About our Cyber Security Series of articles
Our Security teams have identified common challenges organisations face when dealing with Cyber Security threats, and this series of articles aims to help readers identify and address these risks. The most common and often overlooked aspect of cyber security is people and the risks they pose across the organisation.
Whether knowingly or unknowingly, human beings are often the most common cause of IT security breaches, and even if a business has robust, multi-layered IT security technology solutions in place, human action can make these redundant and expose an organisation to real risk.
In this first series of articles, we look at key user types or roles inside an organisation as well as typical profiles that pose risks from outside an organisation.
Ignore them at your peril – they’re often the cyber criminal’s easiest way through your technological defences.
#1 – New Users / New Employees
Individuals new to the organisation, moving to a new department, or simply new to a system or process, typically operate initially without the benefit of experience.
Over 75% of large organisations suffered staff-related security breaches in 2016, and half of the worst of these were caused by human error based on a lack of user awareness or knowledge – check out our guide on phish insight.
New users may not be aware of best practice, what the right process should be, or the system weaknesses that must be avoided. Often this knowledge sits with existing staff and is not part of formal induction or onboarding training. As a result, new users may unwittingly take unnecessary risks and open the door for malicious attackers.
Even those new users who have been well trained in the security requirements of their position may be at greater risk of making mistakes than more experienced individuals who ‘know the ropes’.
Focused on learning and excelling in their new role, new users often overlook key security issues or don’t have the experience to spot unusual activity. They may access inappropriate data, services and other resources, or open risky emails or attachments. Spear phishing attacks will often target new users in order to capitalise on their lack of experience. In the case of ‘whaling’ attacks, targeting new senior executives with access to highly valuable or sensitive information, the damage can be significant or even disastrous. More generally, new users may also be vulnerable to ‘water holing’ attacks, in which specific web destinations which they are known to frequent are compromised.
New users at all levels in the organisation are at particular risk of malware attacks, including ransomware. With 98% delivered by email, layered protection to secure emails and scanning of email attachment downloads are vital. New users, not fully aware of security best practice and protocols, may also be more likely than others to engage in risky behaviours such as transferring sensitive data to portable storage devices or forwarding emails to their private email accounts. Working from home or over public Wi-Fi may expose them to further risks.
How to address the challenge
Providing IT security onboarding for all employees can narrow the IT security knowledge gap between entry-level and higher-level employees and help ensure organisations as a whole are more aware and prepared for security issues.
Companies tend to offer IT security onboarding programs to more senior employees only, which may account for the greater awareness and feeling of preparedness this group has regarding IT security threats.
Education makes the biggest difference in addressing the risks associated with new users. Here are 5 considerations when building out your training plan for IT security:
- Ensure Cyber Security is seen as everyone’s responsibility
- Explain the potential impacts of an IT system or data breach in easy-to-understand ‘layman’s’ terms
- Provide best practice guidance on effective password management
- Clearly describe the process for dealing with a breach or attack and test staff readiness
- Regular training and best practice cyber security workshops are a must
- Tailor your training to fit your organisation and its particular systems and processes
Technology and a good process can assist
There are hundreds of security solutions and best practice security frameworks organisations can use to develop a robust security posture and help mitigate many of the risks posed by human beings inside as well as outside the organisation.
If you would like to discuss the options your organisation has when developing your security strategy, our Cyber & Data security experts are on hand to answer questions and help you identify potential ways to address the risks posed. Book a ‘no obligations’ call with one of our team here.
The Complete Guide
New users are just one of the user types we discuss in our complete ‘Human Factor’ guide. Find out who else in your organisation may pose a risk by downloading our full guide here.