Educating the Insider Threat
When it comes to protecting an organization against cyber attacks people often think their biggest concern is blocking unauthorized access from outside their network. Protecting your organization with the right technology is absolutely necessary, but it’s not enough.
What about the insider threat? Authorized users who are already inside your network or have inside knowledge about your infrastructure.
While statistics vary on security breaches related to insider threats, a common theme is:
Statistics for insider threat breaches date back many years, are extremely high and are on the rise.
Reports from 2015 show over 50% of security breaches were due to insider threats. Reports released for 2017 show this number rising to almost 75%.
Where breaches from insider threats are found to be unintentional, in most cases they could have been avoided with user awareness training, stronger security policies and support from leadership.
Unintentional means falling victim to phishing attacks, accidentially visiting malicious websites and clicking on malicious links.
What’s interesting about the information above are the solutions listed to avoid these breaches have been the same for years. Yet security breaches due to insider threats continue to increase.
Based on what cybersecurity experts are seeing across all industries, these attacks are on the rise. They increase every year and each year they are becoming harder to detect. With a little surveillance using public information the techniques used in these attacks are becoming more complex. Phishing attacks are increasing. A phishing campaign is easy to launch and cost very little to support. Ransomware transformed from a threat targeting specific industries in 2016 to going global this past year. Malicious websites continue to popup like weeds. As technology advances so will the simplicity with launching attacks.
With an increase in attacks there must also be an increase in awareness training. Users, employees, stakeholders… however you want to refer to them. They are your greatest assets in protecting an organization.
Educating users and raising security awareness are a must. Educating is not a once a year class to check a box on user awareness training. This is where many fall short. Educating is constant awareness and communication, being sent to all users about active threats not only hitting your organization but also threats hitting industries near home to help you get in front of potential threats. Educating is not checking a box.
Protecting an organization from cyber threats has always been a challenge. Being one of the “good guys” you are always on the defense and in a reactionary state. The ultimate goal is to prevent an attack. However, if you have ever been in the thick of one of these incidents you already know this goal shifts to how quickly you can identify, contain and shut it down.
If you work in cybersecurity, take advantage of the low hanging fruit mentioned above that is a finding every year to help prevent security breaches. Educating users and raising awareness.