Mistakes Can Be More Damaging Than Sabotage
Insider risk doesn’t just consist of employees taking malicious actions against the company. The actions that employees take every day have an enormous impact on the security of a company’s IT environment. Employee mistakes like mishandling data or getting conned by a phishing email can accidentally open your business up to trouble like ransomware, business email compromise and other cyberattacks. Non-malicious or accidental insider risk also has to be a part of every company’s risk calculus.
Any Employee Can Pose a Threat
These definitions can help clarify insider risk
An insider is someone within an organization. An insider risk comes from the actions that employees take around cybersecurity that impact company systems and data.
Malicious insiders
Employees who intend to deliberately harm a business. Malicious insiders cause massive damage quickly by taking harmful security actions like stealing company secrets, selling access to a company’s network or deploying ransomware.
Non-malicious insiders
Average employees who don’t take action to cause harm intentionally. Instead, these employees harm security through negligence or error. Unfortunately, errors can be just as devastating to your company as intentional sabotage.
How Do Non-Malicious Employee Actions Generate Risk?
Employees don’t have to mean any harm to the company to do something that damages their employer. Accidents, missteps, errors – all of these things generate insider risk.
- More than 2 out of 3 insider threat incidents are caused by negligence
- Negligent employees create over 60% of security incidents
- Over 65% of accidental insider threats come from phishing attacks
After all, we’re all human and as long as human beings are doing the work at a company, they’ll make mistakes. But while some accidental insider risk has to be chalked up to the cost of doing business, other factors can be controlled – and smart businesses are making that a priority.
How to Spot a Non-Malicious Insider Threat
These employee behaviors and workplace conditions raise a company’s chances of suffering a damaging accidental cybersecurity incident.
- Sharing passwords, especially privileged passwords
- Reusing, recycling, never changing or writing down passwords
- Careless data handling like sending sensitive data to the wrong recipient
- Fear of asking for help or clarification around possible threats like phishing
- Threats of termination if an employee makes a mistake
- Lack of support in enforcing security protocols
- Ignorance of common threats due to lack of security awareness
- Too little training in proper security protocols
- Time pressures that raise the chance of a mistake
- No security culture within an organization
4 Major Drivers of Accidental Insider Threats
Falling for Phishing
Clicking on a phishing email is the most likely way that an employee will cause a security breach. In a Stanford University study, researchers determined:
- One in four employees (25%) said they have clicked on a phishing email at work
- Nearly 45% of respondents cited distraction as the top reason for falling for a phishing scam
- Around 50% of employees are sure that they have made an error that led to a security incident
Risky Password Habits
Passwords are one of the most difficult assets for a business to keep secure unless it takes the right precautions. Employee password attitudes and behaviors are a portal to insider risk.
- Credentials were the top type of information stolen in data breaches worldwide in 2020
- More than 60% of employees use the same password across multiple work and home applications
- Over 90% of participants in a password habits survey understood the risk of password reuse, yet 59% admitted to doing it anyway
A Toxic Culture
No company benefits when employees are afraid of the consequences of reporting a blunder or don’t even have the security expertise to know they’ve made one.
- Just under 30% of employees fail to report cybersecurity mistakes out of fear.
- More than 40% of employees don’t report potential phishing out of fear of getting in trouble
- About 45% of employees click emails they consider to be suspicious “just in case it’s important.”
Employee Error
The top cause of a cybersecurity incident isn’t malicious action or hacking. It’s employee error. Human error is responsible for an estimated 90% of security breaches according to IBM’s X-Force Threat Intelligence Index. These are the most common blunders that employees make:
- Opening a phishing email
- Downloading a dodgy attachment
- Sending someone the wrong file
- Giving another employee their login credentials
- Writing down a password
- Falling for a scam
- Clicking a malicious link
- Visiting a dangerous website
Factors That Increase The Probability of Employee Error
There’s always a chance that an employee will make an error. After all, they’re only human. But some circumstances within a business make employees more likely to make an error than others.
Employees are more likely to make an error if:
- They don’t know what threats look like
- They’re experiencing undue stress, distraction or time constraints
- They don’t feel confident judging a threat
- They’re afraid of technology
- They don’t know who to ask for help
- They fear job loss or demotion
- They don’t know how to report a problem
- They have little to no security awareness training
- They don’t have the right tools to stop an incident
Get the Right Tools to Mitigate Accidental Insider Risk
Insider risk is up by more than 40% in 2021, and it’s not expected to go down in 2022. But with the right solutions in place, companies can mitigate a substantial portion of their accidental insider risk. These two ID Agent solutions are perfect for the job.
Dark Web ID – Don’t let cybercriminals sneak into your network and snatch your data with a compromised credential. Get 24/7/365 human- and machine-powered monitoring of employee passwords, business and personal credentials, domains, IP addresses and email addresses on your side.
BullPhish ID – Organizations that regularly conduct security awareness training have up to 70% fewer cybersecurity incidents. Educate staffers on how to spot and stop the latest threats, including phishing and ransomware, and on topics like compliance and password safety, using done-for-you kits or customized lessons.