise that they could be putting your business at risk.
This could be as simple as clicking a link that looked trustworthy but turned out to be malicious. Someone might not see an issue with using the same password on their personal Facebook account as they do on their work emails. Someone might leave backups of their work on unencrypted flash drives that end up in the pocket of a bag they donate to a charity shop.
Here, no one is trying to harm your business. Those at fault would change their behaviour if they fully realised the potential consequences and knew that their actions were putting your business at risk. This kind of threat is caused, ultimately, by a lack of knowledge and understanding.
A negligent threat is when policies are wilfully ignored by a user even though they have no malicious intent.
This could be someone switching off their multi-factor authentication because they think the extra step is a waste of their time. It could be someone not bothering to back up their data because they assume they won’t lose their laptop.
The 2019 SMB Cyberthreat Study reported that 66% of SMBs believe a cyberattack is unlikely to happen to them, even though they are a popular target for criminals. The 2019 Hiscox Cyber Readiness Report saw a significant increase in cyberattacks aimed at SMBs over the past year.
This attitude in itself is a negligent threat.
These threats leave your business open to exploitation because someone doesn’t realise how reckless their choice to cut corners really is. They operate under the assumption that they will be fine despite the odds. It might happen to a lot of people, but they are sure it won’t happen to them.
Again, no one is actively trying to harm your business, but they are aware that their behaviour doesn’t meet necessary security standards. They’re choosing to ignore them because they don’t realise the risks their actions pose to your business.
A malicious threat is when someone within your organisation is trying to cause damage. They know exactly what they are doing and have made a conscious decision to harm your business. They actively take advantage of the access they have to your data for their own personal gain.
They might have this access legitimately and be abusing that position within your organisation. Or they might be exploiting a less privileged position within your organisation to break into stores of information they should not have access to.
There are a number of factors that could drive someone to intentionally breach your data. It might be the financial incentive of being able to sell on sensitive information, potentially having been bribed or otherwise manipulated by an external source. They might hold a grudge against your organisation for whatever reason and want to cause disruption in retaliation. They may just be the kind of person who likes causing havoc and thinks that risking their employment is worth the chaos.
This type of insider threat happens when someone values their self-interest over the privacy of your business and your customers.
Strong cybersecurity begins with ensuring that your staff are well trained and knowledgeable. They need to understand how their approach to sensitive information can pose risks to your business and be motivated to take the necessary measures to keep your organisation safe.