The common maximum today, is that when it comes to cyber security, people are the weakest link. Research suggests that insiders are responsible for some 60% of breaches, and that the number of these incidents has risen by 47% since 2018. However, while the term “insider threat” is often used to describe a deliberate act, in reality, there is a wide range of possible incidents, ranging from accidentally clicking on a malicious link to intentionally stealing data.
There are four main types of insider threat, pawns, goofs, collaborators and lone wolves. Pawns are employees who are manipulated into unintentionally carrying out malicious activities, through social engineering or spear phishing. They might accidentally download malware, or give their login credentials to a bad actor without thinking. Goofs, while not malicious, take deliberately and potentially harmful actions. These guys are either ignorant or arrogant and don't believe that security policies apply to them, and actively try to bypass controls for their own convenience. Finally, collaborators actively co-operate with competitors or nation states, using their access to steal IP or disrupt operations, and lone wolves operate without outside influence (think Edward Snowden).
There’s not much organisations can do about the last two, but rather than deal with human error and ignorance, they should take the time and spend the money on educating their workforce, organisation wide, on cyber security. Threat actors are actively looking to exploit employees across the spectrum, so working with them to protect both of them and your business through training and education is common sense.
This is particularly true in today’s digital and post-COVID world where almost everything is connected, people are working from home, and are attaching to the corporate network via one or more of their own devices. Training and education will help staff members exercise vigilance, particularly if done on a regular basis. In their day-to-day business, employees will be able to identify attack vectors more easily, and will automatically think twice before clicking links or opening attachments in emails. Moreover, they will stop using easily hackable passwords, and will be more cognisant of software updates.
All in all, education and training equip the workforce with the skills and tools, and understanding of the protocols they need to make the mental adjustments that will go a long way towards protecting your organisation. Also, the understanding and expertise they gain will make employees significantly more comfortable when it comes to reporting any security incidents or anomalies that might indicate that something is amiss.
In addition to all of this, creating an enterprise wide culture of cyber security will take a fair amount of pressure off of your IT and security teams. With the exception of large multi-national companies who have the budgets to employ separate cyber security teams, until now, cyber security has been the purview of the IT team, who have many other technology-related tasks they need to do. Freeing them up by ensuring you have fewer cyber security incidents happening because your staff members are not falling into the old traps, can only benefit everyone.
And training and education is not only for general staff. Cyber security professionals also need to keep their skills relevant. We live in a world where threats are constantly evolving and changing, meaning cyber security is not an easy field to keep abreast of. Security practitioners need to stay in the game, and be constantly learning, training and practicing. Any additional techniques and information that they can add to their arsenal to help them stay one step ahead of the threats could prove invaluable. they need to develop new skills to stay ahead of the trend cycles, where advances in technology quicken the development of products and services. This, in turn, leads to new ways of doing things, and technology is no different.
And yes, of course, investing in cyber security education and training means you will have to spend money, particularly if you plan to make it a regular event. However, if you think about the cost of a breach, which goes way beyond data loss, to incorporate reputational damage and potentially huge regulatory fines, or paying to get your data back in the aftermath of a ransomware attack, it’s a small price to pay in the long run.