(Updated on 10/15/2020)
It’s been well-reported that human error is responsible for the majority of cybersecurity breaches happening within organizations today. So why aren’t cybersecurity professionals examining the root of the problem: a lack of mandatory insider threat awareness training for employees?
According to the 2018 SANS Security Awareness Report, a comprehensive survey of more than 1,700 security awareness professionals, the main challenges of implementing cyber health training include a lack of dedicated staff, budget and time to execute successful programs. However, more organizations should consider dedicated security awareness training programs, as 85% of survey respondents reported their work had a positive impact on the security of their organization.
Why is Insider Threat Awareness Training Important?
As previously mentioned, employees are one of the greatest security risks facing organizations today. Unless specifically articulated, internal users and employees may not even be aware of the risk they pose to the organization.
Here are six statistics that make the case for insider threat awareness training:
Employee or contractor negligence is responsible for two out of three insider threat incidents.
According to insider threat statistics from a Ponemon Institute study, the majority of insider threat incidents are caused by employee and contractor negligence.
In other words, when employees or contractors make a mistake, they are likely to cause an insider threat incident.
Keeping these stats in mind, organizations should be empowered to know that this problem is fixable. Make sure employees understand the cybersecurity policy, and regularly reinforce best practices that can help them avoid some of the common causes of accidental insider threat incidents, such as phishing attacks and credential theft.
Negligence-based insider threat incidents cost organizations an average of $3.8 million per year.
The same Ponemon study showed that accidental insider threats cost roughly $283,000 per incident, but because they happen so often, these incidents added up to $3.8 million per year (not a small charge!).
If even just a portion of that budget went toward employing a full-time security awareness professional, that may be enough to implement an Insider Threat training program to substantially change employee behavior.
52% of users re-use their passwords for multiple services.
Since credential theft is a top cause of accidental insider threat incidents, you’d think users would be a little more diligent about their password hygiene.
Unfortunately not. According to a survey from Panda Security, 52% of people reuse their passwords for multiple services, or use similar, easily hackable passwords.
Consider this: if a single data breach causes a user’s password to be exposed and sold on the dark web, hackers could easily infiltrate multiple accounts with sensitive personally identifiable information (PII). The proper training, including awareness of password management and identity and access management technology, could avoid this problem.
Only 28% of people use two-factor authentication on their accounts.
Two-factor authentication (2FA), or multi-factor authentication (MFA), is a basic account security measure which ensures that if a user’s credentials are compromised, their accounts may still be protected by a secondary form of authentication (such as a text message or a code from an authenticator mobile app).
However, only 28% of people use 2FA on their accounts, according to a survey from Duo Security. To add insult to injury, more than half of survey respondents (56%) hadn’t even heard of 2FA at all. If employees understood that a simple measure could protect their accounts against intruders, perhaps these statistics would steeply decline.
92.4% of malware is delivered via email.
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), 92.4% of malware is delivered by email. Unfortunately, users continue to be tricked by phishing attempts, social engineering, and rogue attachments made to look legitimate.
If employees received the proper coaching on hacker tricks of the trade, paired with situational simulations (e.g. simulated phishing attempts at irregular times to test their knowledge), these types of incidents could potentially be significantly reduced.
55% of organizations say that privileged users are their biggest insider threat risk.
A recent Crowd Research Partners survey shows that privileged users are the biggest insider threat concern for organizations. And they should be, considering that many high-profile breaches happen as a result of inadequate privileged access management practices and unintentionally exposed administrative credentials.
For example, Timehop’s recent breach of 21 million accounts happened due to a lack of MFA on an administrator’s cloud infrastructure account. Even privileged users need cybersecurity awareness training when it comes to protecting and properly configuring their accounts.
Insider Threat Awareness Training Reduces Risk
If more organizations considered the impact of cyber health classes and regular insider threat awareness training, ideally the number of accidental insider threats could be dramatically reduced. As an added benefit, when people are empowered to take their cybersecurity into their own hands, it encourages a positive relationship between the cybersecurity team and employees as a whole.