The Human Factor: Tackling Insider Threats in Cybersecurity
January 16, 2023
Organizations are continuing to experience a steady and aggressive influx of cyberattacks. According to the 2022 CIRA Cybersecurity Survey, 44% of Canadian organizations have experienced either an attempted or successful cyberattack in the last 12 months. 22% have been the victim of a successful ransomware attack. In response, many companies have ramped up their cybersecurity efforts and made changes to how data is handled, from formal data retention policies to new technologies and service partners.
But cybersecurity is about more than protecting against hackers and malware; it’s also about protecting against the risks from within. Human behaviour and insider actions are among the greatest threats to privacy and can be just as damaging and costly as external ones, be it compromised credentials, accidental disclosure, or even a snooping employee. After all, your defence measures are only as good as the people who use them and even the most advanced cybersecurity tools in the world won’t make up for poorly trained staff.
Unfortunately there’s no quick fix for insider threats; you can’t reboot your workforce the same way you can your systems. You’ll need to understand why people make mistakes—or why they go rogue—and why technology isn’t enough to curb it. Keep reading to learn more.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
What are the risks?
When it comes to insider threats, some of the biggest risk factors include:
1. Lack of Awareness
Keep in mind: you don’t know what you don’t know and not everyone has been trained on good security practices. New hires are particularly at risk of mishaps, especially if organizations aren’t onboarding sufficiently or providing regular privacy updates. Someone that’s new to your discipline or field may be unaware of sector-specific requirements on how to handle, store, or dispose of sensitive data. Or maybe they don’t know the key industry players well enough to be able to spot phishing emails or signs of suspicious activity.
But experience doesn’t guarantee awareness; even long-standing, tenured industry professionals with a basic understanding of cybersecurity might be behind on the latest protocols. And the pandemic may have made matters worse. 69% of Canadian organizations required remote work due to COVID-19. With companies rapidly adopting new technologies and going digital overnight, there are probably gaps in everyone’s security knowledge.
Common mistakes include:
Poor Password Hygiene
19% of privacy breaches are caused by stolen or compromised credentials, the most common attack vector in the 2022 IBM Security Cost of a Data Breach Report. Why? “123456,” “qwerty,” and “password” continue to top lists as the most commonly used logins worldwide. Additionally, many employees still share or recycle passwords or use default logins, leaving the door wide open to cybercriminals who can use a single set of logins to unlock accounts across multiple platforms.
Using Unsecured Connections
Since the start of the pandemic, many employees have taken advantage of work-from-home arrangements to either escape their homes during the workday or travel and work on-the-go. But using unencrypted connections, like hotel or public Wi-Fi, allows hackers to sneakily distribute malware, infiltrate accounts, or intercept confidential data.
Clicking on a Phishing Email
Phishing scams have gotten extremely sophisticated; it’s become standard practice for hackers to impersonate high-ranking executives from the victim’s company (like the President or CEO) and demand immediate action (like confirming financial details or payroll information). In Tessian’s 2022 Psychology of Human Error Report, 54% of employees admitted to falling for phishing scams in the last 12 months because the email looked legitimate. 52% said it was because the email looked as if it had come from a senior executive.
If employees aren’t aware, they could easily click on an unknown link or infected attachment and unleash malware onto the entire network. That’s how the infamous 2016 Casino Rama breach happened; a hacker impersonated a manager and sent a link to a holiday work schedule to 11 employees.
Whether it’s due to auto-complete, a spelling mistake, or accidentally hitting “reply all,” misdirected emails are more than just embarrassing—they can give hackers an easy entry point to your organization. Plus if your email contains confidential client or third-party data, you’ll have to tell them about the breach, which could tarnish your reputation, damage the relationship, and even end your contract.
The same report from Tessian also found that 40% of respondents sent work emails to the wrong person, with 15% admitting to sending an email with the wrong attachment to an external party. 29% said they lost a client as a result.
2. The Pace of Work
In most cases, employees know the right course of action, but err anyway. Either they weren’t careful enough or they simply made a mistake. Or perhaps they were lax on security. Workplace environments are a big contributor here. In healthcare settings, for example, even the best of clinicians might accidentally misenter information or skip a step in situations where saving even a few minutes can make all the difference,
Businesses with a more fast-paced or entrepreneurial culture are also more prone to human error. While this environment can be conducive to sales, moving too quickly can lead to some easily preventable security mistakes. If employees are expected to respond to emails immediately, people who fear missing an important message, falling behind, or being seen as slow might be more inclined to open messages they shouldn’t.
Alternatively, if people are under pressure to hit quotas and move fast, firewalls, spam filters, and having multiple passwords and usernames—and having to remember them all—might seem like a hindrance that takes away from work time. Without training, employees and subcontractors may also underestimate just how much impact careless behaviours have on your firm’s overall security posture. As a result, they might opt for the past of least resistance and cut corners to maintain efficiencies or close a deal that much sooner. That includes using a personal email to send private information, improperly accessing data in the cloud, ignoring software updates, and saving confidential data of the VPN.
Employees aren’t just too busy for cybersecurity—they’re too tired. With a constant cycle of turnover and layoffs, understaffed businesses are struggling to keep up with client demands. Remaining employees might be too backlogged to maintain security protocols, while others may be thrust into new roles, responsibilities, or departments, often without sufficient coaching on data protection and storage.
Over time, a focus on high pace and high productivity could lead to burnout. And employees that are more stressed or exhausted tend to be more distracted and less aware of their surroundings. Specifically, they might be more likely to ignore unusual site activity or divulge their login credentials, which could raise the number of mistakes, accidents, and privacy breaches. In Tessian’s report, 36% of employees admitted to making a mistake at work that compromised security in the last 12 months. 51% of employees said they made mistakes when tired, and 50% said they did so when distracted.
Unfortunately, threat actors are constantly evolving their tactics and work to exploit people’s emotions and behaviour. Another 2021 report from Tessian determined that most phishing attacks occurred during the afternoon slump between 2PM and 6PM, when employees tend to be more tired or distracted. And let’s not forget the beginning of the pandemic; cybercriminals were preying on vulnerable users through COVID-19 themed lures about financial relief, vaccines, or public health updates.
4. Remote Work
While working from home has numerous benefits for productivity and employees’ overall well-being, studies show a strong correlation between remote work and breach expenses. IBM Security’s 2022 Cost of a Data Breach Report found that breach expenses were highest for organizations with 81-100% of their employees working remotely, costing $5.10 million USD on average. Additionally, expenses were nearly 1 million USD more in instances where remote work was a factor in causing the data breach.
Why? The sheer volume of cyberattacks increased tremendously during the pandemic. And time and distance away from the office and the watchful eye of IT support might have weakened employees’ general sense of cyber vigilance. As a result, they might be more inclined to use devices with insecure passwords, ignore IT policies, or visit sites that would normally be prohibited at work.
Remote and hybrid working environments may also impact focus; according to CIRA’s 2022 Internet Factbook Survey, most people tend to multitask during meetings when working remotely, with 47% of people engaging in direct messaging and 39% working on other tasks. And with people generally working longer hours than they should, not only is there more time to make mistakes, there’s also a higher risk of cognitive overload, leading to more errors or missed warning signs.
5. Physical Risks
In addition to cyberspace, there are also numerous physical threats that could put you at risk. On any given day, you or one of your employees could:
- Misplace or lose a file or device, like a document, laptop, phone, tablet, or a even non-encrypted USB;
- Leave your device unlocked and unattached;
- Leave sensitive documents unattended on a desk, in a meeting room, or at home;
- Improperly dispose of records (i.e. tossing client files in recycling bin instead of shredding them);
- Have a slip of tongue and accidentally disclose something you shouldn’t; or
- Discuss confidential client data in public.
While the examples above seem innocent enough, if someone manages to get a hold of confidential data, you could still be liable for a breach.
6. Unauthorized Access
Insider threats aren’t just about human error and making mistakes; they also include people within your organization who intentionally access confidential records or steal files. But whether they’re motivated by curiosity, fun, or financial gain, employee snooping can have major consequences for your business.
Under PIPEDA, Canada’s federal privacy law, a privacy breach refers to the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from breach of an organization’s security safeguards or from a failure to establish those safeguards. Keep in mind: that definition doesn’t specify WHO is accessing data. That means anyone who views confidential personal data without permission, be it a hacker or a nosey employee, would constitute a breach under PIPEDA.
Here’s an example: in February 2022, Alberta’s Privacy Commissioner ruled that there was a real risk of significant harm after four employees accessed the account information of 78 other staff and credit union members without an authorized purpose. The breaches were discovered by the organization during a routine audit and while they weren’t found negligent, they still had to notify all affected individuals and provide them with 24 months of complimentary credit monitoring.
And that’s just one example. There are numerous instances of unauthorized employee access, so much so that Ontario’s Personal Health Information Protection Act (PHIPA) has even proposed a mandatory electronic audit log for all healthcare facilities to keep track of and protect patients’ private data. Every time a record containing patient data is viewed, handled, or modified, the log must be updated with: the type of information accessed, the patient it belongs to, who it was accessed by, and when, including date and time.
What’s the impact?
In this day and age, security isn’t enough. Despite the growing sophistication of detection and response protocols, it only takes one person—one password, one click, one employee—to have a cascading effect across an entire network. Plus the stronger your defences become, the likelier it is that cybercriminals will target the human element. That means your most vulnerable point is always going to be your people.
Unfortunately, regulatory bodies and clients won’t be too forgiving in the event of a breach, even if it was an accident. It doesn’t matter how understaffed you are or whose fault it was, your organization is still responsible for all gaps in protection or breakdowns in safeguards. If you’re found negligent under PIPEDA or any other applicable provincial legislation, you could be liable for up to $100,000 in fines.
And you won’t be able to point the finger at your staff either. As an employer, it’s also your responsibility to provide employees with the tools they need to perform their jobs to the highest possible standard and that includes security awareness. If you fail to do so, the blame—and the liability for any resulting damages—lies with you.
Unless you put in controls to account for the human element, you’re at risk of serious legal, financial, and reputational harm. Plus, without basic cybersecurity controls, you might not qualify for Cyber Insurance to cover your losses, leaving you liable for potentially hundreds of thousands in remediation costs out-of-pocket.
How can you protect yourself?
Cybersecurity isn’t just a technology problem; it’s a people problem, one that requires people-focused solutions. Users will keep making mistakes if they don’t know what the risks are or how to spot them and while adding protections is a step in the right direction, security efforts will fail without continuous end-user education and communication to reinforce good behaviours.
To combat insider threats and mitigate breach fallout, work towards a culture of cyber vigilance. Survey your employees to determine their current knowledge levels and provide tailored security awareness training on a regular basis to fill the gaps. At minimum, training should cover how to handle sensitive data, use software, and identify, avoid, and report potential harmful situations. Keep employees aware of threats as they emerge and if needed, partner with a specialized firm to offer high-quality courses, automated phishing simulations, and random tests. Measure your efforts and update your program accordingly.
We know, it’s an extra cost—and it might seem like you’re biting off more than you can chew. But think of awareness training as a business investment. Users are the first line of defence and arming them with the right tools and knowledge will put your company in the best position possible to ward off attack. And although you won’t be able to eliminate mistakes altogether, you can ensure they’re detected and addressed before they have a chance to destroy your business.
How can we help you?
A comprehensive awareness program can help you keep security top-of-mind and build a cyber-aware workforce that makes informed decisions about their digital hygiene. But be sure to supplement your program with a solid incident response plan and a comprehensive Cyber Insurance policy so people can take action immediately once threats are identified.
For more guidance on cyber risk management, connect with PROLINK. With over 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. We can share what steps others in your industry are taking and help you become resilient in the face of attack.
Our dedicated team of risk advisors will help you:
- Identify exposures based on your business operations and unique needs;
- Adopt a proactive approach to risk management to control your costs long-term;
- Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
- Secure a specialized solution that aligns with your strategic objectives.
To learn about your exposures—and how you can protect yourself—visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today for more guidance!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.