According to PwC’s Global State of Information Security® Survey 2015, employees have become the most-cited culprits of information security incidents – whether intentionally or not. The percentage of respondents who pointed at current employees as the cause for incidents has jumped by 10% since 2013. Moreover, 32% of the respondents of the 2014 US State of Cybercrime Survey said that insider crimes are more costly or damaging than those committed by outsiders.
Employees are often the primary target of cyber criminals, who use sophisticated techniques to manipulate individuals into helping them steal corporate or personal data.
The technical security controls organisations apply to their computer systems can do little or nothing to change the behaviour of the people responsible for data. As a result, the human factor remains one of the weakest links in information security, while cyber security awareness continues to be a big gap in many organisations’ overall security approach.
But all is not lost: there are some measures organisations can adopt to counter the insider threat.
Most employees won’t harm their organisations intentionally. If they become the cause of an incident, this will be most likely due to lack of knowledge, negligence or simply human nature. Moreover, Sony Pictures Entertainment’s data breach has demonstrated that employees’ own sensitive information is also at stake. Therefore, it is as much the employees’ responsibility to protect sensitive information as it is the employer’s duty to educate employees about cyber security and what it means for the organisation.
Implementing an information security management system (ISMS) as defined by the ISO27001 standard can support the development of an integrated staff awareness programme, alongside the other activities needed to improve information security within an organisation.
Security awareness training can deliver quick returns by raising employee awareness of information security best practice as well as cyber threats. It is not only fundamental for effective information security management within an organisation, but also helps meet specific requirements mandated by ISO27001, the Data Protection Act (DPA) and the PCI DSS.
Employee phishing vulnerability assessment
With the growth of malware, the increased use of social media and mobile apps, and the proliferation of phishing attacks, the cyber security challenges that organisations face keep growing.
With this in mind, educating employees does not provide the full answer to the problem of the human factor. Organisations have to become more creative and sophisticated; they should test employee knowledge, identify weaknesses and make improvements.
Conducting a comprehensive employee phishing vulnerability assessment, for example, identifies which employees are susceptible to phishing and why, and produces recommendations for improvement. It gives an organisation a broad understanding of the risks associated with its staff and of how those risks can be addressed.
Access control management
A report from Ponemon Institute for Varonis (Corporate Data: A Protected Asset or a Ticking Time Bomb?) revealed that 71% of employees have access to data they shouldn’t see. 54% of the end users said they access such data frequently or very frequently, while 80% of the IT professionals surveyed said their organisation doesn’t enforce a strict least-privilege data model.
ISO27001 provides a structured way to tackle the problem of unauthorised access: the Standard's access control requirements cover user registration and de-registration, privilege management, user password management and the periodic review of user access rights, so that access is granted on a need-to-know basis and removed when it is no longer needed.
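The survey figure above (71% of employees with access to data they should not see) is exactly what a least-privilege access review is meant to surface. The script below is an added example, not part of the original article and not any vendor's or the Standard's own tooling: it takes a constructed role entitlement catalogue, a constructed directory export (users, groups) and ACL export, expands group membership to work out who can actually read what, reports the excess per user, checks the audit log to see which excess grants are being exercised, and recommends which ACL entries to revoke or narrow. All names, data sets and log events are invented for illustration.

```python
"""Least-privilege entitlement review over a constructed ACL export.

Added example; all data below is constructed for illustration. It answers:
which users can read data their role does not entitle them to, which of those
grants are actually being used, and which ACL entries to revoke or narrow.
"""
from collections import defaultdict

# Role -> data sets the role legitimately needs (assumed job-role catalogue)
ROLE_ENTITLEMENTS = {
    "finance": {"payroll", "ledger"},
    "engineering": {"source", "ci-secrets"},
    "hr": {"payroll", "personnel"},
    "sales": {"crm"},
}
# User -> role, as recorded by HR / the identity store (assumed)
USERS = {"alice": "finance", "bob": "engineering", "carol": "hr",
         "dave": "sales", "erin": "engineering"}
# Security group -> members, as exported from the directory (assumed)
GROUP_MEMBERS = {
    "g-finance": {"alice", "dave"},   # dave added for a one-off project, never removed
    "g-eng": {"bob", "erin"},
    "g-hr": {"carol"},
}
# Data set -> principals (users or groups) granted read access (assumed ACL export)
ACL = {
    "payroll": {"g-finance", "g-hr"},
    "ledger": {"g-finance"},
    "source": {"g-eng"},
    "ci-secrets": {"g-eng", "carol"},   # carol (HR) added by mistake
    "personnel": {"g-hr"},
    "crm": {"dave", "g-eng"},           # whole engineering group can read CRM
}
# (user, data set) read events from the audit log (constructed)
ACCESS_LOG = [("dave", "payroll"), ("dave", "payroll"), ("bob", "ci-secrets"),
              ("dave", "crm"), ("carol", "ci-secrets")]


def expand_principal(principal, group_members=GROUP_MEMBERS):
    """A group resolves to its members; a name that is not a group is a user."""
    return set(group_members.get(principal, {principal}))


def effective_access(acl=ACL, group_members=GROUP_MEMBERS):
    """user -> data sets the user can actually read once groups are expanded."""
    access = defaultdict(set)
    for dataset, principals in acl.items():
        for principal in principals:
            for user in expand_principal(principal, group_members):
                access[user].add(dataset)
    return dict(access)


def excess_access(acl=ACL, users=USERS, roles=ROLE_ENTITLEMENTS,
                  group_members=GROUP_MEMBERS):
    """user -> data sets readable but not entitled by the user's role.

    A user missing from the role map (leaver, orphaned service account) has no
    entitlements, so everything that user can read counts as excess.
    """
    excess = {}
    for user, datasets in effective_access(acl, group_members).items():
        entitled = roles.get(users.get(user), set())
        if datasets - entitled:
            excess[user] = datasets - entitled
    return excess


def exercised_excess(excess, access_log=ACCESS_LOG):
    """The subset of excess access that has actually been used, per the audit log."""
    used = defaultdict(set)
    for user, dataset in access_log:
        if dataset in excess.get(user, set()):
            used[user].add(dataset)
    return dict(used)


def grant_decisions(acl=ACL, users=USERS, roles=ROLE_ENTITLEMENTS,
                    group_members=GROUP_MEMBERS):
    """(data set, principal) -> 'revoke' if every user the grant reaches is
    over-entitled, 'narrow' if the group mixes legitimate and excess users
    (fix the group membership or split the group), 'keep' otherwise."""
    excess = excess_access(acl, users, roles, group_members)
    decisions = {}
    for dataset, principals in acl.items():
        for principal in principals:
            members = expand_principal(principal, group_members)
            over = {u for u in members if dataset in excess.get(u, set())}
            if not over:
                decisions[(dataset, principal)] = "keep"
            elif over == members:
                decisions[(dataset, principal)] = "revoke"
            else:
                decisions[(dataset, principal)] = "narrow"
    return decisions


def share_with_excess(users=USERS, excess=None):
    """Fraction of known users holding any excess access (the survey's headline number)."""
    excess = excess_access() if excess is None else excess
    return sum(1 for u in users if u in excess) / len(users)


if __name__ == "__main__":
    over = excess_access()
    print("over-entitled:", over)
    print("exercised excess:", exercised_excess(over))
    print("share of users with excess access: %.0f%%" % (100 * share_with_excess(excess=over)))
    for (dataset, principal), action in sorted(grant_decisions().items()):
        if action != "keep":
            print("%s on %s -> %s" % (principal, dataset, action))
```

Two design points matter in practice. First, always expand groups (including nested groups, which this example does not model) before comparing with entitlements; reviewing the ACL as written hides most excess. Second, cross-reference with the audit log: an excess grant that is being exercised is an incident to investigate, while one that is never used is simply a grant to remove at the next access review.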
Implement ISO27001 by deploying IT Governance’s fixed-price ISO27001 implementation solutions, designed to meet any organisation’s preferences for tackling ISO27001 compliance projects.