Are employees really the weakest link in your cyber-defense strategy?

Posted by:

It’s been touted for awhile that people, be they employees, business partners or consultants, are the true weakness in the cyber defenses of an organization.

It is people – all with some level of access to the inner sanctum of the network – that have been a main focus for malicious agents (aka “the bad guys”).

It isn’t rocket science as to why – as technology gets more complex and savvy, it is more difficult to sneak into a system undetected from a position of zero trust. You are too reliant on chance, such as finding existing vulnerabilities or exploiting a zero-day.

But if you have someone on the inside, then the job is much much easier. The task at hand now is to fool or convince these employees into parting with a valuable piece of information.

Of course, these leaks can happen because the employee is disgruntled or frustrated. Perhaps they are going to a new job and are trying to leave with some confidential information. Or maybe they are really annoyed that they were passed up for promotion so they are hoping to disrupt operations in retaliation.

However, these types of attacks are rarely successful.

Most of the time, information leaks that stem from insider information take place because the person on the inside of the company is simply unaware that whatever information was passed on put the entire organization at risk.

Imagine for a second that a sales rep receives a harried call from “the IT Department” demanding her email password in order to stop an attack in progress RIGHT NOW.

But of course the call doesn’t originates from the actual IT team (though our sales rep wouldn’t have the first clue about how she might verify that), and the attack is fabricated to lend the call some urgency, cut down on probing questions, and get the recipient to follow orders rather than think critically about what is going on.

Let’s be honest here. We are obviously a rather trusting species who as a general rule don’t very much like acting skeptical every time someone says they need something from us.

Yet, this is what many cybersecurity folks have been asking of employees for over a decade.

Ultimately, the responsibility of the organization is not only to secure the environment, employees, customers and data from detrimental cyber harm, but to encourage employees to be as efficient and effective as possible to help grow the operation, be they delivering products or services.

And this very requirement means that employees will likely always be the Achilles heel from a cybersecurity point of view.

But all is not lost. Thankfully, we have technology and services to help us mitigate against these types of threats. For example, event logging can sound a silent alarm when unusual operations are recorded on the system, such as Sally downloading the entire contact list, or Fred’s credentials are being used on a new device. While it is possible that these actions are appropriate, there is also a chance that these actions are for nefarious purposes. Endpoint, email and web security software can monitor and block unusual behaviors from taking place. Firewalls monitor the perimeter, encryption and backups help to secure data….

There are thousands of security options out there. Depending on your company objectives, services and modus operandi, certain security elements may be very useful, others may be detrimental to your end goals.

Getting an expert security risk assessment will balance your needs and budget and prioritize your security requirements. Are you focusing on the right attack vectors? Is your data locked down? Who has access to your most prized data and why? What hurdles would an attacker have to bypass to lay their hands on X or Y?

Knowing the answers to these questions like these helps you provide a much safer environment, safeguarding employees, your organization, your customers, and your data.

More information
If you want to learn more about how Risk Assessments can help you, give us a shout. We are here to help.

0
  Related Posts
})
SEC Cybersecurity Exams