Only A Few Employees Cause The Majority Of Breaches

In today’s increasingly digital world, it’s more important than ever to be aware of the risks your small business could face online. Cyber crime can impact businesses in several ways, and a cyber-attack has the potential to cause financial and reputational damage to a small business or sole trader.

As businesses of all sizes know, building a good reputation and earning customer trust takes years of hard work. Without the appropriate precautions in place, this can be destroyed in minutes if the business is targeted by a cyber attack.

Too often staff are putting their companies at risk from phishing, malware, and insecure browsing and staff who do this the most are often putting the firm at risk of cyber  attacks. Usually, it is a small group of employees who are often responsible for most of the digital risk in an organisation, according to recent research.

The Report, from the cyber security firm Elevate Security and the cyber security research organisation Cyentia have found that those responsible for putting their companies at risk from phishing, malware, and insecure browsing are often a few repeat offenders.

The research found that 4% of employees clicked 80% of phishing links, and 3% were responsible for 92% of malware events.

  • Four in five employees have never clicked on a phishing email, according to the research. In fact, it asserts that half of them never see one, highlighting the need to focus anti-phishing efforts on at-risk workers. 
  • The malware that phishing and other attack vectors deliver also affects a small group of employees. The research found that 96% of users have never suffered from a malware event.
  • Most malware events revolve around the 3% of users who suffered from two malware events or more, reinforcing the notion that security awareness messages just aren't getting through to some employees.
  • A small number of users are also responsible for browsing risky websites. 12% of users tried to visit sites that violate their organisation's browsing policy at least 750 times each in a year, causing security systems to block the session. These users accounted for 71% of all browsing violations.
  • Illicit browsers aren't always the same people responsible for phishing emails and malware. The report found 9% of users exhibiting high risk in only one category, and only 0.052% of users falling into the high-risk category for all three activities.

Companies can mitigate human error by including technical controls to block malicious emails, but performance here is mixed. Almost one in five (17%) of departments blocked no malware.

Departments were either very good or very bad at blocking phishing emails. More than half of departments block 95% of these mails, while one in ten block almost none. Those that receive the most phishing emails per year are more likely to block them.

The report found that block rates for both phishing emails and malware are not uniform within organisations. Individual departments have varying success rates at stopping digital toxins. "Simply making controls available or even requiring them isn’t enough," the report said. "Organisations have to be willing to also measure whether those controls are doing what they are supposed to be doing."

Small businesses are attractive targets because they typically lack the budget and resources to prevent, identify, respond to, and recover from threats.

No target has proved too small for hackers, who are constantly on the hunt for new opportunities. "No matter if it is education, government, health care, manufacturing or electricity, each sector has had many successful cyber-attacks in the past," says Candid Wuest, vice president of cyber protection research at cyber security firm Acronis.

Some criminals enjoy variety, focusing on specific groups for a while before they move on to the next group. Remote workers are sitting ducks for cyber criminals. Hackers can slip in through remote access entry points, including remote desktops and VPN access portals. You should make sure your remote workers are trained to spot phishing attempts, use two-factor authentication, and download the most recent updates of security software.

Elevate Security:    ITPro:     Forbes:   Inc.com:     Hosting Tribunal

For advice and recommendations on  cyber security staff training please contact Cyber Security Intelligence.

You Might Also Read: 

Employee Cyber Security Training Is Vital To Reduce Cyber Attacks:

 

« US Moves Cyber Defences To High Alert
Operating Technology Security Issues Are Increasing »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CERT-AM

CERT-AM

CERT-AM is the national Computer Emergency Response Team for Armenia.

Athena Dynamics

Athena Dynamics

Athena Dynamics focuses on Cyber Security, especially in Critical Information Infra-structure Protection and Enterprise IT Operation Management products and Services.

Signifyd

Signifyd

Signifyd is the world's largest provider of Guaranteed e-Commerce Fraud Protection.

CyberGuarded

CyberGuarded

CyberGuarded are an accredited vendor independent information security testing and auditing company.

IBA Security

IBA Security

IBA Security is a center of competence consolidating the cybersecurity expertise of the IBA Group.

Recovery Point Systems

Recovery Point Systems

Recovery Point is a leading national provider of IT secure and compliant infrastructure and business resilience services.

EYE Security

EYE Security

EYE provides enterprise-grade cyber security services and cyber insurance to SMEs in Europe, Cyber Incident Response and strategic advice in board rooms.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Outsource Group

Outsource Group

Outsource Group is an award winning Cyber Security and IT Managed Services group working with a range of SME/Enterprise customers across the UK, Ireland and internationally.

Logically.ai

Logically.ai

Logically combines artificial intelligence with expert analysts to tackle harmful and manipulative content at speed and scale.

Metabase Q

Metabase Q

Metabase Q protects you from financial and reputational losses with more efficient and intelligent cybersecurity, using the best worldwide in technologies, processes and specialists.

HashDit

HashDit

HashDit products and services focus on helping build a safe ecosystem for both protocol users and smart contract developers on BNB Chain.

Cyera

Cyera

Cyera is the data security company that gives businesses context and control over their most valuable asset: data.

IBM Security

IBM Security

IBM manufactures and markets computer hardware, middleware and software, and offers hosting and consulting services in areas ranging from mainframe computers to nanotechnology.

ProvenRun

ProvenRun

ProvenRun is a leading provider of trusted software solutions with extensive expertise and an unwavering commitment to security.

Cynch Security

Cynch Security

Cynch Security are passionate about building a world where every business is resilient to cybersecurity risks, no matter what their size.