Are Untrained Staff the Biggest Threat to Business?
Cybercrime is a widespread topic of concern and recent findings suggest that companies should not only worry about threats from external sources but also the increasing risk of internal threats. Ray Woodford of SGS looks at how businesses can better educate their staff on information security.
When an employee accidentally opens a social media scam or phishing email, in most situations (after panicking) his or her immediate reaction is to promptly close the link, discard the evidence and breathe a sigh of relief that the problem has hopefully disappeared or been resolved.
The chances are that some of you have fallen victim to this slip-up on at least one occasion, and it may have seemed harmless at the time, but this type of incident can be a business’s worst nightmare when it comes to keeping its information secure.
According to the 2015 HM Government Information Security Breaches Survey, 50% of the worst data breaches in the year were caused by inadvertent human error and at least 75% of large organisations suffered a staff-related security breach (up from 58% in 2014). These findings suggest that humans are currently the biggest threat to business and that, whether their actions are deliberate or unintentional, data breaches caused by staff are rising.
The Human Factor
So what actually happens when an employee carelessly clicks on an unsafe link? When a dangerous email link is opened it can result in malware being downloaded onto the equipment. This then leaves the equipment and network open to a variety of attacks, from financial loss or data loss to extortion (e.g. Cryptolocker). In addition, a high proportion of cybercrime is known to occur with the partial involvement of a rogue insider or an ex-employee. A recent LogRhythm survey revealed that 86% of UK consumers do not know what spear phishing is, while 40% of those have accidentally shared confidential information by clicking on suspicious links. Despite this, 66% of staff members do not receive any form of cyber security training. The disturbing reality is that if employees are not adequately trained then they are less likely to understand how to identify or deal with possible security breaches. Hackers can then exploit this vulnerability to infiltrate networks and open the door to an endless abyss of data.
Instead of focusing too much attention on the latest software on the market, companies need to be proactive and invest more time in educating their staff about the issue at hand. Employees need to understand that they too have an individual role to play in keeping their company’s information secure. Technology alone will not protect a company from an attack. Many cyber threats are now growing at a faster rate than the technology developed to combat them. It is crucial for organisations to ensure that they have adequate information security policies and procedures in place, along with a high level of staff awareness training, so that their employees are quick to recognise suspicious activity. Building a culture of information security throughout a company will help to reduce the risk of data breaches and minimise the effects on assets and systems.
Safeguarding Yourself With ISO 27001
The HM Government Information Security Breaches Survey also found that organisations with security policies and internal education programmes experience a third fewer breaches. Furthermore, the study confirmed that ISO 27001 – the Information Security Management Systems (ISMS) standard – remains the world’s leading standard for security management. It provides a best practice framework to help manage and protect information by considering every critical risk in order to identify potential threats. Certification to ISO 27001 also ensures that companies are meeting regulatory obligations and that their processes and procedures are good enough to protect the information that is vital to their business.
To help mitigate the risk of internal threats from ignorant or unsuspecting employees, ISO 27001:2013 places equal emphasis on training and on the role of leadership in driving communication down through all executive levels, so that staff are kept constantly informed about new policies.
Increasing numbers of organisations are now demanding evidence that their suppliers and business partners comply with information security management standards to protect themselves against cyber breaches. ISO 27001:2013 demonstrates the integrity of a company’s systems and their ongoing commitment to information security. This gives both current and potential customers confidence that their data is safe and secure.
Helen Pullin, Organisational Improvement Manager at Enact (one of the UK’s largest specialist conveyancers, certified to ISO 27001 by SGS), said: "Enact has found that ISO 27001 certification has brought many benefits; it has provided a recognised structure for our information security policies and controls, and a formalised approach to identifying improvements and implementing them in a way that employees understand and commit to. But probably the biggest benefit is that it sets us apart from our competitors and gives our clients and referrers reassurance that their customers' data is in safe hands."
Organisations open themselves up to potential cybercrime if their information is not kept under lock and key. If an organisation experiences a data breach it can take months or even years to recover, and some companies fail to recover at all. Effective technology is a vital defence, but if employers continue to overlook the need for information security management and internal training, then hackers will continue to take advantage of this weakness and the likelihood of a cyber attack will increase.
Ray Woodford is UK Product Manager for ISO 27001 and ISO 22301 at SGS (www.sgs.co.uk). SGS offers a range of ISO 27001 audit, certification and training services. For more information, go to www.sgs.co.uk/iso27001.
SGS is the world’s leading inspection, verification, testing and certification company. SGS is recognised as the global benchmark for quality and integrity. With more than 85,000 employees, SGS operates a network of over 1,800 offices and laboratories around the world.