Humans: Still the Weakest Link In the Enterprise Information Security Posture

By Rachel Holdgrafer, Business Content Strategist, Code42

When it comes to protecting enterprise data, it’s more about understanding processes, procedures and the humans using the system, and less about defending the physical hardware. Seventy-eight percent of respondents to the Ponemon 2015 State of the Endpoint Report: User-Centric Risk indicate that the biggest threat to endpoint security is negligent or careless employees who don’t follow security policies. The Skyhigh Report finds that 89.6% of organizations experience at least one insider threat each month while the average organization experiences 9.3 insider threats each month. Humans are the weakest link in information security—for a number of reasons.

According to McAfee, internal actors are responsible for 43% of enterprise data loss. In half the cases, data loss is accidental, while the other half is intentional. In 2013 alone, U.S. companies and organizations suffered $40 billion in losses from unauthorized use of computers by employees, including “…approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent.” Whether accidental or deliberate, data loss at the hands of employees is a real and present danger.

Accidental data breach or loss

Well-meaning employees threaten data security every day, often without realizing it. They open suspicious email attachments, fall for social engineering ploys, carelessly manage network passwords or use shadow IT applications that give hackers a way into the network. Regardless of how data loss or breach happens, insider threat poses a significant risk to organizations.

• Shadow IT applications. In an effort to get their jobs done, employees may install unsanctioned software on their devices, and in doing so, expose their employer to hackers and malware via vulnerabilities in the software.
• Sync and share technology. Sync and share applications are powerful collaboration tools for increasing employee productivity, especially for distributed and remote teams. Unfortunately, sharing data has a down side; 28% of employees have uploaded a file containing sensitive data to the cloud. A team member might inadvertently delete a shared document or corrupt the only version of a key file, rendering the data useless. Sensitive data, such as social security or customer payment information, could be shared with internal employees or with external users, putting the data at risk and the company out of compliance.
• Social engineering. From urgent emails that appear to come from C-suite executives requesting large wire transfers to “friendly” phone calls from hackers posing as corporate IT staff, social engineering is on the rise at organizations of all sizes.
• Poor password security. What appears to be innocuous password sharing can result in significant data loss. Employees good-naturedly share passwords with coworkers or post their network passwords at their workstations, unintentionally allowing others to access the system using their credentials.

Intentional data sabotage

In a perfect world, employees would always work in the best interest of their employers. Unfortunately, this is not always the case. As a result, organizations must monitor individuals on the payroll to spot incidents of intentional data sabotage.

• Dealing with disgruntled employees. Malicious cyber-sabotage conducted by disgruntled employees is on the rise. Whether passed over for a promotion, terminated for cause or as a part of a reduction in force, unhappy employees pose a risk to data security. Disgruntled employees may delete important files or emails, lock administrators out of admin accounts by changing passwords or take sensitive data with them when they leave. NakedSecurity by Sophos reports that:

The FBI has found that terminated employees installed unauthorized RDP (remote desktop protocol) software before they exited their companies, thereby ensuring that they could retain access to the businesses’ networks to carry out their crimes.

• Malware introduction and planting logic bombs. Employees on their way out the door may purposely infect the employer’s network with malware or plant logic bombs that “go off” in the future, wiping out data when the employee is long gone.
• Selling corporate data for fun and profit. It’s troubling, but true; current employees may extract and sell sensitive corporate data to the highest bidder on the black market. They may also sell customer account lists, product plans or other intellectual property to their employer’s competitors for financial gain. Some enjoy the challenge of accessing the data, some need the cash and others, like arsonists, enjoy watching the company burn.

Conclusion

Humans continue to be the weakest link in information security. Whether deliberate or accidental, the actions of employees can quickly destroy a company. Organizations must keep this in mind when creating information security policies and while implementing safeguards.

Learn more about the impacts of insider threat. Download the executive brief, Protecting data in the age of employee churn.