What is insider threat?
Your people are the beating heart of your business. Whether it’s those on-site taking measurements for a new build, the administrative assistants processing student applications, or even the office manager printing out important documents – everyone plays an important role. But at the same time, everyone is human and susceptible to error. And in today’s online working world, that comes with serious security risks.
Insider threat refers to people working within the business, whose errors can threaten business security. Unfortunately, even the smallest employee mistake can have big repercussions. This is especially true for small and medium-sized enterprises (SMEs), where the impact of an attack can prove critical for the business. Cybercriminals already know that the weak spot in a business’ digital defence is the employees working there. They depend on individuals lacking training or diligence, for instance when they log on or reply to an email, and hope employees are unaware of the risks.
To uncover how businesses are at risk of insider threat, we conducted research with SMEs across Europe. We spoke to 5,770 IT decision makers in business sectors such as construction, legal, education and healthcare, and our findings shed light on their online vulnerabilities and concerns. As it stands, almost four in ten (37%) of those surveyed believe employees not following training or guidelines is a significant risk to the effectiveness of IT security. But there’s more to the story.
The human error challenge
Your digital defence is only as strong as your trained workforce. Even with traditional business security systems in place, human error can make cyber protection ineffective. It’s not surprising, then, that a third of our respondents cited a lack of employee knowledge or training as something that has increased IT security concerns.
A whole range of common mistakes can lead to a security breach. Maybe your marketing executive accidentally sends sensitive customer information to the wrong account. Or maybe a teaching assistant mistakenly follows a malicious link in an email, exposing student data (an attack known as phishing). It could even be someone making copies of confidential pages at the office scanner but forgetting to remove the original document from the tray afterwards.
Of course, there are different factors at play. Employees might simply not know the risks, significantly weakening any defence against them. Many employees in the business might not respond to training requests, because they are too busy or because they think they’re already trained. Some may even be compliant with business security practices, but prone to the occasional error. Let’s take a look at what our SME findings revealed.
What the research shows
Let's see what the European SMEs we questioned had to say.
Every business, big or small, uses email to communicate in some way. Junk folders can be quite good at automatically filtering out spam from unknown senders. But as cybercrime becomes more sophisticated, phishing attacks (where individuals are tricked into disclosing, modifying, or deleting sensitive information) are rising. Now the most common form of cybercrime, phishing attacks depend on your employees making an error in judgement. At the same time, malware attacks can happen when devices on your network (including your phones, tablets, and printers) are not fully secure. Each attack can lead to devastating outcomes, and 20% of the SMEs we surveyed cited data loss as their biggest business security concern. To avoid mistakes happening, business leaders should ensure their employees are fully aware of what to look out for in every email, and the implications of not checking properly.
For all its benefits, hybrid working has escalated concerns over security technology risks for SMEs. 29% are now more concerned because employees use their own devices. While many employees will work between the office and their home, some may choose to work in cafes or co-working spaces, where networks aren’t secure. Despite this concern, nearly three-fifths (59%) of SMEs have not increased IT security training since moving to a hybrid model. The combination of potentially insecure networks and out-of-date security knowledge means there’s fertile ground for mistakes.
Lots of sensitive data is handled in businesses every day. Whether that data belongs to students, patients, customers, or the business itself – there’s no denying that it should be handled with care. And it’s not just a malicious email link that can expose it. Breaches in data security can happen at any endpoint (a device connected to the network) – from your office printer to employee tablets. Unfortunately, as only one-third of SMEs have security in place to cover printers, many aren’t covering all bases – and not all employees will even know where the risks lie. In fact, one-third of SMEs are either not particularly confident (14%) or not confident (15%) that employees have adequate knowledge of IT security risks.
Blending the human with the digital
Taking our research into consideration, SMEs should make mitigating insider threat a top priority. There are two different approaches to doing this effectively – both of which are equally important.
First, understand and address the human side of security within the business. It’s important to build an online security culture that reaches all employees, not just your IT department and office workers. Everyone from those delivering goods to those answering the phones should have security best practices at the forefront of their minds when working. One way to test employee responses safely is to run simulated ‘phishing assessments’, where the business itself sends out harmless mock phishing emails and tracks who reports them and who clicks. Another is to make online security training mandatory for all employees.
Second, get the technology right. While insider threats come down to the actions of humans, technology can help to prevent mistakes – and a multi-layered security approach will help to cover all bases. This includes a range of security controls, regular risk assessments and training, more regular penetration testing (where authorised testers probe your network for weaknesses an outsider could exploit), as well as round-the-clock monitoring. Striking the balance between technology and reminding employees of the role they play is key.
Mistakes happen, cyberattacks don't have to
Just like everybody else, employees will make mistakes. Whether you’re a business director or an admin assistant, accidents happen. But that doesn’t mean cyberattacks have to. Providing adequate training and increasing employee awareness, diligence, and accountability will help minimise errors leading to genuine harm.
If or when a mistake occurs, it’s important to have the right cyber protection in place. At Sharp, we help SMEs build a robust digital defence by ensuring they have the appropriate level of cyber protection in their businesses today. Our comprehensive range of tailored security services and solutions lends an extra layer of defence to your business security systems.
Discover more ways to stay protected
Explore the Real World Security hub for more content about SME cybersecurity risks today.