Cyber security risks: understanding why employees are insider threats
Human error is the number one cause of data breaches. This means that employees pose a major cyber security risk to businesses.
In this article, we:
- Explore the different ways employees can be a cyber security risk
- Explain the key reasons why businesses suffer a user-related data breach
- Outline how employee cyber security education can help mitigate this.
What are the different types of insider threats within your business?
According to Verizon’s Data Breach Investigation Report (DBIR), over 86% of data breaches involve the ‘human element’. A common misconception is that all user-related data breaches are caused by simple negligence, e.g. clicking on a phishing email. Although negligence plays a huge role in most user-related data breaches, a large share of them also involve additional factors.
According to Verizon’s report, these are the three main types of insider threats:
Negligent users – make up 61%
The biggest group of insider threats are people who don’t think before they act – negligent users. They might send the wrong email, attach the wrong file or click on a malicious phishing link.
Negligent users, with credentials exposed on the dark web – make up 25%
These users are less common but at greater risk than the first group, because their credentials (usernames, passwords) have been exposed on the dark web. Attackers often use these credentials to launch targeted attacks that look more legitimate than traditional mass-email phishing attacks.
Malicious users – make up 14%
While infrequent, there are times when an employee may exhibit malicious intent towards the business. Such instances often involve a disgruntled current or former employee downloading sensitive company information, which is then used for illicit purposes such as selling it to a competitor or leveraging it in a new job or business venture.
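The second category above (users whose credentials have already leaked) is the one a business can detect mechanically rather than through awareness alone: screen every password at the moment it is set or changed against a corpus of known-exposed passwords, and force a reset for any match. The following is an added example, not code from the article or from any HRM service. It mimics the hashed-prefix range-query pattern used by public breach-check services, so only the first five hex characters of the SHA-1 digest would ever leave the client; the breach corpus here is a constructed three-entry stand-in, and `range_lookup` is a local function playing the role of the remote endpoint.

```python
import hashlib

# Constructed stand-in for a breach corpus (real services index billions of leaked hashes).
_CONSTRUCTED_LEAKED_PASSWORDS = ["password", "Summer2023!", "letmein"]


def _sha1_upper(text):
    """Upper-case hex SHA-1 of a string, the format range-query services use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Index the corpus by 5-character prefix, exactly as the range-query design does,
# so a lookup returns every suffix sharing that prefix and never a single hash.
_RANGE_INDEX = {}
for _pw in _CONSTRUCTED_LEAKED_PASSWORDS:
    _digest = _sha1_upper(_pw)
    _RANGE_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_lookup(prefix):
    """Local stand-in for the remote endpoint: all known suffixes for a 5-hex-char prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return _RANGE_INDEX.get(prefix.upper(), set())


def check_password(password):
    """Return (exposed, prefix_sent).

    Only the prefix is sent to the lookup; the suffix comparison happens on the
    client, so the service learns neither the password nor its full hash.
    """
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix), prefix


def password_policy_accepts(password, min_length=12):
    """Policy check at password-set time: long enough AND not in the exposed corpus.

    Returns (accepted, reason) so the caller can tell the user why a reset is required.
    """
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    exposed, _ = check_password(password)
    if exposed:
        return False, "appears in a known credential leak"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Summer2023!", "xq7!Lm#9vT2pRz"):
        print(candidate, password_policy_accepts(candidate))
```

Running the check at set/change time is the point: a business rarely holds plaintext passwords for existing accounts, so the exposed-credential problem is caught on the way in, and a separate alert on the username from dark web monitoring is what triggers a forced reset for accounts that already exist.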

Why are employees such an insider threat?
Employees make mistakes
It is inevitable that every employee will make mistakes from time to time, whether it be misdirecting an email or attaching the wrong file. The reality is that 43% of employees admit to having made a mistake at work that has potentially compromised cyber security. The issue is that these types of seemingly minor mistakes can result in sensitive data being accessed by cyber criminals or made public on the dark web, which can then be used in a targeted attack.
Employees are lucrative targets
It is worth noting that a surprising amount of information about your business can be found online, including details about your suppliers, contractors, and customers. This makes it simple for malicious actors to impersonate both internal and external contacts. Even a single successful impersonation can put your entire business at risk.
The most common method used by attackers to target employees is phishing. Over the past few years, these types of attacks have evolved. They have become less reliant on tricking users through generic ‘send-to-all’ email scams and instead have focused more on ‘spear phishing attacks’. This involves using prior research to target and deceive a specific individual.
For example, an employee – or group of employees – may receive an email which appears to be from the Managing Director, asking for an immediate payment to be made to a known supplier. Individuals who are not sufficiently educated on cyber-crime may not be aware of the checks that should be made to confirm the legitimacy of the email.
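The checks that distinguish the Managing Director scenario above from a genuine request are mostly mechanical and can be automated at the mail gateway or in a mailbox rule. The following is an added example, not code from the article or from any vendor's product. It uses Python's standard `email` module to read four indicators out of a message: a display name that matches an executive in the directory while the address does not, a `Reply-To` on a different domain from `From`, a sender domain that is a near-copy of the company domain, and urgent-payment language in the subject or body. `COMPANY_DOMAIN`, the `EXECUTIVES` directory and both sample messages are constructed for the example.

```python
import difflib
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed: your organisation's mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed directory entry (display name -> address)
URGENCY_TERMS = ("immediate payment", "urgent", "wire transfer", "asap")


def _domain(address):
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_lookalike(domain):
    """True if the domain closely resembles the company domain without being it."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.8


def _body_text(msg):
    """Collect text/plain content whether or not the message is multipart."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", errors="replace") for p in parts)
    return msg.get_payload() or ""


def impersonation_flags(raw_message):
    """Return a list of human-readable indicators found in an RFC 822 message string."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    flags = []

    # 1. Display-name spoofing: the name is an executive's, the address is not.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display name matches an executive but the address differs")

    # 2. Replies are silently redirected elsewhere.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("Reply-To domain differs from From domain")

    # 3. Lookalike sender domain (e.g. a swapped or inserted character).
    if _is_lookalike(from_dom):
        flags.append("sender domain is a lookalike of the company domain")

    # 4. Pressure to pay immediately, the hallmark of the scenario in the text.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgent payment language")

    return flags


# Constructed sample: impersonates the director, uses a lookalike domain and a foreign Reply-To.
SPOOFED_MESSAGE = """From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jd.payments@mail-relay.example.net
To: accounts@example.com
Subject: Immediate payment to supplier

Please pay the attached invoice today, I'm in meetings all afternoon.
"""

# Constructed sample: a genuine internal message from the same executive.
LEGIT_MESSAGE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, impersonation_flags(sample))
```

None of these indicators is proof on its own; a message that trips several of them is what should be held for review, and a payment request that trips any of them should be confirmed with the named executive over a channel other than email before money moves.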
Employees break the rules
People in any business are capable of breaking the rules, be it maliciously or accidentally. A significant number of rule violations go well beyond non-compliance with password policies: in some cases, employees steal corporate data and then sell it on the dark web.
Most cases, however, are less malicious and mainly revolve around staff looking to cut corners – like sharing their password with a colleague so that there isn’t the need to create a separate account for a service.
Transform employees into a cyber security asset
Many businesses run annual or quarterly security awareness initiatives, such as workshops or training courses, to address their human cyber security challenge. However, these sessions are often too infrequent and unengaging for employees to learn new information and apply it to their daily work. Regular, short and engaging training is needed for employees to learn and remember information about the latest threats and best practices.
Build a security-savvy workforce through Human Risk Management (HRM)
Human Risk Management (HRM) is the modern approach to building a security-savvy workforce without affecting their productivity.
Our HRM service helps you understand and reduce human cyber risk over time through regular training, phishing simulations, dark web monitoring and simplified policy processes.
As part of Cyber Awareness Month, you can get a free Human Risk Report (HRR) to calculate your human cyber risk. It’s a straightforward process. With a few simple steps we calculate the human risk score of your business, then provide you with a clear action plan focussed on strengthening at-risk areas.
Contact us today to claim your free Human Risk Report (HRR) and we’ll start analysing your business for vulnerabilities.

Explore our Human Risk Management service
Transform employees into your first line of defence. Calculate, reduce and monitor human cyber risk with the new class of user-focused security.
