frogboy

Level 75
Verified
Trusted
Despite the perception that hackers are a company’s biggest cybersecurity threat, insiders, including careless or naive employees, are now viewed as an equally important problem, according to a survey by Dimensional Research.
Researchers found that 49 percent of IT security professionals surveyed are more concerned about internal threats than external threats. Malware installed unintentionally by employees was the top concern of respondents, ahead of stolen or compromised credentials, snatched data and abuse of admin privileges.

“Internal threats are emerging as equally as important as external threats, according to respondents. This means that an employee cutting corners to get their job done more efficiently is viewed as potentially just as dangerous as a malicious external hacker,” said Diane Hagglund, founder and principal of Dimensional Research. “Yet these views aren’t reflected in the allocation of security budgets, which is traditionally focused on perimeter security.”

In addition to concerns about insider threats, the report also analyzed cybersecurity training and end user engagement programs. While 95 percent of the companies surveyed provide end user security training, only 10 percent believe the training is very effective.

“Intentional or not, insider threats are real,” says Ajit Sancheti, CEO of Preempt. “Without real-time prevention solutions and improved employee engagement, these threats will not only increase, but find more sophisticated ways to infiltrate and navigate a network. The future of security practices relies on the ability to not only understand users and anticipate attacks, but also how to mitigate threats as quickly as possible.”

Insider threats are a growing problem for enterprises:

  • About half (49 percent) are more concerned about internal threats than external threats.
  • Top concerns are malware installed by careless employees (73 percent), stolen or compromised credentials (66 percent), stolen data (65 percent), and abuse of admin privileges (63 percent).
  • The majority of security professionals (87 percent) are most concerned about naive individuals or employees who bend the rules to get their job done; only 13 percent are more concerned about malicious insiders who intend to do harm.
End user engagement is critical to the success of security programs:

  • While 95 percent provide end user security training, only 10 percent believe the training is very effective.
  • 81 percent say end users are willing to learn, but only 25 percent say they are willing to put in the effort to learn.
  • 66 percent see value in providing real-time training and feedback when an end user does something they shouldn’t.

Security teams need additional solutions and approaches to help protect from insider threats:

Read More. Intentional or not, insider threats are real - Help Net Security

Wave

The employees are one of the worst threats for a company because 9 times out of 10 they will be responsible for the infection due to falling for a social engineering trick or just being careless - for example they may be fooled by a spoofed e-mail which claims to be coming from their attacker with an attachment which has a double extension and the icon of an MS Word document, which then gets executed and happens to really be ransomware, which then spreads across the network with its worm functionality, encrypts all the files and requests a ransom payment.

Another scenario is that they may not be working properly on the job and decide to check their Facebook; one of their friends may have been hacked and the attacker may have posted on their behalf a link onto their profile, which the employee may click on -> resulting in infection.

You also get bad staff with bad intentions who will help someone compromise the network (e.g. to be paid a sum of money), and therefore may collect information such as what protection is in place which will give the attacker time to figure out how they would craft a sample to bypass that specific protection mechanism, etc.

That being said, even aside from infection of the systems through website links/e-mails, attackers can attempt to social engineer the employee via phone to obtain important/confidential information, or maybe they will walk into the workplace and pretend to be an IT administrator and gain access to the system (and only a short time is needed for the person in disguise to connect his USB and infect the systems), etc.

There are so many scenarios it is impossible for me to write them all out, but the employees at companies should be trained properly in cyber security and properly assessed before being given access to systems related to the company, or containing any important documents which need to stay confidential.

There's no point in a company having tons of defence layers for protection against malicious software if the staff are not trained properly, because if you are the weakest link then no protection can save you, period. The same applies to home users; you are the first line of defence, and this will never change and has always been the same since malicious software started to become widespread with virus infections.
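One defender-side check for the double-extension lure described in this post, as an added example rather than anything from the thread: it flags attachment names whose real extension is executable and whose middle extension merely looks like a document. The extension lists are assumptions and the sample names are constructed.

```python
from typing import List, Optional, Tuple

# Extensions Windows runs as code on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1"}
# Extensions a user expects to open harmlessly in Office or a viewer (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
                 "rtf", "jpg", "png"}

def attachment_risk(filename: str) -> Optional[str]:
    """Return why the name is risky (executable, or executable disguised
    with a document-looking middle extension), or None if it looks harmless."""
    # Windows drops trailing dots and spaces before resolving the file type,
    # so "report.docx.exe  " and "report.docx.exe." both run as .exe.
    name = filename.strip().lower().rstrip(". ")
    # Padding between the fake and real extension pushes ".exe" out of view
    # in a narrow mail-client column; strip it before comparing.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2:
        return None  # no extension at all
    exts = parts[1:]
    final = exts[-1]
    if final not in EXECUTABLE_EXTS:
        return None
    lures = [e for e in exts[:-1] if e in DOCUMENT_EXTS]
    if lures:
        return f"double extension: looks like .{lures[-1]} but is .{final}"
    return f"executable attachment: .{final}"

def triage(attachment_names: List[str]) -> List[Tuple[str, str]]:
    """Run attachment_risk over a batch and keep only the flagged names."""
    flagged = []
    for n in attachment_names:
        reason = attachment_risk(n)
        if reason:
            flagged.append((n, reason))
    return flagged

# Constructed sample attachment names for demonstration only.
SAMPLE_ATTACHMENTS = [
    "Q3_Invoice.docx",                      # genuine document
    "Q3_Invoice.docx.exe",                  # classic double extension
    "scan_0042.pdf                  .scr",  # padded so .scr scrolls out of view
    "update.js",                            # bare script attachment
    "README",                               # no extension at all
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ATTACHMENTS):
        print(f"QUARANTINE {name!r}: {reason}")
```

A name-based check like this is a cheap first filter at the mail gateway; it says nothing about the file's actual content, so it belongs in front of, not instead of, content scanning.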

In2an3_PpG

Level 17
Verified
Content Creator
I agree with you 100%. The company I work for is finally looking into training for our employees after we were hit twice with Locky ransomware. Both times it came through email and both times it was the same department opening the file thinking it was legit. Thank God for backups. Even with what the survey says, I still don't believe that some of the people I work with can restrain themselves from opening a file before notifying the right person. Some are click happy. So I guess include me with that 10% who believe training will be effective.

Thanks @frogboy for sharing.

uncle bill

Many years ago I worked for a small company. There was a "strange" guy there who used a single password for everything, and the password was the company telephone number. It took me 3 weeks to change all that mess and all I got from him was: "I'm going to crack your passwords and bypass your restrictions". Nice guy, isn't he? I'm really happy I don't have to work with him anymore because I'm sure he's still as stupid as he used to be.