Over the last 12 months, 32% of all businesses identified cybersecurity breaches, according to the Cyber Security Breaches Survey. The most common attacks reported by companies that detected attacks were phishing (80%), impersonating an organization in emails or online (28%) and viruses, spyware or malware, including ransomware attacks (27%). All of these attacks take advantage of employees and pose significant risks to businesses.
An effective cybersecurity strategy must involve appropriate controls to maintain a base level of security, and a monitoring system to look for attempts to violate the policy, which should be underpinned by training for all employees. Many companies fail to consider that their people are as important as the software they use when it comes to protecting themselves against cyber threats.
Progressive technology provider Evaris is urging recruiters and HR managers to make the provision of basic IT training mandatory during the onboarding process for new employees to help reduce the risk of costly security breaches.
Lack of IT training in UK businesses
There is an assumption that new employees have at least a basic knowledge of IT and IT security, and despite companies understanding the threat that users operating within the infrastructure can cause, these skills are not being checked within the first month of employment.
A survey conducted by Evaris found that 65% of UK professionals did not receive mandatory IT training in their first month of employment in their current or most recent role. Of these individuals, 74% had never received any IT training at all in their current or most recent role, despite 86% of all respondents saying that they worked on a computer every day.
What’s more, there is a consensus that employers do not value the ongoing development of their IT skills. Some 45% of respondents said their employer takes the development of their IT knowledge either “not so seriously” or “not at all seriously”. Just 11% said they felt their managers take this issue “very seriously”.
How hackers target employees
There are a number of low-tech methods that hackers use to take advantage of employees – some of which may seem too simple to be believed. These methods include:
- Social engineering – hackers posing as people within an organization to obtain access to the network, for example, presenting themselves as a member of IT security and asking for a network password.
- Baiting – hackers use data captured about an employee to trick them into revealing information. An example is using the information listed publicly on LinkedIn to target a junior employee by posing as the CEO to request an action to be carried out.
- Unsubscribe buttons – hackers coax employees into downloading malware by hiding links to malware sites in email unsubscribe buttons, which must be included on all marketing emails.
- Keylogger – also known as keyboard capturing, this technique records and stores a user’s keystrokes and can often pick up personal email IDs, passwords and other sensitive data.
- Internal threats – current or former employees can gain unauthorized access to confidential data, or infiltrate a business’s network with malicious intent. This can include infecting machines with keylogging software or ‘shoulder surfing’ – the act of observing someone typing their password.
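The “unsubscribe button” trick above works because the visible text of a link says one thing while its destination says another. One defender-side check a mail gateway or awareness tool can run is to compare the domain of every unsubscribe link against the sender’s domain. The following Python is an added example written for this article, not code from Evaris or from the original piece; the sample message, the sender address and the domains in it are constructed, and the registrable-domain helper is a deliberate simplification (it takes the last two labels rather than consulting a public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Simplification (assumption): treat the last two labels as the owning domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_unsubscribe_links(html_body, sender_address):
    """Return (text, href, reason) for unsubscribe links that do not belong to the sender."""
    sender_domain = registrable_domain(sender_address.rsplit("@", 1)[-1])
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        if "unsubscribe" not in text.lower():
            continue  # only the links that claim to be unsubscribe controls
        parsed = urlparse(href)
        if parsed.scheme in ("http", "https"):
            host = parsed.hostname or ""
        elif parsed.scheme == "mailto":
            host = parsed.path.rsplit("@", 1)[-1]  # mailto:unsub@domain
        else:
            findings.append((text, href, "unexpected scheme"))
            continue
        if registrable_domain(host) != sender_domain:
            findings.append((text, href, "domain does not match sender"))
    return findings


# Constructed sample: a marketing email from a fictitious shop with one bad unsubscribe link.
SAMPLE_SENDER = "news@example-shop.com"
SAMPLE_HTML = """
<html><body>
<p>Weekly deals from Example Shop.</p>
<p><a href="https://www.example-shop.com/deals">See deals</a></p>
<p><a href="https://mail.example-shop.com/unsub?id=123">Unsubscribe</a></p>
<p><a href="http://example-shop.com.evil-tracker.test/u">Unsubscribe here</a></p>
<p><a href="mailto:unsubscribe@example-shop.com">Unsubscribe by email</a></p>
</body></html>
"""

if __name__ == "__main__":
    for text, href, reason in check_unsubscribe_links(SAMPLE_HTML, SAMPLE_SENDER):
        print(f"FLAG [{reason}] '{text}' -> {href}")
```

Only the link whose host ends in an unrelated domain is flagged; the subdomain and mailto variants pass because they resolve to the sender’s own domain. In training material this makes a good live demonstration of why hovering over a link before clicking matters.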
The relationship between personality and cybersecurity
Multiple studies have been carried out to explore how personality traits affect a person’s ability to comply with security policy or increase their risk of falling victim to a cyber attack. Whilst their findings vary and are never definitive, a common set of observations recurs across them.
Individuals who are extroverted are more likely to violate cybersecurity policies when compared to conscientious or neurotic individuals. Social media users who rank highly in openness to experience are also more likely to set fewer privacy settings, which makes them vulnerable to attacks.
Women who are categorized as conscientious have a tendency to fall victim to phishing scams. However, there does not appear to be a correlation between a man’s personality type and his vulnerability to phishing.
In nearly all of the studies, the intent of an individual and their actual behavior can be very different, which makes security compliance behavior harder to predict. It is far too easy for an organization to adopt a one-size-fits-all approach to cybersecurity; however, this does not take into account the various personality traits of its users. A ‘catch all’ security policy does not consider, for example, the ‘neurotic’ individual who feels they are diligently following a security policy yet is open to phishing attacks, the social media user for whom openness is the norm and who will select the bare minimum of controls, or the renegade extrovert who sees the violation of policy as a challenge.
What should businesses do?
It is in the best interests of all businesses across the board to ensure their employees have all the knowledge, awareness and skills they need to help protect the company against costly cyber attacks and data breaches. This means ongoing education and training, with the active involvement of the company’s IT department.
Each and every person in the workforce – from the minute they start with the business – should receive training to understand data management, protection and disposal best practice. The threat of cybersecurity attacks should not be underestimated, and it is up to employers to ensure that their staff have the tools they need to ensure company data is protected at all times.
About the author: Mike Cohen, CEO at Evaris. He has more than 35 years’ experience in the IT sector, is a respected thought leader in the industry, and has held a number of senior roles, including interim management and managing director positions, during his career.