Article

• Jul 07 2022

Human error: Why employees are your biggest cyber security threat 

4 min read

A chain is only as strong as its weakest link, and cyber security’s weak link is almost always people. 

When we talk about cyber threats, the focus is usually external —active hostility from outside of the business — but within a company, the behaviour of the organisation’s own employees represents danger too. Even the best security measures can fail when there are cybersecurity knowledge gaps.

Here are the most common internal cyber security hazards and how to protect against them.

How your teams compromise your cyber security

Passwords

The NCSC’s UK Cyber Survey found that the most popular password in the UK was ‘12345’, followed by ‘123456789’, ‘qwerty’, ‘password’, and‘1111111’ - it’s little surprise, then, that passwords are a major security gap for so many businesses.

It’s understandable why people have poor discipline when it comes to passwords. We have a password for just about everything electronic, as well as every profile and online account, and the very things that make passwords strong are what make them exhausting to keep remembering and typing many times a day. It’s no surprise that people choose basic passwords and use the same one for multiple devices and accounts.

While password fatigue is no surprise, the bad habits that result are still a threat, for the obvious reason that an easily guessed password won’t keep malicious users out.

Patching

When cyber criminals discover software vulnerabilities, the developers patch them as soon as possible. However, if users don’t download the latest updates, they don’t get the patch, and their software still has vulnerabilities that hackers know how to exploit.

Physical

Not every cyber threat is purely digital. Leaving a laptop open and unlocked in a café is a glaring security error, but one that many don’t take at all seriously. In the hybrid working environment, that kind of remote working threat is only more common.

Even in the office, not every team member will be sensitive to who is present in the building. Interviewees or guests from other companies can easily access documents and data if they’re left on screen, or printed out and sitting on an unattended desk.

Similarly, when passing through a security door or gate, realistically not many people will prevent a tailgater from following them. The immediate social pressure is more powerful than the threat of security compromise.

Misdelivery

Start typing in the ‘to’ section of an email and the software will probably suggest some recipients. Accepting a suggestion without checking can mean sensitive information easily reaches someone who shouldn’t have it.

Alternatively, choosing ‘cc’ instead of ‘bcc’ could mean a data breach that results in a GDPR fine, as happened to the NHS, which inadvertently shared not only email addresses, but also did so in the context of highly sensitive communication.

How organisations can reduce internal cyber security threats

Kaspersky found that 44% of companies don’t believe their employees properly follow IT security policies, but that only 26% intend to enforce those policies.

When a security breach is due to the actions of an employee, the company is still ultimately to blame — better technology, leadership, or culture could easily have prevented it.

Here are the areas for improvement that will protect your organisation from within.

Culture

10% of workers don’t lock their smartphones, though 41% have the same device for work and personal use. That suggests a very casual relationship with security among a lot of workers. Those kinds of habits (or lack of them) are hard to shift with directives and instructions, especially if those instructions are only on one of many induction documents that are quickly scanned and forgotten.

A data security culture takes a long time to build, and hard work to maintain, but you can ensure greater success with technology and leadership.

Technology

Your security culture will embed much easier when it’s supported by easy-to-use technology. Making it simple to follow security protocols (or difficult not to) will remove a major barrier.

Things like multi-factor authentication, user behaviour analytics, and cloud security can transform the company’s relationship with data and security.

Leadership

Cyber security experts who can understand a business and inspire change (rather than impose it) are hard to find and secure, but they’re the leaders that your business needs if you’re going to make fundamental changes and developments.

For help discovering and attracting those leaders to your organisation, contact us at people@rpint.com. Our vast talent network and industry expertise deliver the talent you need to make your business secure from the latest cyber security threats.

RPI provides access to the top leadership and technology talent globally