The internal cyber threat: employees

Cyber attacks are on the rise, but some organizations neglect the main source of many data breaches — their employees. How can businesses mitigate the insider cyber risk?

A big Trojan horse with circuit boards over its body surrounded by data

The Trojan horse

Employees are, unwittingly or not, one of the weakest links in an organization’s cybersecurity architecture and are often the source of data breaches. EY’s Global Information Security Survey 2015 discovered 44% of executives consider employees the greatest cybersecurity vulnerability in their organization. Furthermore, 56% of organizations consider employees the most likely source of a cyber attack — an increase of 12% from 2014. 

In most cases, employees compromise security unintentionally, often in the name of convenience — for instance by using file sharing services or emailing sensitive information. However, for those employees with criminal intent, financial gain was the motive behind 34% of data breaches in 2015.

Education is prevention

For those employees without criminal intent, organizations can use education programs to reduce the risk of data breaches. Even cybersecurity basics, such as the need for strong passwords and regular changes, are absolutely necessary — 63% of data breaches involve default, weak or stolen passwords.

However, education is only one step in decreasing the cyber risk posed by employees. Organizations also need to incentivize employees to prioritize cybersecurity.

Cybersecurity KPI

Organizations still primarily rely on traditional methods such as computer-based education, emails, posters and agreements to increase cybersecurity awareness. Those messages, however, are often neglected by employees. Only a few organizations assess their employees’ adherence to data protection requirements through performance evaluation processes. 

By making cybersecurity a KPI, organizations send a clear signal that data protection is an imperative and give employees a vested interest in protecting data.

Identity and access management

A strong identity and access management (IAM) strategy reduces this cyber risk by limiting employees’ access to sensitive data. IAM involves managing users’ online identities and the authentication, authorization and privileges across IT and business systems. 

Because 53% of cyber incidents involving insiders result from the abuse of user access rights, organizations must continually ensure their employees’ access level matches the needs of their current job roles.

Mobile threat

IAM strategies must also address the growing trend of employees using mobile devices, especially their personal ones, to access sensitive company data. Sixty-one percent use their mobile devices for both personal and work-related tasks, while the great majority receive no training over safely using these devices. With an estimated 50 billion internet-connected devices by 2020, this risk will only increase unless drastic action is taken by organizations.

Privacy and security

A growing number of organizations monitor their employees’ use of data to enhance cybersecurity, but they must balance this with privacy protection. Only 42% of organizations currently have formalized requirements for monitoring employees while balancing privacy obligations. Many business executives consider protecting propriety information more important than protecting employee privacy. 

While there is an imperative to increase data security, employees should be extended the right to privacy — as should customers. With cyber criminals also using cyber blackmail to secure digital access to organizations, protecting employee privacy also helps protect the business. 

Greater protection against cyber threats should not be seen as a zero-sum game between security and privacy. Employees’ privacy is an important asset that also merits protection.

Discover more