An organization can flourish only as long as its security remains intact. An organization’s security can be thought of as a chain. Just as a chain is made of links, an organization’s security is made up of links such as an antivirus product or a secured network. In the People-Process-Technology triad, however, the most important and also the most vulnerable link in this chain is the people: the employees who work for the organization and run it. Cyber security depends heavily on this link. One report states that 78% of security professionals believe the biggest threat to this chain is the negligence and ignorance of employees, and that around 9.3 insider threats per month pose a serious danger to it.
Attackers understand human psychology extremely well and therefore succeed in victimizing this weakest link of the security chain. Our negligence, such as failing to follow compliance requirements, can cost an organization thousands of dollars.
Even machines are susceptible to error, let alone humans. Since technology and humans are in a symbiotic relationship, the likelihood of loopholes and mistakes increases manifold.
Organizations need to strengthen this extremely weak and vulnerable link since most of us can be easily targeted.
Why do attackers target employees in an organization?
- For IP theft: Attackers may attempt to steal contractual information, source code, client details, employee details and other confidential data.
- For monetary gain: Attackers can easily earn large sums of money by hitting an employee’s system with ransomware. In order to retrieve their data, people pay the ransom even though there is no guarantee of getting it back.
- Mirroring the FBI: In the worst case, attackers are employed by an organization to spy on its rivals in order to win the competitive race.
- Defaming an organization: Attackers can hack into an employee’s system and misuse the sensitive information against the targeted organisation.
- Collapsing like a house of cards: Attackers can be so strong and malicious that they can even destroy an organization. Data is the most crucial and important part of an organization’s foundation. Once an attacker gets his hands on the data, that organization will definitely collapse like a house of cards.
Why is it so concerning?
Malicious attackers are social engineers. Social engineers exploit fallible human behaviour and are able to target industries such as telecom, cloud services, consumer internet, healthcare and e-commerce. Healthcare and BFSI are at the top of hackers’ hit lists, precisely because they can leverage the negligence of employees. In fact, approximately 60 percent of businesses became victims of a social engineering attack in 2016.
How can we reduce vulnerabilities?
By taking a number of measures, we can reduce the vulnerabilities in a system:
- Employees should be educated about these attacks in detail through in-depth training sessions that ensure they are able to shield themselves against the various attack vectors.
- A regular people risk assessment should be conducted for every employee, which helps reduce cyber risk.
- Vulnerability Assessment and Penetration Testing (VAPT) should be conducted periodically in order to reduce an organization’s exposure to threats.
Enterprises that lag in prioritizing proactive risk assessment and security awareness can only rely on luck until the day they are hit by an attack and forced to spend mammoth amounts of money mitigating the PR nightmare of a scandalous data breach.
In the words of Russ Verbofsky, CIO & CISO at the New Mexico Department of Game and Fish: “You can pay me today or tomorrow, but tomorrow includes a press release that will describe how we were not proactive in protecting our systems and data.”