Accidental or malicious insider threat: staff awareness makes the difference

Securing your company’s boundaries reduces your chances of being attacked by external threats, but what if the threat comes from the inside?

According to data security company CODE42, 78% of security professionals state that negligent and careless staff are the biggest threat. Why is that? Because staff don’t follow security policies and procedures, causing data leakage or inadvertently helping cyber criminals get into the company’s systems. 90% of the organisations interviewed experienced at least one insider threat each month (the average is 9.3 insider threats per month!), which means that every month they had to manage consequences like business disruption, heavy fines and, in the worst cases, business closure.

The exposure of internal data, files and information can be accidental or malicious. Whatever the cause, staff negligence is responsible for data loss more than 40% of the time. Accidental exposure is caused by a lack of security awareness: staff don’t know the consequences of their behaviour. Malicious exposure is the opposite: the people involved are fully aware that their conduct is harming the company.

Accidental exposure

Accidental exposure happens when your staff are not alert and vigilant. They’re unaware of the risks and consequences of cyber attacks, and don’t know your security policies. This can be caused by:

  • Social engineering – staff falling victim to phishing and vishing attacks in which con artists obtain sensitive data (login credentials, for instance) by impersonating someone the staff trust;
  • Poor password security – staff set weak passwords or have bad habits like sharing them or writing them down, thereby allowing access to unauthorised people;
  • Unauthorised downloads of software and applications without the IT department knowing about it – these downloads might contain malware that can spread across the whole network.

What can you do? Educate your staff. How can you do that? With e-learning courses like the Phishing Staff Awareness and Information Security Staff Awareness courses. Your staff will understand the risks of cyber insecurity with real-world scenarios and best practices, while your company will see a reduction in the perceived security risk.

Malicious exposure

Malicious exposure usually happens when employees, former employees or former third-party vendors want to harm the company, often out of a desire for revenge. What they do:

  • Infect the system with malware;
  • Sell corporate data;
  • Anything to cause real damage to the company.

Part of the blame lies with the company itself if it failed to revoke or change login access when the person left. With a stricter user access management policy, in which account removal is part of the leaver process and is regularly checked against HR records, this kind of intrusion is easily avoided.
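The following is an added example, not code from the original article: a small reconciliation script of the kind a security team can run to catch exactly the gap described above, accounts that are still enabled (or were used) after the owner's leaving date, plus accounts with no HR owner at all, such as a vendor's leftover login. The HR records, account list, field names and dates are all constructed for the example and stand in for whatever exports your HR system and directory or identity provider actually produce.

```python
"""Leaver access reconciliation: flag accounts that should have been revoked.

Added example, not the article's own code. The HR export and the account
export are modelled as constructed in-memory records; the column names
(username, leaving_date, enabled, last_login, privileged) are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class HrRecord:
    username: str
    employment_type: str            # "employee" or "contractor"
    leaving_date: Optional[date]    # None means still employed


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]
    privileged: bool                # admin / elevated rights


# Constructed sample data (no real people or systems).
HR = [
    HrRecord("amartin", "employee", None),
    HrRecord("jlee", "employee", date(2024, 3, 15)),
    HrRecord("vendor_acme", "contractor", date(2024, 1, 31)),
    HrRecord("pgomez", "employee", date(2024, 5, 1)),
]
ACCOUNTS = [
    Account("amartin", True, date(2024, 5, 20), False),   # current staff, fine
    Account("jlee", True, date(2024, 4, 2), True),        # left, still enabled, used afterwards
    Account("vendor_acme", False, date(2024, 1, 30), False),  # correctly disabled
    Account("pgomez", True, None, False),                 # left, not yet disabled
    Account("svc_backup", True, date(2024, 5, 19), True), # nobody in HR owns this account
]
TODAY = date(2024, 5, 20)  # constructed "run date" so the example is deterministic


def find_access_gaps(hr: List[HrRecord], accounts: List[Account],
                     today: date, grace_days: int = 0) -> List[Tuple[str, str, str]]:
    """Return (username, severity, reason) for every account that violates the leaver policy.

    grace_days lets an organisation tolerate a short delay between the leaving
    date and the account being disabled; a login after the leaving date is
    always reported, grace or not.
    """
    hr_by_user = {r.username: r for r in hr}
    findings = []
    for acct in accounts:
        severity = "high" if acct.privileged else "medium"
        rec = hr_by_user.get(acct.username)
        if rec is None:
            # No HR owner: orphaned service or vendor account. Only a problem if it can log in.
            if acct.enabled:
                findings.append((acct.username, severity,
                                 "orphaned: enabled account with no HR owner"))
            continue
        if rec.leaving_date is None:
            continue  # still employed
        deadline = rec.leaving_date + timedelta(days=grace_days)
        if acct.enabled and today > deadline:
            days = (today - rec.leaving_date).days
            findings.append((acct.username, severity,
                             f"still enabled {days} days after leaving on {rec.leaving_date}"))
        if acct.last_login is not None and acct.last_login > rec.leaving_date:
            findings.append((acct.username, severity,
                             f"logged in on {acct.last_login} after leaving on {rec.leaving_date}"))
    # Privileged accounts first so they are dealt with first.
    return sorted(findings, key=lambda f: (f[1] != "high", f[0]))


def audit(today: date = TODAY, grace_days: int = 0) -> List[Tuple[str, str, str]]:
    """Run the reconciliation over the constructed sample data."""
    return find_access_gaps(HR, ACCOUNTS, today, grace_days)


if __name__ == "__main__":
    for username, severity, reason in audit():
        print(f"[{severity}] {username}: {reason}")
```

Run against the sample data this reports four findings: two for jlee (still enabled, and a login after the leaving date), one for pgomez (still enabled) and one for the orphaned svc_backup account; vendor_acme is correctly silent because it was disabled. Raising grace_days to 30 drops the pgomez finding but keeps jlee's post-departure login, which a grace period should never excuse.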

Tips to increase staff security awareness

Staff are the weakest link in the security strategy equation, but you can strengthen that link by following the tips below:

  • Share your company security policies with your staff and ensure security procedures are understood;
  • Share news of the latest cyber attacks to make your staff aware of what to expect and what to be suspicious of;
  • Provide staff induction training and annual refreshers with e-learning courses;
  • Share security best practices;
  • Involve your staff in the fight against cyber crime by inviting them to report any suspicious activity.

E-learning courses are the best option to increase your staff’s security awareness: through real-life scenarios, tips and questions, they help your staff understand critical issues and the compliance requirements of standards and regulations like ISO 27001, the PCI DSS and the Data Protection Act.

Read more about our e-learning courses >>