One of the biggest security risks is inside your organization
As Cybersecurity Awareness Month draws to a close, it’s time for something a little scary just in time for Halloween. The title of this post draws from a popular horror movie trope—the calls are coming from inside the house—that originated in the 1974 film Black Christmas. And when it comes to cybersecurity, it’s true that the danger is already inside. Even worse…it’s supposed to be there.
The risk comes from employees and other authorized users. Yikes!
“They’re heeere.” – Poltergeist, 1982
Often when we think of security risks on the inside, it’s a malicious insider—a disgruntled employee or corporate espionage. However, while Verizon’s 2022 Data Breach Investigations Report found that the “human element” factored in 82% of data breaches, only 18% of breaches were attributed to malicious insiders.[1] More often, well-intentioned users are duped or make a mistake, as the top two causes of data breaches in 2021 were stolen credentials and phishing.[2]
Phishing isn’t new or newsworthy like ransomware, but it’s still extremely dangerous. Just like when the group of teenagers in a horror movie split up to investigate the creepy haunted house, some people make poor choices. In fact, one report found that 42% of people surveyed admitted to taking dangerous action with a phishing email last year, ranging from clicking a malicious link to giving away their credentials.[3]
Working from home is also adding new attack vectors. While more and more companies allow their workforce to be remote at least part of the time, only 37% educate their employees on security best practices. That can result in some scary statistics, such as 40% of workers not using a password on their home Wi-Fi network.[4]
“Whatever you do, don’t fall asleep!” – A Nightmare on Elm Street, 1984
Often in horror movies, a character makes a big mistake that might seem innocuous any other time, like falling asleep or investigating an odd noise. Seemingly minor mistakes cause issues for cybersecurity as well, with human error responsible for 13% of breaches.[5] Misconfiguration of cloud storage is a large driver of this figure, but it can also include simple carelessness, like sending confidential information to the wrong email address.
Social engineering is another pitfall, with 75% of survey respondents citing it as the top threat to cybersecurity at their organization.[6] While phishing falls under this category, it also includes methods such as:
- Pretexting – fabricating a scenario or pretending to be someone else over email, phone, or social media in order to convince the target to bypass security policies
- Quid pro quo – promising something in return for information, like goods or money
- Tailgating – physically following people into restricted spaces, which often involves a helpful employee holding the door open for the intruder
“The truth is out there.” – The X-Files, 1993
Attackers take advantage of human nature, which can range from people trying to be helpful to just being gullible. To combat this, people require training to examine scenarios with a dose of skepticism. Critical thinking would probably make a number of scary movies much shorter with very different outcomes.
Many organizations mandate security awareness training for their employees, and the good news is that it does work. 84% of U.S. organizations said training has reduced the number of phishing failures.[7] One education company stated that phishing test failure rates went from 32% before training to just 5% a year after training.[8]
Security tools and automation can also help reduce human error or its consequences. Multi-factor authentication can render stolen credentials worthless. Even something as simple as a notice that pops up telling someone they’re about to send an email to an external address could prevent a costly mistake.
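As an added example (not code from the original post), here is the kind of guardrail described above: it inspects the recipient headers of an outbound message and flags any address whose domain is not one of the organization's own, so a client or mail gateway can show the "you are about to send outside the company" notice. The internal domain `example.com`, the sample headers and the function names are assumptions.

```python
"""External-recipient guardrail (added example, not from the original post)."""
from email.utils import getaddresses
from typing import Dict, List, Optional, Set

# Assumed organization domains; subdomains of these count as internal.
INTERNAL_DOMAINS: Set[str] = {"example.com"}


def recipient_domain(address: str) -> Optional[str]:
    """Return the lowercase domain of an address, or None if it is malformed."""
    if address.count("@") != 1:
        return None
    domain = address.rsplit("@", 1)[1].strip().strip(".").lower()
    return domain or None


def is_internal(domain: str, internal: Set[str] = INTERNAL_DOMAINS) -> bool:
    """True when the domain equals, or is a subdomain of, an internal domain.
    A lookalike such as example.com.evil.net is NOT internal."""
    return any(domain == d or domain.endswith("." + d) for d in internal)


def external_recipients(headers: Dict[str, str],
                        internal: Set[str] = INTERNAL_DOMAINS) -> List[str]:
    """Collect To/Cc/Bcc addresses that are external or unparseable.
    Display names are ignored, so '"ceo@example.com" <x@gmail.com>' is flagged."""
    values = [headers[h] for h in ("To", "Cc", "Bcc") if headers.get(h)]
    flagged = []
    for _display_name, addr in getaddresses(values):
        if not addr:
            continue
        dom = recipient_domain(addr)
        if dom is None or not is_internal(dom, internal):
            flagged.append(addr)
    return flagged


def warning_banner(headers: Dict[str, str],
                   internal: Set[str] = INTERNAL_DOMAINS) -> Optional[str]:
    """Text for the pop-up notice, or None when every recipient is internal."""
    ext = external_recipients(headers, internal)
    if not ext:
        return None
    return "Warning: this message will leave the organization: " + ", ".join(ext)


if __name__ == "__main__":
    # Constructed sample headers for a stand-alone run.
    sample = {"To": '"Alice" <alice@example.com>, bob@Mail.Example.com',
              "Cc": '"carol@example.com" <carol@gmail.com>, dave@example.com.evil.net'}
    print(warning_banner(sample))
```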
With increased education and a few guardrails in place, insiders become less of an accidental threat. When they understand what clues to look for, they’ll go from being tricked to knowing how to avoid every horror trope.
1. Verizon, 2022 Data Breach Investigations Report, May 2022
2. IBM, Cost of a Data Breach, August 2022
3. Proofpoint, Proofpoint’s 2022 State of the Phish Report Reveals Email-Based Attacks Dominated the Threat Landscape in 2021, February 2022
4. ibid.
5. Verizon, 2022 Data Breach Investigations Report, May 2022
6. Cyber Security Hub, Social engineering “most dangerous” threat, say 75% of security professionals, August 2022
7. Proofpoint, Proofpoint’s 2022 State of the Phish Report Reveals Email-Based Attacks Dominated the Threat Landscape in 2021, February 2022
8. KnowBe4, KnowBe4’s 2022 Phishing By Industry Benchmarking Report Reveals that 32.4% of Untrained End Users Will Fail a Phishing Test, July 2022