The biggest information security threat comes from within

In this NNIT Security Insights article, we discuss how the biggest information security threats come from within the company, and what can be done to minimize the risk.

Employees’ unconscious actions are now considered to be the biggest information security threat*. If a threat occurs within the company it can, however, be alleviated.

Companies and public institutions are increasingly exposed to cyberattacks. Cyberattacks are becoming more and more advanced and can potentially cause operational breakdowns with significant financial consequences to follow. An increasing share of companies’ IT budgets are used to improve IT security through technical solutions and process implementations. Employee behavior is, however, neglected despite the fact that it typically constitutes the biggest exposure.

Why are employees the biggest threat?

With multiple devices connected to various online services, we constantly give consent, download and click without hesitation. But one accidental click is enough to open the door to hackers. When employees are increasingly exposed to security threats without being able to identify them, the risk of unintentionally opening the door to hackers increases.

Employees are key to avoiding cyberattacks

The biggest threat can be turned into a strong defense against cyberattacks by building strong IT security behavior. Investing in employee behavior is, therefore, important in alleviating the threat of cyberattacks.

How is good information security behavior achieved?

A clear and professional information security policy is the foundation of good information security behavior, but the strength of the foundation depends on the employees’ awareness of it. Management must carefully articulate the values, which employees collectively have to protect, and what is expected of them in doing so. In order to succeed, management must provide appropriate training supported by ongoing dialog addressing the following questions:

• How can phishing and spam mails be identified?
• When is a link secure?
• What is a strong password?
• Why should passwords not be used in multiple logins?
• Why should passwords not be shared?
• Why should a PC be locked when leaving it?
• What are the risks of charging smartphones from a PC?
• Which types of USB flash drives are safe to use?
• Which apps can be safely downloaded on a work phone?
• When should data be encrypted?
• When is it safe to give consent in a pop-up?
• What should be done in case of a cyber attack?

It is important that employees know the answers to these questions and many more and are able to incorporate them into their daily behavior. Behavioral change is, however, time-consuming and requires ongoing efforts.

We humans like to do the right thing and would like to protect the companies for which we work. Nevertheless, we often do what is easiest, which may entail increased exposure to information security risks. Our experience as consultants shows that an information security strategy has to focus on behavioral design in order to be successful. Organizations have to think: How to make it natural and easy to act securely? This can be achieved by using simple nudging solutions such as having a plug in the USB port, which has to be removed before plugging in.

With a clear direction and appropriate training, employees can become key to avoiding cyberattacks.

NNIT has consulted and provided services to several companies to improve information security behavior. Please contact us for more information.

*Cybercrime survey 2017, PwC

Do you have anything to add? Do you think anything is missing? Please let me know and share your comments!

About NNIT Security Insights

NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.

NNIT has its own Cyber Defense Center. If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage.

You are welcome to contact us at [email protected] if you want to know more about how NNIT can help your business increase its information security level.