You Are the Weakest Link (in your Cyber Security)
With cyber attacks on UK businesses tripling last year, from more than 2.39 million in 2022 to 7.78 million in 2023, and half of UK businesses stating that they had been the target of a cyber attack or data breach, it is essential that businesses ensure that they have comprehensive cyber security solutions, services and policies in place to be able to protect themselves from these growing threats.
However, solutions, services and policies are only part of a comprehensive cyber security strategy, and with around 96% of UK businesses stating that their employees have been targeted in phishing attacks in 2023, it's clear that cyber criminals consider the human element to be the weakest link in your cyber defences.
Despite advancements in technology and robust systems in place, employees often inadvertently pave the way for cyber criminals, and we want to ensure that your employees are prepared to combat these evolving threats.
Why are your employees a risk to your Cyber Security?
Cyber attacks and data breaches involving the human element account for a staggering 74% of all incidents. This includes errors, misuse of privileges, use of stolen credentials, and social engineering attacks.
Social engineering has proven extremely lucrative for cyber criminals, with around 96% of UK businesses reporting phishing attacks in 2023.
But it is important to consider that employees, regardless of their role or level within your business (even Owners and Directors), are prone to errors that can lead to significant cyber security breaches.
Common mistakes include accidentally downloading files which contain malware, using weak passwords, not using enhanced account security features (such as MFA), visiting unsecured websites, using unauthorised systems to share data, and much more.
These actions can lead to data breaches, regulatory fines and financial losses, and severe damage to your business reputation. Let's look at these in more detail:
- Malicious Email Attachments: For the longest time, email has been known as one of the biggest targets for cyber criminals, because it targets the human element of your cyber defence, often leading to the inadvertent download of malware through email attachments or by clicking on malicious links. It is reported that 96% of UK businesses received a form of phishing email throughout 2023. And, with the rise in Session Token Hijack attacks, it is more important than ever that businesses ensure that they educate their employees on these common threats and put measures in place to protect their business.
- Weak Passwords and Poor Password Management: Despite widespread awareness that weak passwords are a cyber security threat to businesses, they remain a significant issue. Employees often do not choose passwords that are complex enough, reuse passwords across multiple platforms, or fail to update them regularly, making it easier for attackers to gain access. Similarly, many businesses do not enforce complex password policies or multi-factor authentication by default, leaving weak credentials open to targeted attacks, especially those which have been leaked on the dark web. Studies have shown that a considerable percentage of data breaches occur due to compromised passwords, stressing the importance of robust password policies.
- Unsecured/Malicious Websites: Employees might inadvertently visit malicious websites, exposing the network to cyber threats. This could happen by clicking a link in an email and being guided to a site that looks legitimate. These websites can then download and install malware, steal your business data, and more, further compromising the security of your business. This underscores the need for comprehensive cyber security monitoring and tools that actively protect against these types of threats, such as Active Email Threat Protection, which uses AI (Artificial Intelligence) and Machine Learning to monitor emails for malicious files or links that could be used to steal your data.
- Use of Unauthorised Systems: The rise of remote working has led to an increase in the use of personal devices for work purposes, and often work devices for personal purposes. These remote devices may lack necessary security measures and active monitoring, creating additional vulnerabilities in your IT infrastructure. Shadow IT, where employees use unauthorised applications and devices, poses a significant risk as these systems are often outside the IT department’s control and monitoring capabilities.
The Costs of Human Error
Whether it is financial penalties, loss of customer trust, or reputational damage, these are all common outcomes that could cause significant damage to your business. A recent survey revealed that 75% of respondents rated cyber security incidents they had experienced as 'serious' or worse, highlighting the significance of the situation for their business.
Financial Losses: The financial impact of a data breach can be devastating, in many cases even resulting in the closure of businesses following a major data breach or cyber attack. This includes direct costs such as regulatory fines, legal fees, and compensation, as well as indirect costs such as loss of business and diminished customer trust. The 2023 Cost of a Data Breach Report by IBM indicated that the global average cost of a data breach is approximately $4.35 million.
Reputational Damage: As mentioned, a cyber attack or data breach, especially one resulting from human error that could have been prevented, can severely damage a business' reputation. Customers expect their data to be handled securely, and any breach can lead to a loss of trust. This can have long-term implications, affecting customer retention and the business' ability to attract new clients. Ensuring that a business has a comprehensive minimum cyber defence level and provides training on common cyber threats for employees is essential. Adhering to standards such as Cyber Essentials and Cyber Essentials Plus demonstrates to customers and potential clients alike that a business takes its cyber security practices seriously.
Operational Disruption: Cyber-attacks can cause significant disruption to business operations. It is estimated that the average downtime from a cyber attack is 21 days, resulting in a loss of productivity, and additional costs associated with restoring systems and data. For businesses that rely on their digital infrastructure to effectively operate, this disruption can be particularly damaging.
How do you improve the Human Element of Cyber Security?
To address these vulnerabilities and potential dangers to your business’ continued operations, businesses must adopt a multi-faceted approach that combines comprehensive advanced technology with human-centric strategies:
- Training and Awareness: Continuous education for all employees on Cyber Security best practices, common threats & methods of attack is crucial. Regular training sessions can help employees recognise phishing attempts, understand the importance of strong passwords, and follow secure data sharing policies.
- Ongoing Training & Evaluation: Effective cyber security training, including coverage of evolving cyber security threats, should be an ongoing process rather than a one-time event. Interactive sessions, phishing simulations, and regular updates on the latest threats can help keep employees vigilant and informed. Paired with regular cyber security assessments and penetration testing, businesses can ensure that they are closing holes in their digital infrastructure, resulting in fewer successful attacks.
- Awareness Campaigns: In addition to formal training, awareness campaigns can reinforce key messages. Posters, newsletters, and reminders about Cyber Security best practices can help maintain a high level of awareness for all employees, new and old, fostering a culture of cyber awareness and preparedness.
- Implementing Strong Policies: Establish clear Cyber Security policies and ensure they are adhered to. This includes the use of multi-factor authentication, strong passwords, restrictions on the use of personal devices for work-related activities or accessing business systems, and much more besides.
- Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide two (or more) verification methods. This significantly reduces the risk of account compromise, even if account credentials are leaked on the dark web.
- Zero Trust Architecture: The zero-trust model operates on the principle that no one, whether inside or outside the network, should be trusted by default. This approach requires continuous verification of user identities and strict access controls to secure data and systems, which ties into the Principle of Least Privilege Access.
- Principle of Least Privilege Access: Implementing strict access controls ensures that employees have access only to the information necessary for them to complete their role effectively. This principle of least privilege helps to limit the potential damage in case of a breach, reducing the risk of a compromised salesperson's device being able to grant criminals access to financial or HR data, and so on.
- Next-Generation Security: Advanced cyber security tools such as Endpoint Detection & Response, paired with Application & Device Ringfencing and SIEM, can detect unusual activity that may indicate a security breach, using AI and Machine Learning to analyse patterns, identify anomalies, and much more. By integrating these advanced tools, businesses can ensure that they are able to respond quickly to potential threats, and with the support of solutions such as a Security Operations Centre (SOC) they can ensure that cyber security professionals are on hand to actively hunt out and prevent these threats.
- Engagement and Communication: Security leaders should actively engage with all levels of the business, including the board of directors, to ensure that regular assessments take place and corrective actions are implemented, ensuring a unified approach to Cyber Security. Regular updates and transparent communication about potential threats and breaches can foster a more security-conscious environment across the entire business.
It is important that businesses and employees understand that cyber security is not just an IT issue; it is a business continuity issue. Regular training, assessments, and cross-departmental meetings can help identify potential risks and develop comprehensive strategies to address them. Recognising the human factor as the weakest link in your cyber defence is a critical component of a comprehensive cyber security strategy, ensuring that businesses can take proactive steps to fortify their defences.
At TwentyFour we work with businesses throughout the country to ensure that they have the solutions, policies, education and technologies in place to meet our minimum cyber defence level.
We perform regular penetration testing and cyber security assessments to ensure that our clients stay protected from evolving threats. If you would like to find out more, or take our FREE Cyber Security health check, fill out the form below.