No matter how professional they are, members of your team – yourself included – are going to make mistakes. It’s true of every organisation on earth. They’ll spill scalding coffee into the firm copier. They’ll work overtime until the office is empty, then head home without thinking to arm the security system. They’ll neglect key accounts, muck up workflows and waste hours developing convoluted solutions to simple problems. And, worst of all, they may unknowingly bumble into the cyber-attack that forces your professional services firm to go belly-up for good.
In the majority of cases, that is exactly what the attacker intended. There’s a saying in the cyber security industry, coined by renowned cryptographer Bruce Schneier: “Only amateurs attack machines; professionals target people.” When it comes to repeating the same process safely and autonomously, machines are less fallible than the average person sitting at a desk. Savvy hackers looking to extract funds from unsuspecting small to medium professional services firms know this. So instead of developing a complex program that dances around the security measures baked into sophisticated modern technology, they target the hapless folks on the other side of the screen.
The strategy works disturbingly well. According to IBM’s 2018 X-Force Threat Intelligence Index, more than two-thirds of firm records compromised in 2017 were due to what they call “inadvertent insiders” – team members who left the front door wide open for the bad guys without even realising it. Negligence, lack of awareness and sheer bad luck put the best-laid plans to shame on both sides of the screen.
But how does it happen? There are three primary causes of employee-related breaches, each of them contributing to a sizable portion of hacks across the country.
1. SOCIAL ENGINEERING
Phishing remains one of the most prominent strategies deployed by hackers to lift data from small and midsize practices. The majority of these attacks stem from an employee clicking on a suspicious link embedded in an e-mail that ranges from dubious to absolutely convincing. To lure your team into the trap, cybercriminals often use data gathered from cursory research into your organisation on the Internet or social media. Maybe they pose as a security expert contracting with your firm, or as customer support for one of your employees’ personal devices. Whatever mask they wear, it doesn’t take much to convince an uninformed individual to click on anything at all, which is why phishing attacks enjoy such a high success rate.
2. CIRCUMVENTED OR INCORRECTLY IMPLEMENTED SECURITY MEASURES
Even if you do everything you can to protect your professional services firm from digital attack, your team may just dodge those measures anyway. According to a report by cyber security firm Dtex Systems, around 95% of companies have employees who will attempt to override previously implemented security processes. And that’s if the security measures are configured, patched and installed properly in the first place. The IBM X-Force report lists “misconfigured cloud servers and networked backup incidents” among the chief concerns of last year.
3. INSIDERS WITH MALICIOUS INTENT
Hell hath no fury like an employee scorned. A strikingly large number of breaches come not from error at all, but from insidious tactics by disgruntled employees or undercover criminals looking to make a quick buck. It’s not quite a “you can’t trust anyone” scenario, but there are definitely folks out there who would sell your professional services firm right out from under your nose.
With each of these in mind, it’s vital that you incorporate extensive employee training to build your team’s cyber security know-how, alongside vetting protocols for the people you bring on board. In addition, you need to implement safe practices that reduce the room for human error, alert employees when something is amiss and protect them from the worst.
We can help. It’s difficult to overhaul your cyber security, especially on the people side, without a round-the-clock team dedicated to pinpointing the weaknesses in your organisation and working to patch them up. In 2019, human error is poised to take an even more central role on the stage of digital crime. Don’t leave it up to chance. Partner with an organisation that has extensive expertise in training employees on security basics and bolstering your defences, and head into Q2 knowing your most precious assets aren’t up to the whims of an unlucky employee.