Tracking Which Employees Could be the Root Cause of a Cyber Attack

Kon Leong at Harvard Business Review wrote an excellent article about the problem of employees exposing your organization to cyber threats through human error. Here is an extract:

Today, cybersecurity has expanded far beyond its traditional domain of external threats, typified by external hackers attacking network vulnerabilities. It now includes insider threats, which are much more complex and difficult to manage, as evidenced by some very serious recent insider breaches, such as those involving Edward Snowden and Chelsea Manning. The nature of insider threats can be categorized into malicious, accidental, or negligent, and account for a combined 39% of all data breaches according to recent research.”

The article suggests four areas where you can significantly mitigate this risk:

  1. Rethink employee training;
  2. Identity high-risk users and intervene;
  3. Shape the solution to the human user and not vice versa;
  4. Constantly adapt to changing threats.

They make a few excellent suggestions on how to get a program like this really effective, because recent research by the Ponemon Institute indicates that employee training is tied as the third-most-effective method of decreasing the per capita cost of a breach, right after extensive use of encryption and assignment of an incident response team.

  • Consider frequent and interactive training sessions;
  • It’s a case of train, retrain, and repeat;
  • Use the tried and true method of simulation, sending out mock-phishing emails.

They end off with: “It’s true that to err is human, and humans will keep erring. But increasingly, technology and improved practices can help you identify those employees who are most at risk of exposing your company to a cyberattack — before it becomes a major problem.”

Excellent ammo to add to a request for IT security budget for security awareness training.

We can add to this the following from a ransomware report by AlienVault:

Security professionals rank user awareness training the most effective tactic to prevent and block ransomware (77%) followed by endpoint security solutions (73%), and patching of operating systems (72%) as preventive approaches to ransomware threats.

I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.

This blog originally appeared on KnowBe4.

Stu Sjouwerman
About the Author
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4 Inc, a provider of the most popular Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Along with his CEO duties, Stu is Editor-in-Chief of Cyberheist News, an e-zine tailored to deliver IT security news, technical updates, and social engineering alerts. Stu is a four-time Inc 500 award winner and EY Entrepreneur of the Year finalist.