Cyber security and cyber crime are increasingly being talked about, given the high-profile cases of the past few months. Companies are becoming more aware of external threats and of the fact that no one is exempt from a potential attack. The mind instantly wanders to the image of an external hacker, but what about the insider threat?
Do employees really know their role in information security? Are greater education and a change in culture required?
On one hand, an employee may make an innocent mistake, such as accidentally sending sensitive information to the wrong recipient. On the other, recklessness may come into play. Google Chrome engineers conducted a study which found that 75% of people would ignore security messages whilst closing a webpage, 79% ignored them while watching a video, and 87% ignored them while transferring information, for example a confirmation code. It is easy to have an "it wouldn't happen to me" attitude, or to be so focussed on getting something done that such messages are dismissed, but ignoring them can have significant consequences.
The U.S. firm Nuix commissioned a survey back in 2016 which found that 93% of respondents considered human behaviour to be the greatest weakness when it came to data protection. It would appear that employers need to start taking their data culture more seriously and provide better guidance and education. According to an ISACA survey last year, 76% of UK office workers did not know what ransomware was and 36% could not confidently define a phishing attack.
We also cannot forget the more malicious attempts that need to be considered. More recently, the risk that former employees pose to UK businesses has come into the limelight. OneLogin conducted a study which found that an estimated 58% of former employees can still access their corporate networks, with approximately 24% of UK businesses having experienced data breaches by ex-employees. "The sheer level of data breaches revealed by our study, coupled with the revelation that many businesses are failing to put simple processes in place to promptly deprovision ex-employees, should raise serious alarm bells for business leaders", said Alvaro Hoyos, Chief Information Security Officer at OneLogin. "Our study suggests that many businesses are burying their heads in the sand when it comes to this basic, but significant, threat to valuable data, revenue and brand image."
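The "simple process" Hoyos refers to can be as basic as a regular reconciliation between the HR leavers list and the identity provider's account export. The script below is an added example written for this article, not code from OneLogin or from the IAM; the HR extract, the account export, the e-mail addresses and the one-day grace period are all constructed assumptions. It flags leavers whose accounts are still enabled past the deprovisioning deadline, and, separately, any account that was actually used after the person's last working day, which is the case that turns a missed deprovisioning into a breach.

```python
"""
Added example: reconcile an HR leavers list against an identity-provider
account export to find ex-employees who still have access. The data below is
constructed for the example; field names are assumptions, not any vendor's API.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR "leavers" extract: who left and when (last working day).
HR_LEAVERS = [
    {"email": "a.smith@example.com", "last_day": "2017-03-31"},
    {"email": "b.jones@example.com", "last_day": "2017-05-12"},
    {"email": "c.patel@example.com", "last_day": "2017-06-02"},
]

# Constructed identity-provider export (AD/LDAP, Okta, etc. would be the real source).
IDP_ACCOUNTS = [
    {"email": "a.smith@example.com", "enabled": True,  "last_login": "2017-06-20T08:15:00"},
    {"email": "b.jones@example.com", "enabled": False, "last_login": "2017-05-12T17:05:00"},
    {"email": "c.patel@example.com", "enabled": True,  "last_login": "2017-06-01T09:00:00"},
    {"email": "d.lee@example.com",   "enabled": True,  "last_login": "2017-06-21T10:30:00"},
]


@dataclass
class Finding:
    email: str
    issue: str    # "still_enabled", "used_after_leaving" or "no_account"
    detail: str


def reconcile(leavers, accounts, as_of: date, grace_days: int = 1):
    """Return a Finding for every leaver whose account is not cleanly deprovisioned.

    grace_days is the number of days after the last working day by which the
    account must be disabled (assumed policy value; one day here).
    """
    by_email = {a["email"].lower(): a for a in accounts}
    findings = []
    for leaver in leavers:
        email = leaver["email"].lower()
        last_day = date.fromisoformat(leaver["last_day"])
        deadline = last_day + timedelta(days=grace_days)
        acct = by_email.get(email)
        if acct is None:
            # Not a breach, but the join failed: nothing to verify for this person.
            findings.append(Finding(email, "no_account", "no IdP account matched this leaver"))
            continue
        if acct["enabled"] and as_of > deadline:
            days_over = (as_of - deadline).days
            findings.append(Finding(
                email, "still_enabled",
                f"account still enabled {days_over} day(s) past deprovisioning deadline {deadline}"))
        # Any sign-in after the last working day is real use of access by an ex-employee,
        # regardless of whether the account has since been disabled.
        last_login = datetime.fromisoformat(acct["last_login"])
        if last_login.date() > last_day:
            findings.append(Finding(
                email, "used_after_leaving",
                f"last login {last_login.isoformat()} is after last working day {last_day}"))
    return findings


def run_check(as_of_iso: str):
    """Run the reconciliation over the constructed data as of the given date."""
    return reconcile(HR_LEAVERS, IDP_ACCOUNTS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for f in run_check("2017-06-22"):
        print(f"{f.email}: {f.issue} ({f.detail})")
```

Joining on e-mail address is the assumption that most often breaks in practice (renamed mailboxes, contractors without HR records); a real implementation should join on the employee identifier that both systems share, and should cover every system that holds accounts, not only the central directory.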
Companies need to invest in making sure that their information management systems are robust. But they also need to provide employee training, both to build knowledge and to bring about a cultural shift in which the importance of security is recognised.
The IAM is working with businesses through its development of Information Security Workshops, in line with the international security standard ISO 27001. These workshops help employees to begin asking the relevant questions and to build in their own processes, ultimately contributing to the resilience of their business and its cyber security culture.