Business owners would like to believe the biggest threats to their company — and livelihood — are external. But according to the 2017 IBM X-Force Threat Intelligence Index report, both the financial services and healthcare sectors saw a fall in attacks by outsiders but an increase in attacks by malicious insiders and inadvertent actors.
In financial services, 5 percent of attacks involved malicious insiders and 53 percent involved inadvertent actors. In healthcare, 25 percent of attacks involved malicious insiders and 46 percent involved inadvertent actors, according to the report.
Likewise, the 10th annual Verizon Data Breach Investigations Report found that 25 percent of the data breaches it analyzed involved internal actors.
With that in mind, let’s take a look at four types of employees who could be putting your business at risk:
- Millennials: As this Fortune.com story points out, “Millennial employees could be your company’s biggest cybersecurity risk.” Why? Millennials tend to engage in risky online behaviors — like reusing passwords for a slew of different accounts or skipping two-step authentication. They also tend to embrace working remotely, and like to access files using cloud-based apps, like Dropbox or Google Docs, without getting permission from IT. They’re also more likely to go rogue and download unsanctioned apps even if their IT department has offered an approved alternative, according to this Softchoice research.
- The Careless: Did you know that according to the latest Verizon Data Breach Investigations Report, 80 percent of hacking-related breaches leveraged stolen and/or weak or guessable passwords? Yet many employees are careless when it comes to their passwords, according to this Softchoice research, which examined the habits of North American workers. One in five people keep their passwords on a sticky note in plain sight; one in four manage their passwords in a document that is not password protected; one in five have lost an employee device that was not password protected. Many of these folks know they should adopt safer practices, but they just can’t be bothered. They’re not malicious per se, they’re just a bit sloppy. If there’s someone on your team who fits this profile, it’s time for a very serious discussion.
- The Unaware: On the other end of the spectrum from careless is unaware. These are the folks who just plain don’t know any better. They haven’t had any training at work, and safe cybersecurity practices are just not in their wheelhouse. According to the Softchoice study, a significant number of employees are unaware of the inherent risks of their careless technology habits. “Fifty-eight percent of all employees have NOT been told the right way to download and use cloud apps; 44 percent of all employees have NOT been told how to securely transfer and store private corporate data; 39 percent of all employees have NOT been told the risks of downloading cloud apps without IT’s knowledge,” according to the Softchoice research. In addition, this year’s Verizon Data Breach Investigations Report found that phishing scams are alive and well: 1 in 14 users fell for a phishing scam and followed a link or opened an attachment they shouldn’t have, and some people were duped more than once. The takeaway? You should definitely provide ongoing training about how to use and store private corporate data and teach employees how to spot phishing scams and impostor email scams.
- The Recently (or About To Be) Fired: Unhappy or recently fired employees can wreak havoc on a business. “In 60 percent of cases, insiders abscond with data in the hope of converting it to cash in the future. But sometimes it’s a case of unsanctioned snooping (17 percent), or taking data to a new employer or to start a rival company (15 percent),” according to the most recent Verizon Data Breach Investigations Report. This Business News Daily story details warnings from the FBI and Department of Homeland Security (DHS) about how “fired or dissatisfied employees are posing a significant cyberthreat to U.S. businesses.” The FBI has investigated cases where individuals “used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts and gain a competitive edge at a new company.” Cloud storage websites and the use of personal email accounts enabled this behavior. Do you have an offboarding plan in place for your employees? Here are some tips from the FBI and DHS on how to prevent an issue (for more tips, visit this Business News Daily story).
- Make sure they can’t access your network after they’re terminated.
- All accounts tied to an employee or contractor should be terminated immediately after they’re let go.
- Administrative passwords should be changed immediately after IT personnel are let go.
- Avoid using shared usernames and passwords for remote desktop software.
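The four tips above are only as good as your ability to check that they actually happened. The script below is an added illustration, not code from the FBI, DHS or LibertyID: it reconciles a constructed HR roster against a constructed directory export and flags accounts that are still enabled after the owner's termination date, accounts whose owner is not on the roster at all, generic shared accounts that hold remote-desktop or VPN access, and admin credentials that a departed IT staffer may still know and that therefore need rotating. The `Employee`, `Account` and `Finding` types, the finding codes and the sample records are all assumptions made for the example.

```python
"""Offboarding access audit (illustrative example, not a vendor tool).

Cross-checks an HR roster against directory accounts and reports the
gaps the FBI/DHS offboarding tips are meant to close. All data below is
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    terminated_on: Optional[date]  # None = still employed


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]   # HR user_id; None = generic/shared account
    enabled: bool
    is_admin: bool
    remote_access: bool    # holds an RDP/VPN entitlement


@dataclass(frozen=True)
class Finding:
    account: str
    code: str
    detail: str


def audit(roster: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Return one Finding per offboarding gap found in `accounts`."""
    hr = {e.user_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        # Tip 4: shared credentials for remote access cannot be revoked per person.
        if acct.owner is None:
            if acct.enabled and acct.remote_access:
                findings.append(Finding(acct.name, "SHARED_REMOTE",
                                        "generic account with remote access; replace with named accounts"))
            continue
        emp = hr.get(acct.owner)
        # An enabled account with no HR owner has nobody to offboard it.
        if emp is None:
            if acct.enabled:
                findings.append(Finding(acct.name, "ORPHAN",
                                        f"owner {acct.owner!r} not on HR roster"))
            continue
        if emp.terminated_on is None:
            continue
        # Known future departure: schedule the disable ahead of time.
        if emp.terminated_on > today:
            findings.append(Finding(acct.name, "PENDING_TERMINATION",
                                    f"owner leaves {emp.terminated_on.isoformat()}; schedule disable"))
            continue
        # Tips 1 and 2: terminated owner must not retain any enabled account.
        if acct.enabled:
            findings.append(Finding(acct.name, "TERMINATED_STILL_ENABLED",
                                    f"owner terminated {emp.terminated_on.isoformat()}"))
        # Tip 3: rotate admin passwords even if the account is already disabled,
        # because the person may still know shared administrative secrets.
        if acct.is_admin:
            findings.append(Finding(acct.name, "ROTATE_ADMIN_CREDS",
                                    "terminated owner held admin rights; rotate admin/shared passwords they knew"))
    return findings


def run_sample() -> List[Finding]:
    """Run the audit over constructed sample data as of 2024-05-01."""
    roster = [
        Employee("alice", None),
        Employee("bob", date(2024, 3, 1)),     # IT admin, let go two months ago
        Employee("carol", date(2024, 6, 30)),  # notice given, still employed
    ]
    accounts = [
        Account("alice", "alice", enabled=True, is_admin=False, remote_access=True),
        Account("bob", "bob", enabled=True, is_admin=True, remote_access=True),
        Account("carol", "carol", enabled=True, is_admin=False, remote_access=False),
        Account("dave", "dave", enabled=True, is_admin=False, remote_access=False),  # not in HR
        Account("rdp-shared", None, enabled=True, is_admin=False, remote_access=True),
        Account("svc-backup", None, enabled=True, is_admin=False, remote_access=False),
    ]
    return audit(roster, accounts, date(2024, 5, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:25} {f.account:12} {f.detail}")
```

Running the sample flags bob twice (still enabled, and admin credentials to rotate), dave as an orphan, rdp-shared as a shared remote-access account and carol as a pending departure, while alice and the non-remote service account pass. In a real environment the two inputs would come from your HR system and a directory export (for example an Active Directory user dump), and the check would run on a schedule so that a missed offboarding is caught in days rather than discovered after an incident.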
One thing is clear — educating your employees should be a top priority when it comes to a cyber incident prevention plan. While education likely won’t prevent a recently terminated employee from turning on their former employer, for the first three employee types we highlighted, employee education is most certainly the answer.
The advice in this Harvard Business Review story sums it up nicely:
“User awareness programs are the key to educating insiders. Train your people, test them, and then try to trick them with fake exercises. These basics make a disproportionate impact but they do require work and perseverance.”
In this previous blog post, we offer a slew of important issues you should train your employees on, like the difference between sensitive and non-sensitive data, data encryption, proper password usage and more.
It’s also important for your company to have a plan for a data breach.
This is where we can help. LibertyID for Small Business prepares you with prevention planning, a crisis response plan and fully managed identity theft restoration for your employees (no matter how their identity is compromised) and for your customers should you experience a data breach. When a data breach happens, our team of specialists goes to work.
Is your business covered for a data breach?