Malware infections and data breaches are trending upward. In its “State of Malware Report,” security company Malwarebytes detected nearly 1 billion malware payloads in 2016, with ransomware taking the lion’s share and accounting for 66 percent of all attacks. Meanwhile, Help Net Security noted that Office 365 account compromises are on the rise as cybercriminals use legitimate-looking phishing emails to trick users and steal their credentials.
The logical conclusion: Cybersecurity threats for small and midsize businesses are driven by active, malicious cybercriminals hell-bent on causing trouble. However, according to a new survey from Keeper Security and the Ponemon Institute, titled “The 2017 State of Cybersecurity in Small and Medium-Sized Businesses,” more than half of IT experts point to another source: employees.
Unintended Consequences of Cybersecurity Threats
Most staff members aren’t trying to expose small and midsize businesses (SMBs) to cyber risk. While it’s possible that disgruntled current employees or ex-staff members could use their credentials to cause havoc, it’s typically not worth the risk.
So what’s happening? Put simply, the consumerization of technology has unintended consequences. Users are now accustomed to having personal device access anytime, anywhere, leading them to leverage insecure cloud apps. Since nearly half of business-critical applications can be accessed via tablets and smartphones, employees may accidentally leak confidential information.
Far and away the most worrisome attack vector is phishing. As noted by the Keeper Security report, 54 percent of SMBs experienced a cyberattack in the past year, and 79 percent of those attacks were phishing efforts.
Recognizing Key Issues
So how do companies solve the problem of staff-based cybersecurity threats? The first step is recognizing key drivers.
A recent poll conducted by Centrify found that bored employees represent the biggest single risk to data security. It makes sense, since staff members who aren’t paying attention won’t catch potential threats.
Another problem is lack of training. Many phishing messages are well-written, contain seemingly legitimate links and may even come from email addresses within the company. Add in the social stress of urgent mail supposedly sent from finance or C-suite leaders, and it’s no wonder employees are willing to click through to compromised sites. Even if they realize something has gone awry, employees may not report the issue to IT for fear of being reprimanded or fired.
Solving the Problem
Solving for employee-sourced cyberattacks isn’t a perfect science. No matter how much SMBs invest in training and education, there’s always the chance of a breach. However, it is possible to significantly reduce total risk.
Start with clear, hands-on training. Teach staff members what a phishing email looks like, then provide real-world scenarios to help spot them. Make it clear that not responding to suspicious emails won’t lead to punitive measures, even if these emails later turn out to be legitimate.
This step is critical. Since SMBs must operate at full capacity to hit revenue targets and stay competitive, employees often feel like they’re better served taking the risk on suspicious emails rather than contacting IT or asking the sender for verification. If management, IT and staff members are all on the same page, however, it’s possible to sidestep most phishing attempts.
Clear mobile device policies are also critical. Since most SMBs will allow employees to use personal devices to boost productivity, IT teams need to hold the line on installing remote-wiping apps and restricting access to files as needed. Offering a corporate virtual private network (VPN) and educating staff members about public Wi-Fi risks can also strengthen the organization’s security posture.
The bottom line is that SMB cybersecurity threats are on the rise, and employees are the source of the problem. Security leaders can limit the chance of compromise with better training, clear policies and management support.