As it turns out, the people you employ may be your organization’s greatest cyber-security threat. According to a recent study by Finn Partners Research, employees pose a substantial cyber-risk to their organizations.
The study, which surveyed 500 full-time employees at organizations across the United States, found that nearly 40% of workers openly admitted to clicking on links or opening attachments from senders they did not recognize. While this may seem insignificant to the uninformed, this sort of lapse can lead to malware being installed on company devices, ultimately allowing an attacker to harvest confidential corporate information.
According to Jeff Seedman, Senior Partner at Finn Partners and head of the firm’s U.S. cybersecurity specialty group, the fastest and easiest way for attackers to gain access to sensitive organizational data is for unsuspecting employees to click on “nefarious links”. Such threats can be embedded in company emails, websites and even employees’ personal devices.
The growing trend of BYOD (bring your own device) is reflected in the study, which found that over 55% of employees use personal devices for work. This practice directly increases an organization’s exposure to security threats such as hacking, malware and data breaches. Employees often assume that their personal devices are secure; however, failure to update software regularly or to follow proper protection practices more often than not undermines that belief. Should an employee’s personal device be lost, stolen or compromised, an organization’s confidential information can easily be collected by opportunistic attackers.
“Two in five employees admitted to clicking on a link or opening an attachment from a sender they did not recognize.”
In this day and age, an annual cyber-security awareness training session just won’t cut it. With the study indicating that upwards of 31% of respondents have already been victims of such breaches or attacks, regular training should be an integral initiative across all organizations.
There are several initiatives an organization can start today to help reduce its cyber-risk profile. First, take the time to address current cybersecurity concerns with employees across the organization. Monthly internal newsletters or training sessions can be used to share tips and techniques that help employees protect themselves and your organization’s data. Two-factor authentication (2FA) is also a core part of many organizations’ defenses against phishing that relies on the theft or reuse of employee passwords. Most importantly, annual engagement of a skilled and dedicated penetration testing team, such as Packetlabs, will identify your company’s cyber-security vulnerabilities in order of priority.
Packetlabs is often engaged to run phishing campaigns in order to evaluate user awareness. Such campaigns allow an organization to test and measure its employees’ resistance to phishing, ideally without their prior knowledge, much like a fire drill. Managing Partner Richard Rogerson estimates that as many as 1 in 4 employees across most organizations open links or malicious documents, or supply credentials, in response to such campaigns, which reinforces the need for more thorough training.