No matter how professional they are, members of your team – yourself included – are going to make mistakes. It’s true of every organization on earth. They’ll spill scalding coffee into the company copier. They’ll work overtime until the office is empty, then head home without thinking to arm the security system. Worst of all, they may unknowingly stumble into a cyber-attack that knocks your business off its feet.
In the majority of cases, that will be by design. There’s a saying in the cyber security industry, coined by renowned cryptographer Bruce Schneier: “Only amateurs attack machines; professionals target people.” When it comes to repeating the same process safely and autonomously, machines are less fallible than the average person sitting at a desk. Savvy hackers looking to steal funds from unsuspecting small businesses know this. So instead of developing a complex program that dances around the security measures designed into sophisticated modern technology, they target the imperfect human on the other side of the screen.
The strategy works disturbingly well. A Statistics Canada survey found that more than 20 percent of Canadian companies were hit by a cyber-attack in 2017, with businesses spending $14-billion on cybersecurity. Claudiu Popa, CEO at Informatica Security Corporation and one of the foremost cybersecurity experts in Canada, thinks the number of attacks is much higher. “We assume every company has been breached, but hasn’t detected it yet,” he says.
But how does it happen? There are three primary causes of employee-related breaches, each of them contributing to a sizable portion of hacks across the country.
1. SOCIAL ENGINEERING
Phishing remains one of the most prominent strategies deployed by hackers to lift data from small and mid-size businesses. The majority of these attacks stem from an employee clicking on a suspicious link that is embedded in a convincing email. To lure your team into the trap, cybercriminals often use data gathered from a brief investigation of your organization on the Internet or social media. Maybe they pose as a security expert contracting with your company or a member of a customer support team behind one of your employees’ personal devices. Whatever mask they wear, it doesn’t take much to convince a trusting individual to click on anything at all, resulting in a high success rate for phishing attacks.
2. CIRCUMVENTED OR INCORRECTLY IMPLEMENTED SECURITY MEASURES
Even if you do everything you can to protect your business from digital attack, your team may just dodge those measures anyway. According to a report by cybersecurity firm Dtex Systems, around 95% of companies have employees who will attempt to override previously implemented security processes. And that’s if the security measures are configured, patched and installed properly in the first place. The IBM X-Force report lists “misconfigured cloud servers” among the chief concerns of last year.
3. INSIDERS WITH MALICIOUS INTENT
An employee scorned is not to be taken lightly. A strikingly large number of breaches come not from error at all, but from insidious tactics by disgruntled employees or undercover criminals looking to make a quick buck. It’s not quite a “you can’t trust anyone” scenario, but there are definitely people out there who wish to harm your business either for their own gain or as a means of retaliation.
With each of these in mind, it’s vital that you incorporate extensive employee training and vetting protocols to maximize your team’s cybersecurity know-how. In addition, you need to implement safe practices that reduce the room for human error, alert employees when something is amiss and protect them from the worst.
We can help. allCare IT is happy to provide employee training as well as network scans and protection. Don’t hesitate to call us if you feel that your business may be at risk or send in a ticket to firstname.lastname@example.org.