Educating employees on cyber risk is essential to protect both the employee and the company, but in today’s fast-paced technological environment raising awareness requires more than distributing written manuals
Cyber risk is consistently high on risk managers’ agenda and it is therefore no surprise that, at 47%, cyber terrorism, theft and extortion came out as the top emerging risk that will impact on employees in StrategicRISK’s people risks survey.
This was followed by two other technology risks; robotics and automation, and the Internet of Things, were cited by 19% and 12% of respondents, respectively. These results show that risk managers worry about the impact the fast-paced developments in technology will have on their workforce.
Lance Henderson, head of sales and relationship management at Zurich Global Employee Benefits Solutions, says employers need to make staff aware of how to protect their data, but he also sees a potential role for the insurance industry.
“Something we may see develop is employers providing some sort of employer-sponsored insurance for employees to help deal with the issues related to cyber risk or identity theft, because having their identity stolen greatly affects an employee’s ability to do their job. Cyber security in relation to the workforce is about education and perhaps some level of insurance protection, but this is not yet being provided through employers.”
Analysis by Verizon into 2260 data breaches found that better cyber risk awareness among employees could also greatly benefit businesses, as 17.7% of all successful data breaches were due to miscellaneous errors. More than a quarter of these (26%) involved sending sensitive information to the wrong person.
Other findings included that 63% of confirmed data breaches involved leveraging weak, default or stolen passwords. Employees could also be trained to better recognise phishing emails, as 30% of phishing messages were opened and 12% of targets went on to open the malicious attachment or click the link.
Robert Schifreen, IT security commentator, trainer and broadcaster, says hackers use clever psychology when putting together a phishing email. “They’ll send an invoice that’ll say ‘If you think there’s been a mistake, please click here’. Or they’ll send a summons, pretending that it’s from the Oxford Magistrates Court, that says ‘You’re due to appear next Tuesday at 10am or you can click here to settle out of court for £3000 or if you intend to defend this, please click here’. Of course employees are going to click it.”
|WHICH EMERGING RISK DO YOU BELIEVE WILL HAVE THE BIGGEST IMPACT ON THE PEOPLE IN YOUR BUSINESS?|
|Cyber terrorism, theft and extortion||47%|
|Food system shock||2%|
|Robotics and automation||19%|
|The Internet of Things||12%|
|Super nat cats||9%|
Cyber criminals use sophisticated techniques to gain access to companies’ data. Employees need to be educated on cyber security measures, but businesses need to recognise that technology is changing faster than employees can handle, according to Anders Esbjörnsson, group risk manager for Swedish construction company NCC and a FERMA board member.
“Companies must allow some more time for employees to adapt, and make sure people set aside time for training programmes on the most essential tools and how to use IT. They should explain how cyber crime takes place, the importance of safe passwords, how to save their work, and so on. Manuals and written guidelines are certainly not enough.”
WHEN AN ASSET TURNS INTO A LIABILITY
When clicking on a link or opening an attachment from a phishing email, the employee unwittingly lets cyber criminals into the company’s IT system. Better education enables companies to protect its greatest asset – its people. However, corporates not only face threats from outside the organisation – sometimes the enemy is within.
Verizon’s analysis found that 16.3% of data breaches were due to insider and privilege misuse. A third of these were motivated by financial gain, while 25% can be linked with espionage, such as the theft of intellectual property.
These data breaches are often harder to discover too, with 70% involving insider misuse taking months or years to uncover or reveal.
Insider threat is also a key concern among risk managers, with 42% of respondents to StrategicRISK’s survey citing unethical or fraudulent activities of staff or contractors as within their top three of people risk issues.
Understanding the motivations of hackers – be they outside or inside the organisation – helps to improve cyber security, but Schifreen believes this is one of the areas where companies fail in their cyber defences.
“The way you protect yourself against a bored 17-yearold is very different from how you protect yourself from serious organised crime, cyber terrorism or ransomware. People hack for all sorts of reasons and you need to understand that.”
Click here to read the full report on StrategicRISK’s people risks report
HOW TO PROTECT AGAINST INSIDER AND PRIVILEGE MISUSE
• Know your data: You need to know what sensitive data you have, where it is, and who has access to it. Governance should ensure that access is limited to those who really need it and actual access is checked against this list.
• Monitor user behaviour: Track system usage – particularly access to data that can be used for financial gain – and revoke access immediately when employees leave.
• Track USB usage: Don’t leave yourself in a position where you only find out that an employee has taken data after they have left.
Source: Verizon’s 2016 Data Breach Investigations Report
TIPS TO PREVENT MISCELLANEOUS ERRORS
• Learn from mistakes: Keep a record of common errors that have occurred in the past. You can use this to improve security awareness training and measure the effectiveness of your controls.
• Strengthen controls: Consider using data loss prevention software, which can restrict sensitive information being shared outside the company.
• Implement thorough disposal procedures: Make sure your assets are wiped of sensitive data before they are sold.
Source: Verizon’s 2016 Data Breach Investigations Report