More than 90% of all cyber security breaches stem from human error. So, are organisations doing enough to train and educate their staff?

Employees who unwittingly give away their system ID and access credentials to hackers are an organisation’s weakest link. Indeed, a recent survey by StrategicRISK showed just how concerned risk managers are. Asked to rate nine cyber threats in terms of likelihood and estimated financial impact, they ultimately ranked social engineering fourth, based on average scores.

The most common, easy, low-cost way to gain access to systems and data is via a phishing attack. As the criminals become more sophisticated, such attacks are increasingly targeting specific individuals.

If you routinely and regularly phish your employees, that is a very good way to build up resistance over time

David Imison, Partner, Schillings

“If you get an email and it appears that the grammar is a bit iffy, most people would think that it is suspect,” says Eamonn Cunningham, former chief risk officer at Scentre Group. “Well, guess what? These days the phishers have identified this as a weakness and their product is a little bit more perfect. Therefore you need to improve your education regime, because the threat is evolving.”

According to Verizon’s Data Breach Investigations Report, one out of every 14 users were tricked into following a link or opening an attachment. Of these, a quarter went on to be duped again. Once phishing scams have found a way in, malware can be put to work to capture and export data – or even to take control of systems.

It is not always enough to educate employees on how to spot a spoof email. Increasingly, organisations are opting to carry out simulated phishing attacks to see how staff respond. “The thing that we do with clients, and that works extremely well, is to inoculate your employees against the risk,” says David Imison, partner at cyber security firm Schillings.

“I use the idea of inoculation because it’s a bit like being given a small amount of the virus so that you can build up the antibody,” he explains. “If you routinely and regularly phish your employees and test their ability to withstand these types of social engineering attacks, that is a very good way to build up resistance over time.”

Employee error doesn’t just happen lower down in an organisation. Mistakes by senior executives, such as emailing information to a personal account or losing a laptop or other device that contains sensitive information, have caused numerous breaches and data losses

Organisations should also be on the alert for disgruntled or radicalised employees in their midst. Training and education can minimise human error, but deliberate attempts to compromise systems and data require a different approach. Staff vetting procedures should keep tabs on who has access to which systems and how they are being used.

“Employee vetting as part of the onboarding process has become even more critical today, because of the increasing interdependency on IT and interaction between systems, than it was 15 years ago,” says Cunningham. “And because the consequence of a breach or weakness is more profound, you need to ramp up your efforts.”

Background checks are also important when it comes to third parties and suppliers. “Third parties are a huge area of risk,” says Imison. “I was chatting to some people at UCL recently about insider employee risk, and they had some really clever employee engagement tools that can spot what they call the “dark triad”, which is a mixture of personality traits including sociopathy, Machiavellianism and narcissism, all of which are more common than you might think. This all has to be done in a very open manner because you are also duty-bound to respect the privacy of your employees.”

The buddy system, where one employee is teamed up with another to approve certain actions and decisions, offers an important line of defence if a member of staff is behaving suspiciously. It is an effective way of monitoring individuals with access to sensitive data or key infrastructure, acting as a check for approvals and cyber access and encouraging colleagues to observe and intervene if necessary.

There may be no golden panacea, says Peter Hacker, cyber security and insurtech opinion leader, but there is a growing appreciation that when it comes to effective cyber security, it is no longer simply the responsibility of the IT department or the chief technology or chief information officer. “This is not just an IT security matter,” he adds.

“Top management cannot just delegate those responsibilities to their IT security. They need to be aware of what the data regulations are in their respective countries and what their obligations are as a director to act with duty, care and control. Cyber security needs to be top-down and led by the board.”

Over the next few years, says Hacker, the rapid advance of disruptive technology will present growing challenges for countries, organisations, corporations, regulators, legal systems and the broader financial services industry. To ensure all employees understand their obligations in such an environment, risk managers will need to work holistically.

“At its highest level, cyber security responsibility rests with the CEO and with the board,” says CraigSearle, founder of cyber security firm Hivint. “They are the ones that are held to account for breaches and that sort of thing. However, that responsibility should then permeate through the rest of the organisation.

“Certainly, there is an expectation that all staff have a part to play in keeping sensitive data, whether it be corporative information, customer information or personally identifiable information.

“It’s no longer acceptable for staff members to say, ‘That is not part of my role.’ The expectation that should come from senior risks managers is that everyone has a part to play in keeping data safe.