Helping Insiders Remain Focused on Security and Phishing Attacks

It’s taken some time – along with some highly publicized incidents – for many organizations to recognize that malevolent outsiders aren’t the only source of cybersecurity threats. An organization’s own employees, along with its privileged contractors and vendors, can also pose significant security risks. In fact, the threat from insiders is, in a way, doubled, since this type of security breach can come both from workers motivated by ill intent and from those who inadvertently expose systems and data to attack.

Although it may seem counterintuitive, careless employees and other insiders can often pose a greater overall threat than malicious actors. The reason is a simple numbers game. Even a large multinational corporation is likely to have only a handful of insider malcontents actively working to penetrate its security barriers. Contrast that group with the organization’s thousands, or tens of thousands, of employees who through carelessness – or outsider trickery – can mistakenly expose an organization’s data assets to hackers, cybercriminals and others.

Fortunately, the threat posed by inattentive insiders is receiving increased recognition and focus. For example, when asked by the research firm The Ponemon Institute to name their employer’s biggest user-based threat, 44 percent of respondents to a June 2015 survey cited user negligence while just 30 percent cited malicious attackers.

From a security perspective, “user negligence” can cover a lot of territory. It ranges from downloading sensitive information to mobile devices that may then be lost or stolen to the use of obvious passwords that are rarely if ever changed. Of particular concern, however, is the growing success of sophisticated phishing attacks. In these attacks, outsiders send emails crafted with social engineering techniques to appear legitimate, tricking the insider recipients into opening attachments, clicking on links, or handing over user names, passwords, or other confidential information. In effect, the insider becomes an unwitting accomplice, giving the attacker various ways to infiltrate the organization’s systems.

For its 2015 Cyberthreat Defense Report, the CyberEdge Group surveyed more than 800 IT security decision makers and practitioners at organizations with 500 or more employees. The respondents indicated that phishing attacks were their top concern, outpacing malware, advanced persistent threats, denial of service attacks, and other threats. That high concern isn’t surprising, since another survey cited in AT&T Cybersecurity Insights: Decoding the Adversary found that almost one in three (31 percent) respondents admitted their organization fell victim to at least one phishing attack in the prior year.

Organizations can implement email filtering and other security tools in an attempt to block phishing emails before they even reach employees. Still, no technical barricade will ever be 100 percent successful, especially as attackers continually modify the email messages they send in order to slip through known defenses.
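To make the point concrete, here is an added example (not part of the original post, and not any vendor’s filter) that runs a blocklist rule and two structural heuristics over a few constructed sample emails. The domains, sender names, and messages are made up for illustration. It shows the pattern the paragraph describes: a signature-style blocklist stops only the lure it has already seen; a structural check (link text that claims one domain while the href points at another) catches the reworded variant; and a plain-text lure that is internally consistent slips past both layers, which is exactly where the reader has to be the last line of defense.

```python
"""Toy mail filter: a signature (blocklist) rule beside two structural heuristics.

Added example for this article, not a real product's logic. All domains and
messages below are constructed; KNOWN_BAD_DOMAINS is a hypothetical blocklist.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Layer 1 signature list: one lookalike domain seen in an earlier (hypothetical) campaign.
KNOWN_BAD_DOMAINS = {"examp1e-bank.com"}

HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"]+")


def sender_domain(msg):
    """Domain of the actual From address (not the display name)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def extract_links(msg):
    """Return (visible_text, target_host) pairs; text is None for plain-text bodies."""
    body = msg.get_payload()
    links = []
    if msg.get_content_type() == "text/html":
        for href, text in ANCHOR_RE.findall(body):
            visible = re.sub(r"<[^>]+>", "", text).strip()
            links.append((visible, (urlparse(href).hostname or "").lower()))
    else:
        for url in URL_RE.findall(body):
            links.append((None, (urlparse(url).hostname or "").lower()))
    return links


def signature_filter(msg):
    """Layer 1: flag only domains already on the blocklist. Catches repeats, not new variants."""
    hosts = {sender_domain(msg)} | {host for _, host in extract_links(msg)}
    return [h for h in sorted(hosts) if h in KNOWN_BAD_DOMAINS]


def heuristic_filter(msg):
    """Layer 2: structural tells that survive small edits to the message text."""
    reasons = []
    sender = sender_domain(msg)
    for text, host in extract_links(msg):
        # Visible link text that looks like a hostname but is not where the link really goes.
        if text and HOSTNAME_RE.match(text) and text.lower() != host:
            reasons.append(f"link text {text!r} points at {host!r}")
        # Link target outside the sender's own domain.
        if host and host != sender and not host.endswith("." + sender):
            reasons.append(f"link host {host!r} differs from sender domain {sender!r}")
    return reasons


def classify(raw):
    """Run both layers on one raw RFC 822 message and report what each saw."""
    msg = message_from_string(raw)
    sig = signature_filter(msg)
    heur = heuristic_filter(msg)
    return {"signature": sig, "heuristic": heur, "blocked": bool(sig or heur)}


# Constructed samples: a genuine notice, a known lure, a reworded variant, and a consistent lookalike.
SAMPLES = {
    "legit": (
        "From: Alerts <alerts@example-bank.com>\nSubject: Your statement is ready\n"
        "Content-Type: text/html\n\n"
        '<html><body>Sign in at <a href="https://example-bank.com/statement">'
        "example-bank.com</a></body></html>\n"
    ),
    "known_lure": (  # repeat of the blocklisted domain: layer 1 stops it
        "From: Alerts <alerts@examp1e-bank.com>\nSubject: Your statement is ready\n"
        "Content-Type: text/html\n\n"
        '<html><body>Sign in at <a href="https://examp1e-bank.com/login">'
        "examp1e-bank.com</a></body></html>\n"
    ),
    "variant": (  # new domain evades layer 1; the lying link text trips layer 2
        "From: Alerts <alerts@example-bank.com-login.net>\nSubject: Your statement is ready\n"
        "Content-Type: text/html\n\n"
        '<html><body>Sign in at <a href="https://example-bank.com-login.net/login">'
        "example-bank.com</a></body></html>\n"
    ),
    "consistent_lookalike": (  # plain text, sender and link agree: passes both layers
        "From: Alerts <alerts@example-bank-secure.com>\nSubject: Your statement is ready\n"
        "Content-Type: text/plain\n\n"
        "Sign in at https://example-bank-secure.com/login to view your statement.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

Running it shows the legitimate notice passing, the known lure blocked by the blocklist alone, the variant blocked only because its visible link text disagrees with the real target, and the consistent lookalike passing both layers. Each new heuristic closes one gap and opens the question of what the next message will do differently, which is why the text treats filtering as necessary but never sufficient.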

Ultimately, the best defense against phishing probes is a well-educated and always-alert population of employees and other insiders. Sadly, surveys that ask organizations about their security education and training efforts often find the programs to be infrequent, inadequate, or nonexistent. More organizations need to recognize that the money and effort they spend to build a more aware and more cautious workforce are minor costs compared to the damage that careless insiders can inadvertently cause.

Dwight Davis is an independent technology analyst and writer specializing in cloud computing, service-oriented architecture, cybersecurity, mobile computing and Web services. All opinions expressed are his own. AT&T has sponsored this blog post.
