How to Protect your Business against Human Cyber Vulnerabilities


Small businesses sometimes do not put up safeguards to protect their networks from their own employees.

Cybercrime has been growing rapidly over the past few years, but the pandemic gave it an additional boost. One study found that large data breaches increased by 273% in the first quarter of 2020 alone.[1] Over the course of 2020, email threats rose by 64% and ransomware rose by a staggering 485%.[2,3]

By 2025, cybercrime could be costing the world $10.5 trillion a year, according to Cybersecurity Ventures.[4] If cybercrime were measured as a country, that would make it the world's third-largest economy after China and the US.

With more people working from home, and businesses reliant on cloud computing, maintaining security has become increasingly difficult. Data is becoming more mobile and businesses are dealing with a growing number of endpoints connecting into their systems.

Businesses of all sizes can be affected, but some of the biggest threats are against small businesses. Data from the Verizon Business 2020 Data Breach Investigations report found that 28% of breaches hit small businesses.[5]

While criminals have focused much of their attention on major corporations, small businesses represent an attractive option for those who might be looking for an easier target.

A lack of technology, resources and the use of third parties can all make small businesses particularly vulnerable, but one of the most serious issues has a very human face to it.

The human factor

According to a report from Stanford University, 88% of breaches occurred because of human error.[6]

For all the technological innovations of both IT departments and cybercriminals, everything still often comes down to simple mistakes.


This can include:

Clicking on an infected link: According to Symantec, 71% of attacks come through phishing, which attempts to mimic a legitimate sender.[7] These attacks rely on people either clicking a link or handing over sensitive information in order to succeed. They have become more effective in recent years, as the emails have grown more convincing and plausible. For example, during the pandemic, fraudsters have been sending emails that appear to come from official organizations. These look plausible and appear to contain information a user may need to know.

Using the same passwords across multiple devices and accounts: A quarter of employees use the same passwords for all their accounts.[8] If one can be cracked, it exposes accounts across the system. Some employees also reuse the passwords from their personal accounts, such as banking and streaming services, for work applications. This can multiply vulnerabilities many times over.

Working from home: According to data from Malwarebytes, remote work caused breaches for 20% of organizations.[9] In the work from home environment, employees are more spread out across more devices. The rushed way in which many businesses had to convert to remote working measures created vast gaps in cybersecurity systems. The remote working model is very different and much more complex, which makes security significantly more challenging.

Using their own devices: ‘Bring your own device to work’ has worked well for many businesses, but personal devices are not always as secure as they might be. This needn’t be the case. There are many mechanisms, including virtual private networks and other security measures, which can secure endpoints. However, these are not always followed. When IT teams cannot be certain which devices are being used, it becomes much more difficult to maintain defenses.

Loss of mobile devices: Whether using their own devices or a work-issued device, lost equipment creates a headache for any business, especially if it contains sensitive information.

Malicious actions: Many businesses fail to delete employee access permissions when they leave the company. This can leave them vulnerable to malicious employees who may hold a grudge against the organization.

Cyber blackmail: Blackmail is a small but growing problem for businesses. Sextortion attacks, in which criminals gain access to compromising information about someone, are rising steadily. For example, the attack on Adult Friend Finder compromised up to 400 million personal records. By comparison, the population of the USA is only around 330 million. The hack exposed people having affairs and led to the break-up of marriages, lost jobs, and even a few suicides. It shows how many people potentially have online histories they would work hard to keep secret. If these are compromised, it creates an avenue for extortion and blackmail. For example, an employee might be persuaded to hand over sensitive company information to stop information getting out about them which would cause embarrassment or significant harm to their professional or personal life.

Third-party risks: Businesses of all sizes are increasingly working with third parties, including contractors and freelancers. However, these individuals could present a security risk if they are logging into systems without sufficient security precautions.

Failing to install updates: Software companies are constantly updating their technologies to cater to the evolving cyber threat. As one threat emerges, security teams work to develop patches to prevent it. These are regularly issued as updates. If individuals do not install patches as and when they become available, they leave themselves increasingly vulnerable to attack. This happened during the pandemic when cybercriminals managed to hack the video conferencing platform Zoom. The company patched the vulnerability, but many people are still running older versions of the software, leaving them vulnerable to attack.

Whether because of one, or a combination of all these problems, human error is a serious issue for companies. All the spending on highly sophisticated security measures can be rendered useless with simple human mistakes.

Take, for example, the moment when an NSA staffer decided to do some work from home. The antivirus software on his computer, which happened to be Kaspersky’s, identified a sensitive file as suspicious and, as is always the case, uploaded it to the company’s own systems, based in Russia, for closer examination. Unfortunately for that agent, hackers working for the Kremlin had breached Kaspersky’s security and were able to access the file.

The 2017 WannaCry virus, which brought chaos to Britain’s National Health Service (NHS) and other organizations around the world, also relied on human error to get started. The exploit used by the attack, termed EternalBlue, had been patched by Microsoft months before the attack. Had security teams downloaded and installed the patch, they would have been protected.


How businesses can mitigate these risks

Human error, therefore, should be near the top of any organization’s priorities. However, this is not always the case.

The Stanford study mentioned earlier found that companies said they did not have the resources to educate their employees efficiently. In many cases, therefore, this is a vulnerability which many companies are leaving unchecked.

That needn’t be the case, because there is a great deal a business can do to reduce human vulnerabilities. This includes:

Education on cyber threats: Resources may be tight, but some form of education about cyber threats or best practices will help to improve security. If a company has protocols around cybersecurity, these should be taught to people as part of their onboarding process, no matter what their seniority level. It is also worth working with people to raise awareness about the latest cybersecurity threats so they are less likely to fall victim to them. For example, if employees are aware of how effective criminals have become at emulating the branding of reputable organizations, they are less likely to trust emails that appear safe at first sight.

Regulating password use: Businesses should have clear guidelines in place about the use of passwords. Ideally, employees should not have the same password for different systems, although mandatory rotation of passwords should be avoided.

Ensuring no unsecured endpoints: Endpoint security will become one of the key skills for IT departments in the post-Covid-19 world. With more devices connecting into systems, the fewer people connecting from unsecured devices, the safer those systems will be. This doesn’t mean people should not connect from their personal devices, but it does mean that the device should have security on it. This could be done via mobile device management, Virtual Private Networks, remote access management, or other methods.

Privilege Control: Businesses should have a clear process in place for the control of privileges. This should include prompt removal of access when an employee leaves the company, which mitigates the risk of malicious action by disgruntled former employees. While staff members are with the company, it is also advisable to ensure they do not have access to more systems than is necessary to do their job. This limits the company’s exposure should a breach occur.
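The privilege-control process above can be checked mechanically. The following script is an added example (not from the original article or any vendor tool): it reconciles a constructed HR roster against a constructed export of accounts and their system access, and flags accounts that are still enabled after the leaving date, accounts with no HR record at all, and accounts with access beyond the minimum their role needs. The roster, baseline and account data are all assumed sample values.

```python
from datetime import date

# Constructed sample HR roster: role and leaving date (None = still employed).
# In practice this would be exported from the HR system.
HR_ROSTER = {
    "alice": {"role": "finance", "left": None},
    "bob":   {"role": "engineering", "left": date(2021, 3, 31)},
    "carol": {"role": "sales", "left": None},
}

# Assumed least-privilege baseline: the systems each role needs, and nothing more.
ROLE_BASELINE = {
    "finance": {"email", "accounting"},
    "engineering": {"email", "git", "ci"},
    "sales": {"email", "crm"},
}

# Constructed account export from the identity provider.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "systems": {"email", "accounting"}},
    {"user": "bob",   "enabled": True, "systems": {"email", "git", "ci"}},       # left but still enabled
    {"user": "carol", "enabled": True, "systems": {"email", "crm", "accounting"}},  # accounting exceeds the sales baseline
    {"user": "dave",  "enabled": True, "systems": {"vpn"}},                      # no HR record at all
]

AUDIT_DATE = date(2021, 6, 1)  # assumed date on which the audit is run

def audit_access(roster, baseline, accounts, today):
    """Return (user, finding, detail) tuples for every account that breaks the policy."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        record = roster.get(user)
        if record is None:
            # Nobody in HR owns this account: orphaned or third-party access that was never documented.
            findings.append((user, "no_hr_record", sorted(acct["systems"])))
            continue
        if record["left"] is not None and record["left"] <= today and acct["enabled"]:
            # Access should have been removed on the leaving date; report how many days it has lingered.
            findings.append((user, "enabled_after_departure", (today - record["left"]).days))
            continue
        excess = acct["systems"] - baseline.get(record["role"], set())
        if excess:
            findings.append((user, "excess_privilege", sorted(excess)))
    return findings

if __name__ == "__main__":
    for finding in audit_access(HR_ROSTER, ROLE_BASELINE, ACCOUNTS, AUDIT_DATE):
        print(*finding)
```

Running the audit on a schedule and treating every finding as a ticket turns the "prompt removal" rule into something that can be measured rather than hoped for.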

Conclusion

The cybersecurity landscape is becoming much more complicated. The post-pandemic working environment will be more mobile and flexible than the one which went before, making life difficult for security teams.

While most will focus on making their own systems more secure, the one area many overlook is their own employees. Technology alone cannot solve the problem of human vulnerabilities. It takes vigilance, education, and clear protocols to reduce the chances of a breach.

Even then, it is impossible to legislate completely against human error. As football managers know all too well, even the best plans can be ruined by a moment of madness from a player. That’s why it is important to limit any damage done as much as possible by having clear redundancy measures in place. Mistakes will happen. However, companies can govern how serious the fallout will be if and when they do.


1. Dangerous data: how to protect your business from costly data breaches (iomart.com)

2. The State of Email Security Report (Mimecast)

3. Ransomware reports rose by 485% in 2020, as criminals capitalised on pandemic fears (inews.co.uk)

4. Cybercrime To Cost The World $10.5 Trillion Annually By 2025 (cybersecurityventures.com)

5. 2021 Data Breach Investigations Report (Verizon)

6. Human Error is Still the Number One Cause of Most Data Breaches in 2021 (Influencive)

7. Why employees are your biggest cyber security risk (openaccessgovernment.org)

8. 25% of employees use the same password for every account (TechRepublic)

9. Working from home causes surge in security breaches, staff 'oblivious' to best practices (ZDNet)


