Your Users Are Your Biggest Threat

Cybersecurity risks cannot be fought or solved simply with technology.

Even with the best policies, processes and tools in place, employees will always remain your biggest security risk since they are closest to your sensitive data. Whether malicious or accidental, human error can sabotage even your best efforts at keeping your company secure. So how can you put yourself and your employees in the best position with today’s changing security landscape?

Begin by educating your users

Most employees aren’t technology experts and they likely don’t understand just how insidious cyber threats can be. Without properly educating your workforce to be aware of social engineering and other exploitative behaviors they may experience, they won’t know to take every necessary safety precaution. In essence, by not training them on what to watch for, you’re leaving your network’s backdoor open for criminals.

All it takes is for one employee to receive an email from their “manager” marked high importance. They immediately open it, download the attachment – and with it, malware – all without even realizing the implications of their small action. By taking various training measures, you could have drastically reduced the chance of that attempt becoming a successful attack.

…then test them

With the support of your executive team, consider requiring all staff to become “security certified” by participating in training sessions that end with a passing score on a test. This will not only ensure that they understand how their individual actions contribute to the success or failure of the company’s security efforts, but gives you an opportunity to identify concepts that may need additional training.

According to a 2017 study, when companies educate their staff on security best practices, they see a 93% success rate at getting employees to put that knowledge into practice.

To make sure what they’ve learned hasn’t gone in one ear and out the other, consider launching proactive (albeit fake) spear phishing campaigns to remind employees just how easy it is to fall victim to a cyber threat. Similar to the training exam, this exercise also helps you identify users or groups who may need retraining, and helps inform you of how often you need to go over best practices.

Get employees invested in keeping your company secure

Security doesn’t have to be a push-pull between end users and IT staff. A security breach hurts everyone in the company, so in addition to educating end users on how to identify a threat, make sure they understand why they should care and the severe implications an attack may have. For example, a ransomware attack could take a significant toll on the company’s revenue, which could have the potential to threaten their jobs. Cybersecurity is an abstract concept that has very real consequences, and the most important thing you can do after ensuring you have the right technology in place is to empower employees with knowledge on how to stay secure.

Control privileged user access

Privileged users often pose the biggest threat to a company’s security, as they have the greatest access to a company’s data and intellectual property, coupled with the fewest controls on their accounts, making them the ideal target for cybercriminals. If they happen to have malicious intent, privileged users can also be the most challenging internal risks to identify since they’re the ones at the forefront of the (supposed) security efforts.

Consider limiting the amount of privileged user accounts in your organization, and review them regularly to make sure that levels of access granted are not greater than needed. Hold trainings specifically for privileged users on proper ways to manage their access, such as logging out of systems, using two-factor authentication, never sharing passwords and creating difficult-to-hack credentials.

According to a survey of nearly 700 IT professionals, despite their awareness of insider risks, only 40% of respondents have dedicated funding in their budgets to fight insider threats.

Instill an open door policy

You can provide the best security education to end users and they may answer every question correctly on your test, and still, they may make a mistake in real life. Keep an open dialogue between your IT team and employees so they aren’t afraid to report to you when they suspect something malicious has happened or if they’ve accidentally clicked a link that seems sketchy. By creating an environment where staff is encouraged to come to IT openly, it increases your ability to identify issues before they become catastrophic.

Don’t have the resources to adequately train end users? Fill out the form below to learn more about how our adoption and training services help companies increase their security and lower potential risks.

h

Check out the next article in this chapter

Skip to the next chapter

Share This