How Employees Are Your Weakest Cybersecurity Link

By Hardik Savani April 26, 2022 Category : Guest Post

As IT is shifting toward the cloud and SaaS applications, cybersecurity is changing. One thing that remains constant, however, is the fact that your employees can ultimately be your weakest link when it comes to cybersecurity.

This is a big part of why organizations and even small businesses are starting to utilize Zero Trust security frameworks.

With Zero Trust, there’s micro-segmentation, and there are additional authentication measures like multi-factor authentication and single sign-on. Zero Trust can help prevent lateral movement if there is infiltration from a bad actor, which could stem from a mistake on the part of an employee, such as password reuse.

Credential breaches remain one of the top causes of data loss, even with all we know about cybersecurity.

Employees, no matter how well-intentioned, remain a top weakness, and this tends to be worsened by remote and hybrid work. With remote and hybrid work, your employees might not follow cybersecurity guidelines as closely as they would otherwise, and they’re constantly working from different environments.

Understanding how your employees can become your weak cybersecurity link can help prevent some of the situations that would otherwise occur.

The Numbers

According to an IT Governance report, 54% of the senior executives interviewed said they felt their employees were the greatest threat to their cybersecurity, while only 27% said hackers were. Twelve percent said they feared the biggest threat was from state-sponsored attacks, and 8% named corporate rivals.

A Tessian study found that 88% of data breaches resulted from or involved human error. The same survey found that 43% of employees said they’d made mistakes at work that could compromise cybersecurity. Fifty-eight percent said they’d sent a company email to the wrong person, often citing reasons like being tired or distracted.

In the 2021 Data Breach Investigations Report from Verizon, it was found that 61% of all breaches involved credential theft, including usernames and passwords. Credential phishing made up two-thirds of all the malicious messages tracked in 2020 by Proofpoint.

Credentials are incredibly valuable to cybercriminals because they can use them in so many ways.

Ransomware attacks are becoming more targeted. Presently, attacks are often multistage, meaning the cybercriminals will do their research and work to identify who could potentially have privileged access. Then they target that person with phishing emails that steal their credentials when the target clicks on them.

Then, once the cybercriminal has the credentials, they can log in and deep-dive into their research.

Criminals can also use the accounts they hack to send convincing emails to employees that appear to come directly from company officials.

Why Are Employees the Weak Link?

It can sound harsh to call employees the weak link in cybersecurity, but it refers to everyone at any level in an organization. In fact, it’s becoming increasingly popular for scammers and bad actors to target executives and high-level company officials.

The pandemic has worsened many of the things that make employees weak links.

For example, there’s a lack of oversight when employees are working remotely. They may not be following best practices. Employees are doing things they wouldn’t do in the office, or not doing things that they would.

They’re logging into numerous accounts and applications each day, and there are increasingly blurred lines between personal things people are doing on their devices and their work. They’re reusing passwords to make things easier for themselves, and they’re not always paying attention to their emails in a way that would allow them to be mindful of cybersecurity.

Employers may also be offering less training than they were before the pandemic when most employees were onsite, and when they’re onboarding new employees, they may not be doing it as comprehensively as they once were.

Another big risk that’s been heightened during the pandemic is the use of unsecured networks. Employees are working in cafes, coffee shops, and sometimes around the world. If employees are working in a remote location, they could be the victim of what’s dubbed juice jacking. In this situation, a wireless charging port is hacked, and cybercriminals can record what’s being watched or written on a device. They can also download programs to the device.

Specific Threats

Specific threats that relate to employee weaknesses and errors, along with the use of unsecured networks, include:

  • Phishing: These attacks remain the most popular way for bad actors to gain access to what they want, and at their core, they’re not incredibly high tech. What they do instead is capitalize on human error and weakness. Phishing will lure people into providing sensitive information, and these attacks are growing in how convincing they are.

  • Password reuse: We talked about this briefly above, but password reuse is a huge problem. Most employees are using the same passwords over and over again across devices and for personal and work reasons. Then, when a bad actor obtains their credentials from a website, even if it’s not work-related, they may be able to use those to access other things. Some employees are even found to be using work emails to join personal sites and forums.

  • Installing malicious apps: Employees might be duped into downloading and then installing an extension or app, and it can contain malware.

  • Unsecured data storage: Sensitive data shouldn’t be stored within a site that’s not secure or on an unsecured device, yet this is something employees continue to do.

  • Losing devices: If an employee leaves a work device unattended, it can be lost or stolen. If it’s unlocked, that becomes even more problematic.

Finally, something as simple as employees with weak passwords can lead to significant vulnerabilities for an organization. Around 44% of employees say they have insecure passwords at work. This makes it all too easy for a hacker to crack their password and potentially gain access to your entire organization, depending on how you structure your approach to cybersecurity.

No matter how your employees are working now, including when they’re fully remote, adequate security training remains your best protection against cybersecurity threats.
