Employee Negligence: The Greatest Mobile Threat is Sitting in Your Office
A careless employee who leaves his unlocked smart phone in a taxi poses as much danger to his employer as a disgruntled worker who leaks company information to a business competitor. An employee who is not trained in security best practices, has a weak password, visits unauthorised websites, clicks on links in unsolicited and suspicious emails and blindly opens email attachments, poses an enormous security threat to his employer’s systems and data.
–Salleh Buang, NST
According to current estimates, 71 records are lost or stolen every second. That’s over 250 thousand per hour or six million per day. In the past six years, nearly 15 billion records have been lost or stolen this way.
More often than not, the people responsible for these breaches have a very familiar face. They are people you trust, because if you didn’t, you never would have hired them.
You don't have to break in if you already live there
Generally, hackers have to do a fair amount of work to break into your systems. Employees, however, have the keys handed to them. Depending on the level of permission (or how careful you are with restricting access) employees, contractors, interns, vendors, customers – any number of people – have some level of access. After all, they need it in order to work or do business with you.
Naturally, a great majority of these people have no intention of breaking that trust. Yet, insider threat is very real and extremely costly. Last year, Ponemon Institute interviewed hundreds of IT and IT security practitioners in Asia Pacific, Europe, Africa, the United States, Canada and the Middle East. It found that: ‘Large organisations with a headcount of more than 75,000 spent an average of US$2,081 million (approximately RM8.7 billion) over the past year to resolve insider-related incidents.
To deal with the consequences of an insider incident, smaller-sized organisations with a headcount below 500 spent an average of US$1.80 million (RM7.1 million). Companies in financial services, energy & utilities, and industrial & manufacturing incurred average costs of US$12.05 million (RM50.3 million), US$10.23 million (RM42.7 million) and US$8.86 million (RM40 million), respectively.’
Unintentional actions with severe consequences
The same study found that the majority of insider incidents are accidental rather than deliberate attacks. Ponemon Institute’s analysis of 3,269 insider-related incidents (including malicious attacks, credential theft, and simple negligence) showed that 63% were caused by careless or negligent employees. While the cost per incident was lower than for stolen credentials, the sheer frequency added up, making carelessness the most expensive of all insider threats.
That’s not to say that individual cases of employee negligence never incur huge costs. In 2016, credentials that Uber engineers had carelessly left in a code repository were used to steal the personal information of 57 million Uber users and drivers worldwide, including users and drivers in Malaysia. Financial and reputational losses to the company were extreme.
Types of negligence
Negligent employees (and contractors, interns, vendors or anyone with access to any part of your organisation’s systems or data) are those who are either unaware of threats or simply do not take them seriously enough. This leads to careless and potentially catastrophic practices, including:
- Downloading dangerous apps
Tempted by a cool new app, especially when it’s free? That’s exactly what hackers want, because free apps are where they hide their adware, spyware, ransomware and other mobile threats. Malaysian business owners should be especially concerned: the incidence of ransomware has been growing faster in our country than in Western countries. In addition, the density of drive-by download pages, where a device is infected simply by visiting a website, is higher in Malaysia, Indonesia and Taiwan than anywhere else in the world.
- Interacting with unverified content
In 2014, hackers gained access to Yahoo’s network (and the accounts of 500 million users) when one Yahoo employee clicked on a malicious link. In 2018, an overwhelming 92.4% of all malware was delivered by email. This year hackers created replicas of the Malaysia Airlines website, offering visitors prizes in return for their personal data. Phishing attacks, malicious URLs, man-in-the-middle attacks, and so much more can happen when an employee unwittingly opens the wrong email, link or attachment.
- Using easily hackable passwords
Passwords are among the oldest, most familiar forms of online protection. Yet, in spite of countless campaigns, reminders, and news stories about spoofing, tampering and information disclosure, password safety is still widely neglected. For example, one recent survey showed that one in 10 people use a single password for all their accounts, and more than half use the same few passwords across various accounts. In other words, it is likely that at least some of your employees are accessing your systems with the same password they use for personal, easily hacked sites. Attackers count on this: credentials leaked from one breached site are routinely tried against other services (credential stuffing), so a reused password is only as strong as the weakest site it was ever used on.
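One practical check for the password problem above is to test each candidate password against a corpus of passwords already exposed in breaches, without sending the password itself anywhere. The following is an added example, not code from the original article: it models the k-anonymity range query used by breached-password services (only the first five hex characters of the SHA-1 hash leave the client, and the service returns every hash suffix it knows for that prefix). The breach corpus, its counts, and the function names are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed breach corpus for this example (not a real dump): plaintexts and an
# illustrative number of times each appeared in breaches. A real deployment would
# query a service holding hundreds of millions of hashes instead of this list.
SAMPLE_BREACH_CORPUS: List[Tuple[str, int]] = [
    ("password", 3_000_000),
    ("123456", 20_000_000),
    ("qwerty", 2_500_000),
    ("letmein", 250_000),
    ("Summer2019!", 1_200),
]

PREFIX_LEN = 5  # hex characters disclosed to the lookup service (20 of 160 bits)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the format breach lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: List[Tuple[str, int]]) -> Dict[str, Dict[str, int]]:
    """Server side: group known hashes by 5-char prefix -> {suffix: count}."""
    index: Dict[str, Dict[str, int]] = {}
    for plaintext, count in corpus:
        digest = sha1_hex(plaintext)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def range_lookup(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Server side of the k-anonymity query: given only a prefix, return every
    (suffix, count) pair sharing it. The server never learns which suffix the
    client cares about, so it never learns the password or its full hash."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_lookup(index, prefix).get(suffix, 0)


def assess_password(password: str, index: Dict[str, Dict[str, int]],
                    min_length: int = 12) -> List[str]:
    """Return the reasons a candidate password should be rejected (empty = accept).
    The minimum length is an assumed policy value, not one the article states."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = breach_count(password, index)
    if seen:
        problems.append(f"appears in breach corpus ({seen:,} times)")
    return problems


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_BREACH_CORPUS)
    for candidate in ["password", "Summer2019!", "correct horse battery staple"]:
        print(f"{candidate!r}: {assess_password(candidate, idx) or ['OK']}")
```

Run at password-change time, this rejects anything already circulating in breach dumps, which is exactly the reused "personal site" password the paragraph warns about; the same prefix-only query shape is what keeps the check safe to perform against an external service.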
Keep in mind that these are just a few examples of employee negligence. Employees are also guilty of not securing their devices (hackers who get their hands on lost or stolen devices, especially unsecured ones, can gain access to all sorts of stored data), not updating their operating systems or apps with the latest security patches, and making configuration mistakes that expose data and systems. In 2017, ‘breaches related to misconfigured cloud infrastructure’ had increased by 424%.
The good news is that carelessness is fixable. In our next article, we will discuss immediate steps you can take to reduce the mobile threat to your company.