According to Experian’s Managing Insider Risk Through Training and Culture Report, 66 percent of respondents admit that employees are the weakest link in their efforts to build strong security measures for their companies.
Have you ever thought about how much damage a single user can cause an organisation by clicking a spam link or downloading a malware-infected attachment?

If you are curious, I recommend reading on.
The statistics below reinforce the claim that humans are the weakest link when implementing strong cyber security measures.


1. 66% of malware linked to data breaches was installed via malicious email attachments

The Verizon Data Breach Investigations Report finds that users are among the main contributors to data breaches because they download malicious attachments.
Spam emails may carry attachments infected with malware that enters the system when the user downloads them. The malware is designed to steal the user’s data and send it to unknown parties.

What does it mean for the organizations?

1. The organisation should train employees on how to handle emails that contain attachments. For example, files can be scanned mandatorily before they are downloaded. This should be included as part of the e-mail security module of the infosec e-learning course designed for employees.

2. The organisation can implement firewalls that filter out emails with large file attachments from unknown senders.

3. The organisation can also give users a way to flag a suspected threat, so that the IT team can inspect it and decide whether it is a malware attack.


2. 91% of cyberattacks begin with a spear phishing email

With the innovative methods adopted by cybercriminals and hackers, it is becoming increasingly difficult to identify phishing emails.

Hackers try to create a sense of urgency with statements like ‘your online bank account has been hacked’, or attract users with lucrative offers like “you have won the jackpot”.
Users are lured into clicking the spam link; on clicking, the system is infected with malware, or the hackers dupe users into sharing bank account details such as login credentials.

For example, hundreds of users have fallen into the trap of fake Nigerian lottery scams that made them believe they had won jackpots worth millions.

What does it mean for the organizations?

1. As part of infosec e-learning, include activities centred on identifying phishing and spear phishing emails, and have employees practise them time and again. For example, a spam or phishing email may have poorly constructed English, and the links it contains are usually not HTTPS.

2. The organisation can enable firewall policies that restrict users from visiting external links.

3. Inadvertent disclosure (such as an employee mistake) accounts for 17 percent of incidents

All organisations, regardless of size or turnover, face the serious challenge of inadvertent disclosures by employees. The disclosed information may even include the competitive advantage of the enterprise or other confidential information.

The BakerHostetler Data Security Incident Response Report states that, of more than 560 data security incidents managed by the firm, 17 percent were caused by human errors such as inadvertent disclosures.

What does it mean for the organizations?

1. Train employees on the risks associated with inadvertent disclosures. It is beneficial to make this part of ongoing infosec e-learning. A branching, scenario-based approach works well here, showing learners the consequences of inadvertent disclosures.

2. Frame policies and regulations that act as guidelines for employees (for example, training employees on the responsible use of social media websites).

4. Cloud-related cyber attacks saw a significant 424% rise due to human errors

Today, more and more organisations are moving to the cloud to host their data; AWS, Google Cloud and IBM are some of the major players. When hosting files on cloud servers, the organisation must ensure that they are configured correctly. For example, if the permissions to access the data are set to public, hackers can easily exploit that loophole to enter the servers and steal the data.

The 2018 IBM X-Force Threat Intelligence Index found that inadvertent activity such as misconfigured cloud infrastructure was responsible for the exposure of nearly 70 percent of the compromised records tracked by IBM X-Force.

This is supported by the BakerHostetler Data Security Incident Response Report, which states that cloud data breaches caused by permissions being set to “public” instead of “private” were responsible for six percent of the 560 data security incidents the firm handled.

What does it mean for the organizations?

1. This shows the importance of organisations establishing policies that set out IT infrastructure guidelines.

2. With established guidelines, even a fresher or new joiner can simply follow the instructions, which reduces the chance of further human errors.
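As an added illustration of the “public instead of private” mistake (example code written for this post, not taken from it or from any of the reports it cites), the following checker scans an AWS S3 bucket policy document for statements that grant access to everyone. The policy, bucket name and account id are constructed for the example.

```python
import json

# Wildcard principals in an AWS policy document ("*" or {"AWS": "*"}) grant
# access to everyone; that is the "permissions set to public" mistake.
def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]
def _is_public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False
def find_public_statements(policy_json):
    """Return (Sid, action, resource) triples a bucket policy grants to everyone.
    Only Allow statements with a wildcard principal and no Condition are
    reported; a Condition may narrow the grant, so those need manual review.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                findings.append((stmt.get("Sid", "<no Sid>"), action, resource))
    return findings

# Constructed sample: a bucket policy where one statement was mistakenly
# opened to the public while the other is correctly scoped to a role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TeamRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OopsPublic", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
})
if __name__ == "__main__":
    for sid, action, resource in find_public_statements(SAMPLE_POLICY):
        print(f"PUBLIC: statement {sid} allows {action} on {resource}")
```

Running the checker over every bucket policy as part of a deployment pipeline turns the written guideline into an automatic gate, so a new joiner cannot ship a public bucket by accident.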

5. Hacked passwords cause 81% of data breaches

The Verizon Data Breach Investigations Report states that the proportion of data breaches involving stolen or weak passwords has risen to 81 percent.

123456789…
123456
12345
Password
qwerty
letmein
football
iloveyou
admin
Welcome

Believe me, these were some of the worst passwords set by users across the globe in 2017. Choosing such weak passwords makes it easy for hackers to steal your online credentials.

What does it mean for the organizations?

1. The organisation should train employees on the importance of choosing a strong password, for example:

• Always use passwords that combine letters, numbers and symbols.

• Don’t use the same password for multiple accounts.

• Don’t disclose your passwords to anybody.
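An added example, not part of the original post: a registration-time check that enforces the guidance above against the 2017 worst-password list quoted earlier. The minimum length and the variant-stripping normalisation are this example’s own assumptions, not rules the post states.

```python
import re

# The ten worst passwords of 2017 listed in the post (denylist constructed for
# this example; a real deployment would use a far larger breached-password list).
WORST_2017 = [
    "123456789", "123456", "12345", "password", "qwerty",
    "letmein", "football", "iloveyou", "admin", "welcome",
]

def normalise(password):
    """Reduce a password to the base word an attacker's wordlist would match.

    Assumption of this example: users "strengthen" a banned word by changing
    case or appending digits and punctuation ("Password1!"), so the check
    lowercases and strips trailing digits and symbols before comparing.
    """
    return re.sub(r"[\d\W_]+$", "", password.lower())

def check_password(password, denylist=WORST_2017, min_length=12):
    """Return the reasons a password is unacceptable (empty list if it passes).

    Implements the post's guidance: a mix of letters, numbers and symbols, and
    none of the known worst passwords or trivial variants of them.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        reasons.append("contains no letters")
    if not re.search(r"\d", password):
        reasons.append("contains no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("contains no symbols")
    # Compare both the raw lowercase form (catches "123456", which normalises
    # to an empty string) and the stripped base word (catches "Password1!").
    if password.lower() in denylist or normalise(password) in denylist:
        reasons.append("is a known weak password or a trivial variant of one")
    return reasons

if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "correct-horse-7-battery"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```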

These statistics reinforce that human error is still a major contributor to cybersecurity breaches.
Hence I feel that there is an immediate need to find a solution to it.
I recommend that organisations implement effective cyber security (infosec) e-learning programs that create awareness among users.

Also, with e-learning programs the organisation can effectively use various strategies such as e-learning games, gamification and scenario-based e-learning to engage the audience. For example, a scenario-based e-learning module on information security or an e-learning game can engage learners actively.