IT professionals’ biggest security concern is their fellow employees

The people you hire to manage your organization’s data are the ones most likely to breach it, says IT security company Balabit. It surveyed 400 IT professionals across Europe and the US, and found that 79% were hit by a cyber attack in the past year, half of which were employee-related.

Respondents agreed that employees were a major vulnerability, with 69% saying they were their biggest cybersecurity threat. Organizations need to be concerned about both accidental breaches, such as an employee misplacing a portable device, and malicious insiders, i.e. employees who misappropriate information for their own gain.

“Attacks are becoming more and more sophisticated and every organization is at risk,” said Balabit Security Evangelist Csaba Krasznay. “Security is no longer about simply keeping the bad guys out. Security teams must continuously monitor what their own users are doing with their access rights, as part of a comprehensive and cohesive security strategy.”

Privilege misuse

The report found that 44% of data breaches were caused by people using accounts that had access to privileged information. This includes both the legitimate owners of those accounts and hackers who had compromised them. Either way, the breach could have been mitigated, if not prevented, had the organization employed access controls.

Access controls ensure that individuals can only access information that is relevant to their job function. Without them, any employee could browse through, say, the organization’s HR files and read their colleagues’ contract details, addresses, and other sensitive data.

However, access controls don’t stop privilege abuse (i.e. people with access rights breaching information), nor do they stop people from hacking into privileged users’ accounts. Tackling privilege abuse is very hard – although we’ll discuss how to do so below – but the threat of hacking is easily mitigated. Almost all instances of password hacking are caused by employees choosing weak passwords or writing them down where someone can see them.

Organizations should establish policies that outline secure password practices. There is a lot of differing advice about what makes a good password, but it’s generally accepted that it should be at least eight characters long and combine letters, numbers, and special characters.

This will make remembering passwords harder (particularly as passwords should be unique to each account), but you can keep track of them with a password manager, such as 1Password or LastPass.

Password practices should be one of a number of policies dedicated to cybersecurity, and organizations should dedicate time and resources to making sure employees are aware of them. Respondents to Balabit’s survey agreed, with 80% saying that educating employees is essential to staying secure. Not only does this prevent cybersecurity incidents, but it also improves company culture and makes it less likely that employees will abuse their privileges.

How to deliver staff awareness training

Knowing exactly what employees need to be taught is hard enough, but organizations also need to find a way to deliver those lessons. Sitting employees down in a classroom is often impractical, either because you can’t get everyone in a room together at the same time or you don’t have someone in the organization with enough experience to lead the course.

IT Governance understands these issues, and offers several solutions to improve staff awareness programs. Our Information Security Staff Awareness E-learning Course provides an overview of the issues your staff need to know about, and it can be completed at a time that’s convenient for them. All you need to do is provide them with a link to the course, tell them to complete it within a set time frame, and check that they passed.

Larger organizations might want to go the extra mile, which is why we offer our Security Awareness Program. This includes a comprehensive review of your cybersecurity practices and advice on how to improve them.

The program improves employees’ engagement with cybersecurity, changes staff behavior, and achieves lasting security awareness. It does this by incorporating a variety of learning tools, which are aligned with your unique requirements and organizational culture.