Two recent cybersecurity incidents illustrate how employees can be targeted by threat actors or how employee action can result in a data breach:
- Hackers accessed internal systems of a video game company after sending an SMS phishing text to an employee
- A software company suffered a data breach after hackers obtained an employee’s credentials that were mistakenly posted in a public repository
Both these cyberattacks could have been avoided through greater security awareness which can be achieved through employee education. Before we explore cybersecurity education for employees in the enterprise, let us first understand how employee action can result in cyberattacks.
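The second incident above, a credential committed to a public repository, is the kind of mistake that awareness training reduces but does not eliminate, so a practitioner pairs the training with a check that runs before the commit leaves the developer's machine. The scanner below is an added example written for this page; it is not code from K7 or from the companies involved in the incidents. The AWS access key ID format (`AKIA` followed by 16 upper-case alphanumerics) and the PEM private-key header are documented formats; the password-assignment rule, the allowlist of placeholder values, and the sample file contents are assumptions constructed for the example.

```python
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    snippet: str  # redacted: only the first four characters are kept


# Detection rules for this example. The first two match documented formats;
# the third is a generic heuristic and will flag placeholders unless allowlisted.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Placeholder values a policy would normally let through (assumed list, compared case-insensitively).
ALLOWLIST = {"changeme", "<redacted>", "${password}", "example"}


def _redact(value: str) -> str:
    """Keep enough of the value to locate it, never enough to reuse it."""
    if len(value) <= 4:
        return "****"
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit that is not an allowlisted placeholder."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if value.lower() in ALLOWLIST:
                continue
            findings.append(Finding(line_no, kind, _redact(value)))
    return findings


def should_block_commit(text: str) -> bool:
    """Policy decision for a pre-commit hook: any non-allowlisted hit blocks the commit."""
    return bool(scan_text(text))


# Constructed sample file contents. The AWS key ID is the example value AWS
# uses in its own documentation; the other values are made up for this example.
SAMPLE_FILE = """\
DB_HOST = "db.internal.example"
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "sk-live-0123456789abcdef"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...truncated...
"""


def main(paths: list[str]) -> int:
    """Scan each path given on the command line; exit non-zero if anything should block."""
    blocked = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                print(f"{path}:{f.line_no}: {f.kind}: {f.snippet}")
                blocked = True
    return 1 if blocked else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in scan_text(SAMPLE_FILE):
        print(f"sample:{f.line_no}: {f.kind}: {f.snippet}")
```

Wired into a pre-commit hook as `python scan_secrets.py $(git diff --cached --name-only)`, a non-zero exit stops the commit. The allowlist is what keeps the hook tolerable: the placeholder `DB_PASSWORD = "changeme"` in the sample passes, while the key ID, the API key and the private-key header are all reported with their values redacted so the hook output itself does not become a second leak.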
How Humans Can Cause Cyberattacks
An employee can cause a cyberattack through
- Human Error – This could include sharing a password, leaving a laptop unlocked and unattended in a public place, or discussing problems faced in the IT infrastructure of the organisation in a technology forum in a way that allows the organisation to be identified. Human error also includes designing business processes without following cybersecurity best practices, such as a payment process with no independent approval step
- Falling for Phishing – Phishing is a form of social engineering where the victim is manipulated into performing an action that has an adverse impact on the organisation, such as transferring funds to the attacker or opening an email attachment laced with malware. 91% of all cyberattacks are estimated to begin with a phishing email
- Intentional Action – An employee may deliberately initiate or enable a cyberattack against their employer due to dissatisfaction or greed.
How Employee Education Can Prevent Such Attacks
Educating employees can help mitigate the human factor in cyberattacks. We will examine how education addresses each of the factors mentioned above.
Human Error
Many enterprises do try to create employee cybersecurity awareness by putting up posters that warn against sharing of passwords or by conducting a floor walkthrough at lunchtime to identify unlocked computers. Such measures have limited success as they do not make employees identify with the need for cybersecurity. Employee education that focuses on how enhanced cybersecurity benefits the employee as well as the organisation can help employees understand the importance of cybersecurity from a practical viewpoint and apply their training when completing their tasks.
Employee education does not imply a one-size-fits-all approach. Training programmes can be customised to suit the needs of teams e.g., the IT team will require training that emphasises the technical aspects of cybersecurity, such as identifying and closing gaps in cyber defences and investigating malware reports, to improve their ability to build and maintain effective cybersecurity; end users will not require such technical training and will be better served by education on cyber hygiene.
Employee education also enables decision makers to adopt a ‘shift-left’ approach and prioritise cybersecurity in their initiatives. This can range from choosing vendors who have a track record of providing frequent and timely security updates for their products, to incorporating cybersecurity in strategic planning.
Falling for Phishing
As explained previously, phishing is a form of social engineering. Phishing may be difficult to counter with technology solutions, such as endpoint protection, as it may not involve malware or malicious links, and may occur on an employee’s device through their personal use of web resources. For example, the attacker may approach a member of the IT team on LinkedIn posing as a recruiter; a job interview may be conducted with questions designed to gain information on the IT infrastructure of the target organisation and that information may be used to launch an attack.
Employee education that highlights the various phishing methods used by threat actors to gain the victim’s trust will help employees spot phishing attempts in their personal and professional lives. Employee education also helps decision makers realise that corporate culture can play a role in making phishing easier to accomplish, and change how the organisation functions. For example, a culture where the boss is obeyed without question enables phishing as the attacker can impersonate the boss via email and send a request for transfer of funds to the attacker’s bank account; organisations that are aware of this risk can change their culture and introduce a maker-checker system for all payments including payments requested by senior leadership.
Intentional Action
Intentional action by employees, also known as insider attacks, is the most difficult to defend against as the attacker is familiar with and already has legitimate access to the organisation’s infrastructure. The attacker may even be a senior employee whose elevated privileges can be used to cause severe operational disruption.
Employee education may not stop a disgruntled employee from launching an attack, but can help other employees spot the impending attack and take preventive action e.g., an employee may become suspicious due to unusual activity from the attacker, such as requesting access to data unrelated to their responsibilities or attempting to enter restricted areas.
Employee education can also make management aware of the potential for intentional malicious action and change internal practices and processes to avoid concentration of power in the hands of a few by implementing a system of checks and balances, mandating the principle of least privilege at all levels of the hierarchy, and requiring elevated privileges to be removed as soon as the task for which they are required is completed.
Frequency of Employee Education
Employee education cannot be a one-time exercise as cyberattacks keep evolving and employees’ knowledge and awareness of cyberattack techniques will need to be refreshed. Formal training, in the form of a session conducted by knowledgeable cybersecurity practitioners, will need to be conducted at least once a year. Other forms of education, such as email advisories, can be utilised as dictated by the urgency of the threat.
K7 Academy delivers enterprise cybersecurity education for technical and non-technical audiences, backed by K7’s 30+ years of expertise in cybersecurity. Contact Us to learn more about our cybersecurity training programmes and how we can help your organisation counter the human factor in cyberattacks.