PER USE CASE
The top security risk you face isn’t zero day attacks or a cabal of expert hackers. Learn why your hybrid workers pose the biggest threat to your organization, and how to keep them safe.
ARTICLE | 5m read
July 12, 2022
We all make mistakes. Perhaps we left our laptop open when we got up at a coffee shop. Maybe we clicked a link inside an official-looking email. And who among us hasn’t used the same password across multiple web apps or company logins? These errors are simple, commonplace, and seemingly harmless—but they also represent the primary security threat to your organization. Such mistakes are what the 2022 Verizon Data Breach Investigation Report describes as “the human element” in cybersecurity, which is the source of a staggering 82 percent of data breaches.
It’s critical we take the human factor of security seriously. This is not an invitation to abandon your ongoing investments in cybersecurity tools and technology, nor is it a call to end remote access to sensitive data for hybrid workers. Instead, we must recognize the large impact human behavior has on security and use this insight to design a security strategy that both protects employees wherever they work and keeps company data safe.
The Harvard Business Review reported that malicious or negligent insiders were the top threat to your data security back in 2016, and this risk has intensified in today’s age of hybrid work. Why? Because remote and hybrid work dramatically expand the surface area for security risks as remote employees rely more on personal devices and public networks to access private company apps and information. This means your IT team needs to centrally monitor, manage, and secure more endpoints than ever. At the same time, bad actors are stepping up their attacks to take advantage of hybrid work vulnerabilities.
Security tools like zero trust network access and web application firewalls address this issue from the technology side, but there is an underlying risk actor that no security tech can fully stop—the end user. There’s a reason 54 percent of companies consider employee mistakes the biggest threat to their sensitive data. End users with verified access to your apps and data can make business-ruining mistakes before anyone in IT could notice or stop them. To echo an earlier point, this is not reason to never trust any hybrid employees again. Instead, this is a dire warning that no amount of security technology can fully protect your organization unless it’s paired with security training for every employee.
Training employees to work securely begins by understanding the top threats to hybrid workers. For example, ransomware attacks have increased by 13 percent in the last year alone. Sophisticated ransomware represents huge financial risk as well as a massive threat to your business reputation—especially if you work with personal identifiable information (PII) or classified materials. To prevent your organization from appearing in another ransomware headline story, you need to train your hybrid workers on how to avoid the errors that lead to ransomware attacks.
The primary human errors that ransomware uses to enter an organization’s system are clicking on phishing emails or allowing access credentials to be stolen. Phishing might seem like an antiquated worry, especially when you learn that only 2.9 percent of employees may actually click on a phishing email. However, bad actors can easily send thousands of phishing emails at a time—and they only need one person to click a link to breach your system and make an illicit profit. Stealing access credentials has become nearly 30 percent more common since 2017, so you also must teach employees to recognize how bad actors use social engineering to trick workers into sharing login information. Social engineering refers to a bad actor deceiving someone into giving up protected information, such as a hacker posing as an in-house IT worker and calling your employees to “confirm” their password and email address.
Human error is often exploited offline as well. It’s easy for a lost and unlocked laptop, tablet, or smartphone with access to a company’s web apps or data to lead to a major security incident. Even as the pandemic reduced business travel, the Verizon DBIR confirms that if you entrust portable devices to employees, a certain percentage will misplace or leave them where they can easily be stolen. For example, the most common type of theft is the result of leaving a computer in a personal vehicle.
To prevent human error from causing a major data breach, you need to increase the security IQ of everyone in your business and join the 85 percent of security decision makers who see security as a shared responsibility for all employees. Boosting security IQ for all workers includes lessons like understanding the importance of complex passwords. Too many employees prioritize passwords that are simple to enter and recall, then reuse these easy-to-crack passwords across multiple sites. Strong passwords are especially important if hybrid workers access work data on personal devices, as a weak password makes it simple for a bad actor to breach the company network using a stolen device.
Using strong passwords is only one example of how to get employees to improve their security behavior. As you implement a security awareness and training program, it helps to provide access to key security information inside quiz-based mobile apps. With a median interaction time of 15 seconds, these short quizzes educate individual users about the unique risks they face as well as the impact of those risks on themselves and the organization. This shows both employees and managers which security behaviors are most in need of improvement, helping to create a stronger security culture across your company.
Security technology will always have a key role to play in keeping ahead of zero-day threats to your web apps and business data. Your IT team is essential for managing your new endpoints and overseeing new security tools. But you must never forget how vulnerable your cybersecurity can be to human mistakes. By treating your employees as the front line of security strategy and increasing their security IQ, you can help them handle business data securely and be excellent stewards of your customers’ trust.
Learn more about the state of security in our hybrid work world by reading this report.