First line of defense: Empowering employees to make security conscious decisions

By Anthony Rapa, Assistant Vice President, Claims Advocate, FINEX Global Willis Towers Watson

Published: 14 October 2016

Recent studies suggest that approximately 60% of data security incidents are non-hacking-related. Phishing (broadly defined in the business context as sending fraudulent emails to unsuspecting employees to gain network access and/or obtain confidential, sensitive information or money) remains an effective attack. Symantec’s most recent Internet Security Report notes that over half of inbound business email last year was spam. Even more disturbing is that the 2016 edition of Verizon’s Data Breach Investigations Report (DBIR) notes that 30% of phishing emails in the data group were viewed by employees, and that 12% of employees opened the malware-containing attachment. Both numbers actually represent an increase over the previous year’s data, suggesting that, despite knowledge of the danger, companies may not be placing adequate emphasis and focus on employee cybersecurity awareness.

Additionally, Willis Towers Watson’s Claims and Legal Group (CLG) has observed an appreciable uptick in claims involving impersonation fraud, where an employee is tricked via email to transferring money or divulging sensitive information to someone posing as a high-ranking company official. This new twist on phishing has resulted in multi-million dollar losses to sophisticated firms. An April 2016 FBI Alert indicated that incidents of so-called “CEO spoofing” were up 270% since January 2015.

Lost laptops, phones, and physical files continue to serve as a major source of data security incidents. The 2015 Net Diligence Cyber Claims Study found approximately 10% of claims submitted to cyber insurance carriers were the result of lost or stolen devices. Along similar lines, Verizon noted in the DBIR that employees are 100 times more likely to lose a device than to have it stolen. The DBIR also noted that theft was most likely to occur in the victim’s own work area (39%) or from the employee’s personal vehicle (33.9%).

Human error also continues to account for a large percentage of security incidents. For example, Verizon notes that weak, default or stolen employee passwords played a role in 63% of security incidents. “Miscellaneous errors” accounted for 17.7% of the incidents, 26% of which were caused by an employee sending an email to the wrong person. Although these figures are by no means exhaustive, the message is clear. Despite knowledge of the danger and investment in employee training, a large percentage of cyber incidents continue to arise from employee errors.

Increased connectivity, personal devices and a 21st century workforce

Given the risk, one would expect that future changes in corporate strategy and technology will reduce the amount of behavior-based breaches. The truth, however, may be the opposite. Coming changes to technology, corporate policy and the composition of the workforce itself may have the potential to greatly increase the risk human behavior plays in data security. With more avenues for hackers to gain access to an organization’s system there are also more opportunities to fool employees into making poor decisions. The internet of things (IOT) is a term used to describe the increasing number of connected devices that capture and share data with one another. As technology advances, even seemingly innocuous items, such as kitchen appliances, cars and wearable technology will gather data about everyday lives and share it over a wider network. McAffe Labs’ 2016 Threats Predictions report noted that there were approximately 15 billion IOT devices in the 2015; by 2020 that number may grow to 200 billion. On the positive side, the IoT will allow businesses to collect massive amounts of new data, improving product design, safety and consumer satisfaction. At the same time, such data collection will make corporate networks all the more tempting as targets

Bring Your Own Device (BYOD) programs continue to increase in popularity. BYOD allows employees to connect their personal mobile device to corporate systems and access company data from anywhere. Aside from saving companies the cost of purchasing mobile devices, BYOD is highly convenient for employees. BYOD allows employees to stay mobile and connected on a single device while simultaneously enabling multitasking. Cloud-based computing also continues to gain traction in the corporate world. Employees now have access to important work information — and the corporate network — from anywhere.

Although companies can manage the risk created by BYOD through the use of encryption software and implementation, and enforcement of BYOD use policies, effective security requires a commitment from the users. While it is expected that employees who use their personal devices for work purposes may also download various apps, this practice poses a risk to organizations. In this regard, Ponemon Institute’s “May 2016 report, Managing Insider Risk Through Training and Culture,” noted that 54% of responding organizations are concerned about employees using unapproved cloud or mobile apps in the workplace. Therefore, it is imperative that employers include BYOD-specific training to employees, highlighting the potential risks in downloading suspicious apps. While the risks inherent in BYOD cannot be completely negated, through proper training they can at least be mitigated.

Finally, the Millennial Generation is becoming a larger percentage of the workforce. They are more tech-savvy than their older colleagues. Millennials are more comfortable sharing information on social media (including information that may not be appropriately shared) and more willing to experiment with new and untested technology.

In this environment of increasing connectivity and mobility, the need for employees to practice cybersecurity-conscious behavior is clear, but how can companies encourage such behavior?

Workforce culture as a solution

In May 2016, Willis Towers Watson published the results of a study analyzing the cyber risk inherent in employee behavior. We analyzed employee opinion results from more than 450,000 employees corresponding to a period during which significant data breaches were experienced within their organizations. The results were benchmarked against high performing companies (that had not experienced data breaches) and global information technology (IT) staff.

The study revealed that both the employees and IT professionals at impacted firms reported a lack of or inadequate training and leadership, suggesting that organizations may also not be keeping employees informed on the latest trends and attack vectors. And with respect to the IT professionals, employees specifically charged with the security of the company’s network, a lack of training at onboarding creates an immediate and potentially lasting blind spot.

Cybersecurity is largely the result of the decisions made by organizations’ employees each and every day. Teaching employees to practice regular security-conscious behavior, however, is easier said than done. Ultimately, investment in appropriate technology and a positive workforce culture that promotes training, company pride, and pay for performance can all help mitigate cyber risk, along with other risk mitigation strategies.