Companies today are exposed not only to technical risks: mistakes made by their own employees or partners can also endanger sensitive or confidential data and cause major damage. Yet the human risk factor is often underestimated and neglected from a security perspective.
We have already covered the most important current security threats for companies in two previous posts on the NCP blog. The first part of our series dealt with the changed security situation in 2022. In the second part, we learned more about the increasing importance of “IT security Made in Germany”. In this post, we will look at another aspect of IT security that companies need to be aware of: the human risk factor.
The “Cybersecurity in figures” report from the German security provider G Data breaks down the most common threats to sensitive or confidential data in detail (see chart). The figures show that the human risk factor continues to have major consequences for the security of company data: according to the survey, 54 percent of threats are attributable to “errors by employees”, 23 percent to “part-time or temporary workers” and 20 percent even to “malicious insiders”.
Where risks from external attackers and social engineering occur
Technical risks due to vulnerabilities or unpatched systems are not the only things that endanger companies. Many cyber attacks occur – intentionally or unintentionally – via employees in the companies themselves or via business partners who are allowed to access business applications and business data.
In its “Data Breach Investigations Report 2022”, the American telecommunications group Verizon found that the human factor plays a role in around 82 percent of data breaches in companies. The report focuses on external attackers: 89 percent of them had financial motives, while the remaining eleven percent were after trade secrets. Credentials were compromised in 63 percent of cases, confidential information in 32 percent and personal data in 24 percent.
The attack paths used by the attackers are particularly interesting. About two-thirds of the intrusions involved phishing, followed by stolen credentials, fraudulent pretexts, backdoors, network scans, downloaders and ransomware. Staying with phishing: you may wonder why the trick works so well when Verizon reports that only 2.9 percent of employees click on links in phishing emails. Given the sheer volume of fraudulent emails in circulation, that rate is more than enough for numerous data thefts; an attacker needs only one click to land.
BEC attacks: Using the boss’s name
Business E-Mail Compromise (BEC) is one of the pretexts attackers use to get their foot in the door. Unlike most phishing and spam campaigns, BEC attacks are usually targeted: an employee is persuaded to initiate a transfer or send important information on behalf of a manager such as the managing director or the head of finance. These attacks are elaborate and usually require the attackers to gain access to one or more e-mail accounts (or to set up a lookalike domain) from which they can send their fake e-mails. They also need to find out who is responsible for which activities, what the usual procedures are and when the timing for an attack is right.
Even if that means a lot of work, it is obviously worthwhile. According to the FBI, more than 166,000 BEC incidents were reported worldwide between June 2016 and July 2019, with losses of more than 26 billion US dollars. One point about these attacks must not be overlooked: BEC cannot be prevented with technical solutions alone. It also requires a change in thinking within the company and training for employees.
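Technical controls alone do not stop BEC, as the post says, but the mechanics described above (a manager's name on a mailbox that is not theirs, a lookalike sender domain, replies steered to a different address, pressure and secrecy in the wording) can at least be checked mechanically before a human decides. The following Python script is an added example, not code from the original post or from any NCP product; the company domain, the executive list, the keyword list and the two sample messages are constructed for the example.

```python
"""Heuristic BEC indicator check over a raw RFC 5322 message (standard library only)."""
import email
import email.policy
from email.utils import parseaddr

# Organisation data assumed for this example (constructed, not real).
TRUSTED_DOMAIN = "example-corp.com"
# Display names attackers like to impersonate, mapped to the person's real mailbox.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
# Wording typical for BEC pretexts: pressure, secrecy, payment changes.
PRESSURE_TERMS = ("urgent", "wire transfer", "confidential", "gift card",
                  "change of bank details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one message; an empty list means none."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. A known executive's display name on a mailbox that is not theirs.
    real_mailbox = EXECUTIVES.get(from_name.strip().lower())
    if real_mailbox and from_addr.lower() != real_mailbox:
        findings.append(f"display name '{from_name}' used with foreign mailbox {from_addr}")

    # 2. Sender domain is a close misspelling of the company domain (typosquat / homoglyph).
    if (from_domain and from_domain != TRUSTED_DOMAIN
            and levenshtein(from_domain, TRUSTED_DOMAIN) <= 2):
        findings.append(f"lookalike domain {from_domain} resembles {TRUSTED_DOMAIN}")

    # 3. Reply-To steers the answer to a different domain than the one shown in From.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")

    # 4. The receiving gateway recorded a failed sender-authentication check.
    auth_results = str(msg.get("Authentication-Results", "")).lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=fail" in auth_results:
            findings.append(f"{mechanism} failed for {from_domain}")

    # 5. Pressure and payment wording in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " "
            + (body.get_content() if body is not None else "")).lower()
    hits = [term for term in PRESSURE_TERMS if term in text]
    if hits:
        findings.append("pressure wording: " + ", ".join(hits))

    return findings


# Constructed sample messages (not captured from a real incident).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-relay.example.net
To: accounting@example-corp.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com
Content-Type: text/plain; charset="utf-8"

Hi, I am in a meeting and cannot talk. Please make an urgent wire transfer of
EUR 48,500 to the account below today and keep this confidential until I am back.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounting@example-corp.com
Subject: Q3 figures
Authentication-Results: mx.example-corp.com; spf=pass dkim=pass dmarc=pass
Content-Type: text/plain; charset="utf-8"

Please send me the Q3 figures when they are ready. Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_indicators(raw))
```

Each indicator on its own is weak (a colleague may legitimately use a private Reply-To), so the script reports all of them and leaves the decision to the reader rather than blocking; the constructed suspicious message trips all five checks, the benign one none. A real deployment would load the executive list from the directory and run this at the mail gateway, where the Authentication-Results header is actually trustworthy.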
Measures to mitigate BEC attacks
Proofpoint has compiled some tips to help employees protect themselves from BEC attacks. We have summarized them briefly and added further helpful advice:
- Be skeptical. Verify any instruction via a second channel (for example by calling the person on a number you already know, not one given in the email), forward dubious emails to IT support, and check with colleagues before transferring large sums to an unfamiliar company.
- Trust your instincts and read suspicious emails critically. Is the tone of the message unusual? Are there odd spelling mistakes? Does the colleague usually behave like this? Why is there no regular invoice attached?
- Stay diligent, especially during stressful periods. Observe the usual warnings and internal company guidelines even in urgent cases. Make no exceptions: urgency and secrecy are exactly the levers a BEC attacker pulls.
Cost of security incidents caused by negligent insiders
The renowned Ponemon Institute has been studying insider risks for years. In its current “Report on Global Costs of Insider Threats 2022”, the market researchers write that most insider incidents were “caused by careless or negligent employees”.
The resulting costs are far from negligible. According to the Ponemon Institute, the average annual cost of insider incidents caused by negligence is 6.6 million US dollars. The average total annual cost of insider threats is as high as 15.4 million US dollars; this total also includes the damage caused by insiders with criminal motives (4.1 million) and by credential theft (4.6 million).
And it gets worse. On average, it took 85 days to contain an insider incident. Only twelve percent of incidents were contained within 30 days, while more than a third took longer than 90 days.
The authors cite inadequately protected devices, disregard for operational security policies and missing patches and upgrades as the main causes of negligent actions. Malicious insiders are also harder to detect than external attackers, the report says, because many employees “are increasingly granted access rights for productivity reasons in today’s mobile workplace”. Companies need to rethink this.
Let’s sum up:
The human risk factor shows that traditional data security approaches are no longer sufficient. Companies should consider modern concepts such as Zero Trust, least privilege or ZTNA to better protect their applications, data, devices and networks from internal and external attackers. In addition, centrally managed VPN clients with personal firewalls help to protect data. IT managers should organize regular security awareness training for their employees to inform them about current cyber threats.
Learn more about VPN Client Suite with central management